The health IT industry is approaching a pivotal time with security. Although most leaders seem to understand the ramifications of a data breach, there is still a lack of awareness when it comes to how critical a cybersecurity strategy can be — particularly when most of the work happens behind the scenes. Two people who are trying to change that are CIO Rod Dykehouse and CISO Matt Snyder of Penn State Hershey Medical Center.
In this interview, they talk about the CISO’s role as point person during a crisis, the CIO’s role in communicating the value of cybersecurity initiatives, the difference between compliance and security, and the misconceptions when it comes to federal regulations. As organizations continue to grow and evolve, the need to get a better handle on data protection will only increase, according to Dykehouse, who has been with the organization for nearly five years, and Snyder, who was hired in 2014. They also discuss their strategy in negotiating with vendors to increase device safety.
Q&A With Rodney Dykehouse, CIO, and Matthew Snyder, CISO, Penn State Hershey Medical Center, Part 1
Gamble: Cybersecurity is always a tough topic for leaders to discuss, so I really appreciate you both taking the time to speak with me. Let’s start by talking about the impetus for bringing Matt on board in the fall of 2014.
Dykehouse: Sure. Shortly after my arrival, we started looking at the IT structure, roles, and needs, and we created a cybersecurity plan for the organization, outlining projects, initiatives, and leadership. The obvious need was to have a formal chief information security officer. We looked nationally for a candidate and, fortuitously, we were able to bring Matt Snyder onboard.
He was with us for a few months when the CIO from Penn State University called me to say they had identified an issue — it was just a heads-up call. In that call, I told them we have a very strong CISO. Knowing the university had a vacancy in that role, I offered Matt to them, and so he disappeared largely for an extended window of time to help remediate the issue.
Just to frame that, we’re located a hundred miles from the main campus and State College of Pennsylvania where that CIO and the large majority of the IT operations for the university exist. The university has about 25 different campuses scattered around the state, and that’s a challenge. On our campus we have direct accountability for the College of Medicine, but it is part of the university, and so it’s a bit schizophrenic. Is it part of the university or the health system or Hershey Campus? The answer is yes. My role and Matt’s role include accountability for the college, which is part of the university, but is located on the Hershey Campus.
Offering Matt to the main campus to deal with this incident was a little bit of self-preservation as well because we do get many services and some services from the university. We have people that are faculty in the College of Medicine, the College of Engineering on the main campus, and other colleges. We can’t say that we’re a standalone and disparate; we have great interdependencies between us.
Matt ended up doing an outstanding job for them, and he’s done an even greater job for us based on the lessons learned, the tools purchased, and processes put in place.
Gamble: Matt, can you talk about that experience and what were some of the lessons learned?
Snyder: Very few people have dealt with what I would call like an advanced persistent threat or state type of attack where they have to do some type of remediation event on that scale. When you go through those, it can be really challenging. I like to tell people that one of my primary jobs as the CISO is to keep people calm when it happens and bring them through the stages of acceptance. A lot of time, people will say, ‘We can’t believe this happened,’ then they say ‘Maybe it’s not going to be that bad.’ You have to help them move through that because you need everybody on the same page to deal with an incident like this.
It’s funny because when you walk into the executive’s office and say, ‘Look, we’re dealing with something.’ First there’s shock, then denial. You’ve heard of the seven stages of grief — I call this the five stages of a data breach. After the initial shock and denial, there’s anger, depression, then eventually they get to a stage of acceptance where it’s ‘Okay, this happened to us. How do we move forward?’ The CISO’s job is to help everyone through that as quickly as possible so that we can decide what needs to be done. As you can imagine, that requires a lot of trust. In a lot of instances, people underestimate the magnitude of some of these things. They think, ‘We have enough staff; we can deal with this ourselves.’ The reality is that the majority of organizations aren’t prepared to deal with those types of things.
You almost always need to bring in a third party — not just to manage the incident, but to manage other aspects of it, like crisis communications. How do we deal with the media? The same things you’d see in any organization that’s dealing with a significant issue, whether it’s cybersecurity or a natural disaster.
Gamble: So communication really is key, both during and after the actual event?
Snyder: It is. One of the first things I tell people when dealing with these types of things is that yes, you need a really good incident response plan, but it goes beyond that. It doesn’t do any good if no one knows what’s in it. The incident response plan needs to be coordinated among your office of general counsel, your strategic communications, public affairs, and if you have a government liaison, you need to be able to coordinate with them as well. With a data breach, the CISO becomes that point person who’s trying to keep all of these other groups informed and educated while making sure no one group is jumping ahead of the others.
Several years ago, when I was with a different organization, I dealt with an incident where the war room was complete panic. I said, ‘Okay, let’s calm down a second and walk through everything — what we know and where we’re at.’ I was able to translate what was happening on the ground to our executives in a way they could understand it, which would help facilitate the decision-making process. But a lot of it was them looking at me saying, ‘What should we do? Tell us how to move ahead.’ It’s really interesting.
