A Q&A with a Healthcare CISO
This healthcare CISO has spent the vast majority of his career in healthcare and has witnessed a lot of changes when it comes to security and identity. Today, as CISO of a large national healthcare organization, he helps to secure and manage the identities of about 20,000 affiliated healthcare professionals and advanced practice clinicians. His organization provides a wide range of outsourced emergency, critical, hospice, and other forms of medical care to more than 3,200 facilities and physician groups nationwide.
Today, this CISO discusses the difference between securing large and small organizations, how security has changed over his 20-year career, and his current priorities.
Thanks for spending time with us. Could you tell us a little about your experience in security?
I’ve been in healthcare my entire career. Both my parents were doctors. I couldn’t take the blood and the needles, or anything like that, so most of my career has been in healthcare with a stint at an advertising agency. That was, I have to say, the exact opposite of healthcare. I was brought into that company because it had a security incident, and it needed help recovering from that. My immediate priorities were to figure out what was happening, how to make it stop, and prevent it from happening in the future.
You’ve had experience at larger organizations. How was it different when you moved to a smaller organization? What advice would you offer smaller organizations when it comes to security?
It was interesting because they were all on a much smaller scale. Before that, I was working for a large for-profit hospital chain. To go from the big enterprise down to a 200-person business with two people in IT was a big mind shift.
I learned quite a bit in that position. First, I would say to know exactly what it is that you’re trying to protect and be clear of what your critical assets are. Then, be methodical in how you secure them. This way, if you are breached, you can stop the bleeding immediately. That may be pulling Internet access or pulling a machine from the internal network. If you know where the breach occurred, just stop the damage, and then you can bring things back to normal methodically.
It’s the same approach that you would take in an enterprise, as well. I’ve had similar types of challenges at small and large organizations. You follow the same guidelines: You isolate where the incident is occurring, prevent it from spreading, make it stop as fast as possible, and then recover.
You’ve been in security for a long time now. How has it changed over the course of your career?
I started right out of college, and, at the time 20 years ago, the approach to security was quite different. You wanted to have these strong perimeters, and, as you moved in closer to where your data were, the controls got stronger and stronger.
And things have changed today when it comes to the fact that the data that you’re trying to protect is now stored all over the place because of cloud and personal devices. The challenge associated with this leads us more toward identity governance rather than having strong perimeter types of controls.
It’s interesting how technology has changed. But, from a CSO perspective, conceptually it’s the same, but how you get there is very, very different.
Also, back when I started, there weren’t really dedicated security teams. That was just starting. You were either on the network team or you were on the server team, and so this idea of security being its own independent department was relatively new. You had to do more with the people already in place. Whether it was easier or not, I don’t know; it’s just that the way IT departments were structured at the time was very different, and the technology wasn’t as mature as it is now.
Also, the entry points into what you were trying to protect were not as prevalent. You had to come onsite, as remote access was still relatively new. Back then, VPNs weren’t that mature, so most people had to come onsite to be able to access that data. That’s a much different shift than what we’re dealing with now.
In some ways, it was much easier back then. Identity was less important, and you had fewer entry points.
Considering the changes you cited, along with the continued changing environment, what are some of your priorities?
They are the same. The hardest thing is understanding what is under your control. I think shadow IT is a challenge because of the ease with which people can bypass controls and systems. It was much more difficult to bypass controls in the past.
The prevalence of technology in the hands of end users is so large that it makes the difficulty of managing what data are under the user’s control enormous. It forces us to prioritize what is under our control. This is why I have been focused on reducing the amount of data we have, to the point of actually purging data. It’s about eliminating the number of things we need to protect. I’ve heard from other CSOs as well who are trying to reduce data as much as possible.
Last, we want to focus heavily on user experience. If security is too difficult or just too annoying to use, no one is going to use it. That means users are going to try to find ways around our security controls. One of my goals has been to get out there and to try to understand what is appropriate to the end user and balance that with what I need from a security perspective.
Are you implementing role-based access control?
Yes. We are moving to full role-based access control, and we are automating the process. To get an account, the person has to be entered into the HR system and that feeds into our identity management system, which takes care of it from there with the information provided.
I think automating won’t just improve the user experience and save time, it will improve security. It will help to instill a culture of discipline.
Our estimate to complete our role-based access control implementation, which consists of approximately 30 different applications, is around 16 months.
With that approach, what are the keys to succeeding?
Understand what they need to do to do their jobs, what their work life is like. This is extremely helpful. Try to walk in their shoes, understand what could be annoying to them, what could improve their workflow, and try to understand it from their perspective. That’s always been the first thing I’ve turned to throughout my career in security: listen and understand more than dictate and control.
If you don’t get adoption, then you’re going to lose. It’s better to at least have your customers working with you, to try to achieve the goals or priorities that you’re trying to achieve, and work together.
What mistakes do you see others making?
I like to use an analogy for the mistakes I see my peers making. I played football when I was growing up, and our coach taught us 10 plays. We couldn’t even think about trying anything fancy until we mastered those 10 plays backward and forward and could run them backward and forward in our sleep without even thinking. It was about getting the basic blocking and tackling down before doing anything fancy.
The mistake that I see peers making quite often is that they get fancy before mastering the basics. They see the shiny new toy, or tool, that’s out there that catches their eye. They end up then focusing all of their time on one specific thing, while ignoring the basics. Then, they get popped because of something dumb. Identity falls into that. If you can’t manage accounts, if you look back at all the major breaches that have occurred over the past five to 10 years, they all start with some kind of identity problem, like a service account or someone didn’t delete an account after a terminated user left, or something like that, bad password policies, or not using multifactor authentication, things like that.
That’s where I see some of the newer CSOs who come up from technical backgrounds make that mistake.
What were the business drivers for you to implement IdentityIQ and SecurityIQ?
It was just there, twofold, and it goes to what the two products do. We started with IdentityIQ because we wanted to understand where sensitive data resided, as simple as that. We’re trying to understand what we have to protect. If you don’t know where PHI exists, you have to try to protect everything. That’s not reasonable, and it just isn’t sustainable. That was the driver behind SecurityIQ. Coupling that with IdentityIQ and the ability to learn about who has access to what allowed us to build out our roles.
The driver behind IdentityIQ was consolidation. We had five different products that were all rubber-band and duct-taped together to try to meet our identity efforts. It just wasn’t working. We scrapped what we were doing in the past and decided to go with best-of-breed products that would integrate with all of our solutions. Now we’re doing the hard work with HR and the business owners to find out what is appropriate for every role and how many roles we need. That’s just work that you have to grind out.
You’ve quite a bit of experience implementing identity management. What would your advice be to those who haven’t done so yet?
All of these things that we’ve been talking about. You really have to know what you have inside your organization: what applications you have, what your authoritative sources are, who your employees are. You need to know this and have solid diligence around that before you can go down this road. Just having a good inventory, a good relationship with HR, and getting an idea of what processes are currently in place around identity is important as pre-prep work. Then, what I found in my experience that can be the hardest is selling the idea of moving to this and it having a return on investment.
That comes down to getting the money to be able to do this. That’s where I think you can work with partners or a vendor to help create a business plan and ROI calculations. Most of the time, cost reductions can be found in a reduction of service desk work or how many times people have to reset their own password. But there are deeper savings you can find. You can look into the time provisioning accounts; maybe an organization might have had a breach that was due to an account that was left behind that wasn’t terminated appropriately.
My advice would be to build a case that is best for your organization and have that ready, so that when you ask for the budget, it doesn’t take years and years, or it even makes identity a priority to the company.