“As a CISO, you need to think about what’s in it for the business.”
With that statement, Daniel Bowden confirmed what many industry experts have already recognized: that the CISO position – much like the CIO – has evolved significantly in recent years. It’s no longer just about keeping information secure (and, consequently, keeping patients safe); it’s about introducing solutions in a way that can help enable the business without interrupting clinical workflow.
During a recent interview, Bowden talked about the unique challenges facing information security leaders as health systems battle Covid-19, the opportunities that exist to create better relationships with users, and what he believes are the keys to maintaining a solid security strategy. He also talked about the valuable lessons he learned while serving in the US Air Force, why he believes mentoring is so critical, and what he believes sets Sentara apart from other organizations.
- Telemedicine isn’t just about improving patient care; it also helped conserve PPE by enabling physicians and nurses to communicate with patients from outside of their rooms.
- The security team at Sentara was one of the first to transition to remote work, and as a result, played a key role in providing training to other departments.
- The biggest challenges in having a large remote team are getting patches deployed, facilitating collaboration, and setting realistic expectations.
- With fraud incidents on the rise, CISOs should be focused on “better identity solutions, better identity proofing, and a transportable digital identity that will be leveraged across business use cases.”
- By enabling second-factor authentication verifications and doing behavior-based access control up front, security leaders are able to “remove friction later.”
Q&A with Dan Bowden, Part 1
Gamble: Is your team working from home at this point?
Bowden: Yes. Anyone in our IT organization who isn’t focused on patient care, or directly supporting those who do — meaning they need to go into a hospital to perform their duties — is working from home. The Commonwealth of Virginia set some pretty tough and important safety guidelines for employers, and the way our IT building is laid out, it’s impractical to try to bring 900 people back while figuring out how to adhere to the rules.
Gamble: How did the transition go in terms of setting up digital health capabilities?
Bowden: It’s interesting; we had already started work in 2018 on a new comprehensive capability for telehealth that was integrated with our EHR and with our mobile app. We have mobile apps for our patients and our health plan members. The challenge is always in the adoption of new technology.
Covid-19, although it is a tragedy, has shone a light on our capabilities for telehealth. Whereas in January of 2020 we were seeing about 200 to 300 telehealth visits per month, by April it was up to 60,000 per month, and we didn’t have to build anything new for that. We had the capability; we were just waiting for someone to use it.
At that time, before we knew what we know now about equipment and PPE, there was a huge concern about conserving PPE. That’s where telehealth came in. It wasn’t just for patients being able to see providers from their homes — it was now being used within facilities to conserve PPE. If a nurse or doctor can speak to the patient from the nurse’s station or out in the hallway using an iPad, that helps conserve PPE and lower the consumption rate.
And we were ready to implement it. Now, we ended up being very blessed that the volumes that were projected in early March didn’t play out — hopefully things stay that way. But we did learn about our capabilities in terms of being able to serve patients.
On the telework side, we sent home thousands of people across the organization; a good chunk of those weren’t IT people, and they weren’t used to working from home. For a lot of them, their lives were in chaos. The schools were shut down, so their kids were doing virtual learning and their spouses working from home. They didn’t have enough computers or internet connections. We sent thousands of people home within three or four weeks, either with a laptop connected through the VPN, or Windows virtual desktop.
Fortunately, we already had some good security tools put in place, like two-factor authentication and privileged access management on our devices. That helped a lot. And so we were, in effect, largely prepared to do something like that, but we had no idea how it would unfold. It was exciting, to say the least.
As an organization, we invested in all of this capability to get here. We don’t know what’s going to happen with future waves, but we don’t want to be known for having outbreaks in our places of work, so we’re going to keep everyone working from home for as long as we need to.
Gamble: What were the biggest challenges from a security standpoint in moving all of these people to remote work?
Bowden: The biggest thing was training. My team — the security team — was actually the very first team to go home. There was a rumor that someone in our building had possibly been exposed, and so I sent my whole team home the next day. I said, ‘Go home and bring all of your tools, because there’s going to be a flood of people.’ My team ended up doing helpdesk work because there were a whole bunch of people who didn’t know how to connect to the VPN. They had a device that was configured to do so, but they were like, ‘where is this AnyConnect icon? And then after I do that, how do I authenticate? How do I put in my two-factor passcode?’ A lot of our time in March and a good chunk of April were spent on security training.
I’m blessed to work with a great IT organization with whom we partner very closely. And so there weren’t any urgent security gymnastics we needed to do. We had the core tools in place; it was just a matter of making sure we scale those out as we expand our capability. For example, if we were going to blow out a whole bunch of new Windows virtual desktops, we did the same standard configurations. We work with a really good IT organization, and so we had baked in those standards and were able to roll those out quickly without having to serve unnecessary allowances.
One of the challenges we had was in getting patches deployed — that’s hard under normal circumstances. I give a lot of credit to our IT and security teams. We maintain a very robust and aggressive patching program, and we had to modify our scheduling because when you’re working remotely, access to test environments was different and more challenging.
