A Jan. 13, 2022, meeting of the nonprofit Workgroup for Electronic Data Exchange (WEDI) featured a lively panel discussion involving chief information security officers from three large healthcare organizations. Moderated by CHIME Vice President David Finn, a former security and privacy officer himself, the panel included Daniel Bowden, vice president and CISO at 12-hospital Sentara Healthcare based in Norfolk, Va.; Stephen Dunkle, CISO at Pennsylvania-based integrated health system Geisinger; and Rick Doten, vice president of information security for large managed care company Centene Corp., who also serves as CISO for Carolina Complete Health.
Finn began the discussion by asking the CISOs about whether the recent Log4j attacks represent a new level of threat. Bowden said the issue is larger than Log4J. The threat actors are targeting the big commodity software that they know massive numbers of businesses use. They are looking for vulnerabilities that haven't been discovered yet. “Once they find it, they use what we call the ‘spray and pray’ attack,” he explained. “They know there's probably a million businesses that use this software; they spray across the internet and look for anyone that has that service exposed to the internet with the vulnerability. To me, Log4j is just one; there's going to be another one that comes down the stream.”
Noting that many smaller healthcare organizations don’t have dedicated security professionals on staff, Finn asked what larger healthcare organizations can do to help the smaller ones that struggle the most with security.
“We had more than 20 business partners last year who were dealing with ransomware,” replied Doten. “We supported them in their remediation by providing them guidance during incidents, because we have expertise and more staff and capability. We all communicate. We know what's going on, and we all help each other.”
Geisinger’s Dunkle stressed that he would like to see more cooperation between healthcare entities, and one concern he has is that there is a reluctance to share information about security breaches. “I recently talked with an attorney friend, and he's proposing that anytime someone has a ransomware event, the first thing they should say is they're suffering a network outage. He's proposing you don't even share that it's a security incident. I get that to some degree from a business perspective, but as a security professional, I want to engage with my peers. I don't want to judge them. I want to partner with them, and get out of the silos and work together. We've got to get into a position where we can really comfortably disclose information with each other, but not hurt our organizations. And I don't have the answer to that.”
Centene spends time educating providers and its business associates about new standards, but it also has to meet them where they are from a tech standpoint, Doten said. “We'd love to have APIs with FHIR protocols going back and forth, and applications talking to applications, but not everyone has that capability. Part of our challenge industrywide is we have to play to that least common denominator.”
Finn asked the CISOs how they get their boards of directors to support cybersecurity in terms of financing and resources. “I don't try to own all of it,” Dunkle replied. “That would definitely be a big mistake. I'm a big believer in enterprise risk management of which cybersecurity is just one piece. CISOs struggle daily with the idea that we're not the ones who tolerate the risk — it's the organization that does. The key is partnership and communication.”
Sentara’s Bowden stressed being proactive and getting people to understand the impact before an event happens. He said his all-time favorite meeting at Sentara was a ransomware tabletop exercise that involved the CEO and all his direct reports.
“It took us months to get that call on the calendar,” he added, “but I would say you're crazy if you don't do it. The value gleaned from it is high. It's an expensive meeting, but the long-term payback is worth it.” The executives take ownership and realize these are decisions they will have to make on the fly, he added. “And they may make decisions that we as CISOs would not have made.”
Finn noted that the “great resignation” is the buzzword of the day, and asked if the CISOs were having challenges with hiring. Is it more difficult to find people with security expertise?
Geisinger’s Dunkle said that because more people are working remotely, he actually has found hiring easier since the pandemic began. “My entire department, including myself, is a remote workforce,” he said. “We have security talent on our team from all over the country, and it's been great for the team. Also, I don't have to worry so much about recruiting a security person from healthcare. That's nice to have, but if I can bring them in from retail or manufacturing, that's OK, too, because they've got 90 percent of the toolset we are looking for.”
In terms of the difficulty of finding talent, Centene’s Doten said that it all depends on the type of talent that you're looking for. If you are looking for a cloud security person, then no matter where you are or what field you are in, you're going to have a hard time finding them. It involves more than just putting something on Linkedin or a web page, he added. It involves recruiters reaching out to people working elsewhere to pitch opportunities to them.
With privacy becoming a hot topic in addition to security, Finn asked how CISOs jointly govern security and privacy at their organizations. Are they separate functions that sometimes get at cross purposes with each other? “The privacy officer and I both report to the assurance side of the organization, and he is my peer,” Geisinger’s Dunkle said. “Our offices are side by side, so he is very much a partner, and we talk continuously. I can't take any credit for that. It's by design.”
That led Finn to ask whether where the CISO sits on the organizational chart matters much. Will most healthcare CISOs continue to report to the CIO? Or will enterprise risk management be where cybersecurity lives?
“I think that my spot on the organizational chart is irrelevant,” Sentara’s Bowden said. “If I'm a good leader, and I can influence people to do the right thing, it doesn't matter where I am. At Sentara I have worked for a couple of great CIOs, and they trust me and have enabled me to do what I need to do. I think if you're a good leader, you lead through influence.”
Centene’s Doten agreed that if you're good, then it doesn't matter where you are on the organizational chart. “My wish for the next few years is just that there are more of us. I want to see more CISOs in healthcare.”