You need to have that document. You need to have that plan, and everybody needs to know what it says. You have to test it, and then after you go through an incident, one of the most important things you can do afterwards is go back and revisit that plan and say, ‘What worked and what didn’t work? How can we improve upon that?’
When you talk about the lessons learned and continuous improvement aspects of incident management, it’s a very iterative process, and it’s never-ending. I think teaching people that it’s iterative is also really important because sometimes when you give executives good news they think everything is working fine. Then the next day you might not have good news and they say, ‘but I don’t understand because you told me something else yesterday.’ When you have an incident, especially of that scale and size, those facts and data points change pretty much daily, and getting them accustomed to that can be challenging, especially when we talk about cybersecurity. And Rod knows that. One of the biggest challenges I’ve had is educating people about what cybersecurity is, and what is — and is not — the CISO’s job. We’re still working on that, right?
Dykehouse: I absolutely agree. One of the major lessons learned for me, and for the organization, is the lack of understanding of what cybersecurity is across the business. When an organization has a fire, that’s tangible — people can touch it. They can see it. They can feel it. Cybersecurity is generally not like that. Ransomware attacks become real to organizations when they can’t function as they have been. But when you have breaches where information is lost, sold or otherwise, it generally doesn’t affect the organization’s operations.
And so it’s very important. We have to do it — not just from a compliance or regulatory standpoint for the ethical protection of the information, but because a lot of the things that are done in cybersecurity, people don’t understand. It’s in the ether. It’s in the network. It’s behind the scenes, getting them to appreciate what Matt Snyder as a CISO does with his team to avoid, prevent, and respond to these things so they do not become overt, they do not become operationally significant, and that they protect us from other bad things. I think that is the greatest lesson learned.
We hear when there’s an incident, but the majority of cybersecurity events happen independent of knowledge and awareness by the vast majority of people. And it’s hard to get people to spend money on that when they don’t understand it, don’t see it, and can’t feel it.
Gamble: How important is it that the CIO and the CISO are in lockstep and that the information isn’t just coming from Matt, but that all of IT owns cybersecurity?
Dykehouse: It’s absolutely critical. Matt and I have a great partnership, but there has to be a separation, both in terms of authority and focus. I can’t direct him to do things to protect me and my own. We have to agree on doing the things that protect the enterprise, regardless of where that falls. If we’re procedurally deficient and we’re not doing things effectively on the IT side — whether we build it, support it, or run it — then shame on me. But he needs to be able to call that out without risk of my response toward him, and vice versa.
I think that relationship and that commitment to the greater good of the enterprise in the clinical delivery of care, research, education, and multiple missions we have as an academic health system — it’s very important for us to keep that front and center. But it’s also important that I continue to communicate the reasons why we’re doing cybersecurity and investing in terms of the systems that the organization depends on, the data the organization depends on, and the services the organization depends on. I have to help make it real for them in a way that says, ‘if this is gone or this is lost from a cybersecurity standpoint, we all will lose.’ It’s walking hand-in-hand through the fog and through enemy attacks, because it’s daily things that happen that the organization isn’t aware of. They’re aware of it when they feel it, and that should be very, very infrequent.
Snyder: Rod has talked before about the symbiotic relationship that exists between cybersecurity and IT, and it’s interesting because in all the other places I’ve ever been, the CISO and the CIO are peers. Cyber may not report under IT because there’s separation of duty and conflict of interest concerns, but the relationship and partnership between the CIO and CISO are imperative. There are many times where I’ll play bad cop to Rod’s good cop, and he’ll do the same for me. It’s really important that your CISO and your CIO are partners, because you need to have that consideration, respect, and understanding.
For example, when I’m uncovering things that need to be fixed, Rod and I will sit down and talk about it and figure out how we want to sequence that for action because Rod has a completely different mission where he’s trying to provide services, and he has a ton of projects on his plate. So it’s not beneficial for me to be out there saying, ‘look at all the things IT isn’t doing’ or ‘look at all these areas that aren’t right.’ It’s much better when Rod and I are sitting in the room together and we’re saying, ‘We’ve identified these opportunities. This is how we’re going to sequence these events and this is how we’re going to start to burn this down.’ I think that that is really helpful.
The other thing that’s beneficial with the CIO and CISO relationship is when you’re at the executive table, it’s really helpful to have someone else there who understands information technology and cybersecurity. It’s like you have another vote at the table that says, ‘I understand this,’ because it’s really hard to explain this to groups like risk management, compliance, finance and others. Sometimes Rod is able to help me speak that lingo, especially in health care. Rod has been such a great mentor, helping get me up to speed on, ‘this is what this means in the healthcare space,’ because it’s my first time in this industry.
Those things are really helpful when trying to make progress. There is nothing I’m doing that Rod isn’t briefed about. If I’m about to throw like a flaming log his way, I’ll let him know in advance and say, ‘This is coming. How do you want to manage it?’ There’s a lot of interaction back and forth, and I think that’s really important, especially when you’re talking about such cross-cutting functions as IT and cyber.