Then there’s timing of resources. In a health system, when you increase your bed capacity — like ICU beds, for example — those aren’t just physical changes to the rooms. It cascades back to the technology that supports it for grabbing results and for charting in the health record system. The people who normally have a certain amount of time to help us get patches deployed were flipping the health system over for brand new Covid-19 capabilities in March and April, and so we had to modify our patching schedule and say, ‘okay, we’re going to do things a little bit differently.’
Fortunately, it was only 60 days. I had relayed up the chain that our patching schedule would be different until the middle of July, but by early June, we had already gone back to normal. Managing that was — and still is — probably the most interesting challenge we had. Because now, with devices traveling around, we have to put more effort into where they are when there’s a Windows 10 patch, for example.
But, like I said, I’m one of those CISOs that’s blessed to work with a great IT organization and has great leadership support. And so, while there were a lot of long days and hard work, I didn’t feel like I had to push any new initiatives in the midst of all that stress and change.
Gamble: Certainly a lot of change. I would think the ability to deal with all of that speaks to the team you have and the culture in place at Sentara.
Bowden: It does; I’m a benefactor of good organizational culture. There are places where they get stuff done just because they say they’re going to, and Sentara is one of those. That’s one of my favorite things about this organization. In the midst of all the stress and anxiety, they came right out and said, ‘We’re going to have to get through some hard times. But this is the plan — we’re going to do this, and we’re going to come out better on the other side.’ That starts at a high level and trickles down throughout the organization. I was really blessed to be in that situation.
For some CISOs — and this is either real or perceived — they feel like they’re the only ones fighting for the cause of risk management. I don’t believe that exists in any organization anymore; I think everyone wants to help with cybersecurity. But I’m blessed in that I get actual overt support. I don’t have to go beg for it.
Gamble: Did you have policies that had to be relaxed because solutions were being pushed out so quickly?
Bowden: I don’t know that they had to be relaxed; it was more that we had to look harder at certain policies, one being remote work. The 2019 version did address configurations and security, but there was also an HR aspect of managing productivity expectations. And so we reviewed them to make sure we checked off every little security point in the policies and standards to make sure everything was locked down.
We had team leaders who said, ‘How am I going to manage collaboration? Do I need to set expectations?’ and so we rolled out Microsoft Teams and other capabilities and collaboration tools so people could get comfortable with this new mode of working with your team where you’re not in the same building — and in some cases, different states or time zones. How do we make that feel as close to the in-person experience as possible? That was one of the big ones. We spent a lot of time to kind of go back and forth asking, ‘Do we need to uplift this? Did we miss anything?’ It’s been interesting.
Gamble: What about the financial impact of Covid? Can you talk about what you’re doing to remediate that?
Bowden: Every single health system has experienced some impact — not just in terms of numbers, but also having to lay off people or furlough people. Back in May, things looked pretty dire. And so Sentara took actions, whether it was the executive team taking pay cuts and managing paid leave, or trimming operating expenses.
The great thing is that Sentara came out on the other side very well considering the circumstances. We completed one merger with another health insurance company, and we announced in September a letter of intent on another merger with a considerably sized health system in North Carolina.
That tells you something about Sentara and the mentality that we do what we say we’re going to do. That’s the culture, and it’s what I witnessed in the way things worked out in 2020.
Gamble: Putting Covid aside, which is pretty much impossible to do, what do you think it takes to maintain a strong security program? What are some of the keys there?
Bowden: It’s interesting. One area we need to improve is identity proofing. I’ve always been sort of negative on our national cultural view of validating identity. I think we all know it’s weak. If you look at the REAL ID initiative, you can’t get on an airplane anymore without a REAL ID-verified state driver’s license or passport. We’ve learned that identity proofing is crucial. It was a challenge when we were onboarding new workforce members or vendors in person. Now we’re in a world where I might onboard individuals I’ll never meet in person. Those simple measures of asking for a driver’s license and social security number are no longer enough, and so we’re going to a model where we request a little more friction at that first meeting.
Let’s say you came to work at Sentara. Instead of only asking for your driver’s license and social security number, maybe I’ll say, do you mind if I walk you through some financial validation questions? It’s like when you call your bank about a mortgage. ‘Answer two or three questions and we’ll ask for a credit card number, and also do some type of biometrics like retinas or iris scan.’ And so that slowed things down a little bit in the beginning, but there’s a tradeoff. We’ll issue a certified device to you, and as we start modeling your behavior on our network, and you’re on our trusted networks in our facilities, we’ll never ask you for a password. By doing so, I’m removing friction later in our relationship.
And when you go to work from home, I’ll ping you with a few second-factor authentication verifications to make sure it’s really you. Once we’ve verified your location and have been able to do some behavior-based access control and authentication, maybe we don’t need to do the second factor anymore. But anytime I find your credentials and your device separate, there’s going to be some friction getting on to the network, and some additional factors of validation.
With the fraud incidents I’ve seen and the account takeovers, there’s often an aspect of identity spoofing or identity fraud involved. And so I’m really keen on better identity solutions, better identity proofing, and eventually, a transportable digital identity that I think will also be leveraged across a lot of business use cases. It can make your experience with us as a patient or a plan member better and give you more control over your patient data. It can be used for your financial records, your children’s education records, etc. There are opportunities all over the place if we can get to a better trusted digital and transportable digital identity.