Q&A with CISO Dan Bowden, Part 2: “You Learn to Pick Your Battles.”

“As a CISO, you need to think about what’s in it for the business.”

With that statement, Daniel Bowden confirmed what many industry experts have already recognized: that the CISO position – much like the CIO – has evolved significantly in recent years. It’s no longer just about keeping information secure (and, consequently, keeping patients safe); it’s about introducing solutions in a way that can help enable the business without interrupting clinical workflow.

During a recent interview, Bowden talked about the unique challenges facing information security leaders as health systems battle Covid-19, the opportunities that exist to create better relationships with users, and what he believes are the keys to maintaining a solid security strategy. He also talks about the valuable lessons he learned while serving in the US Air Force, why he believes mentoring is so critical, and what he believes sets Sentara apart from other organizations.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Podcast: Play in new window | Download (Duration: 15:39 — 14.3MB)

Subscribe: Apple Podcasts | Google Podcasts | Spotify | Android | Pandora | iHeartRadio | Podchaser | Podcast Index | Email | TuneIn | RSS

Key Takeaways

• With the right approach, solutions like identity proofing can be sold not just as offering security benefits, but also helping to bring in revenue.
• For Bowden, spending time in academics before coming to Sentara helped him learn “to work in a world of managing assets security-wise, where there wasn’t nearly as much homogeneity.”
• For cybersecurity in healthcare, perhaps the biggest game-changer from a policy standpoint was reporting of breaches being assigned to the Office for Civil Rights.
• One of the biggest benefits of serving in the military was the “continual leadership and mentorship training” often missing in the civilian world.

Q&A with Dan Bowden, Part 2 [Click here to view Part 1]

Gamble:  So it’s really important for an organization to have that foundation.

Bowden:  Exactly. When you put that together, then you’ve got two-factor authentication and privileged access management on devices — in terms of security, all of a sudden, you’re pretty hard to beat. If you’re doing a good job blocking exposure to your software vulnerabilities — if not patching them out right, you now have become a pretty challenging target, and I think a lot of bad actors will look elsewhere. That’s one of the big ones I’m focused on, not just for Sentara but for all of healthcare.

Gamble:  When you talk about making a case or tying these things to the overall business goals, it seems like that has become a key part of the CISO strategy.

Bowden:  It absolutely is. With identify proofing, I can describe a way to improve your experience, but we have physicians who bounce through different parts of our hospital, or go from hospital to hospital. We have 12 now; we’ll soon be part of a health system with 18 hospitals; they have a lot of authentication and identity friction. Maybe with a solution, I can, if not eliminate it, reduce by 80 or 90 percent. That’s a business enabler. It’s managing the provider directory and the credentialing process for physicians, and taking the friction out so that when we bring on a new physician, we reduce the credentialing process down to where they are now helping us bring in revenue much quicker than normal.

With patients, it’s managing our master patient index more accurately, which helps improve efficiency on billing and accuracy in charting. But you’re right, as a CISO, you need to think about what’s in it for the business.  And if you’ve got something there, it’s easier to have those kinds of things looked at and adopted.

 

Gamble:  I imagine it certainly comes into play having a good relationship with other leaders and having establishing that rapport and trust.

Bowden:  Absolutely. I’ve been at Sentara about for years. When I came on board it was going through a reset for the security program. I’ve been able to roll out some good solutions and have success with those. When that happens, it can build up your credibility or your goodwill with the organization, and also contribute to getting things done in the future.

 

Gamble:  I’d like to talk about your career background. You’ve been at Sentara for 4 years, and prior to that you were at University of Utah Health?

Bowden:  Yes. I was the CISO for University of Utah Healthcare and for the University of Utah on the academic side, and so I actually reported to both the health system CIO and University of Utah Campus CIO. I did a lot of security work and a lot of infrastructure projects. When you’re at a mixed academic healthcare organization, there are a lot of really interesting challenges; it’s a very diverse environment. I learned to work in a world of managing assets security-wise, where there wasn’t nearly as much homogeneity. The benefit in being at Sentara is that things are a little more standard and we try to work as a system, whereas when you’re at a university, there’s a lot of sub-optimizing that you do. And so you have to learn how to provide good security across a lot of optimized ecosystems.

 

Gamble:  I can imagine it was a challenge having these two different worlds and trying to make sure they were both getting what they needed in terms of security.

Bowden:  Yes. It’s interesting because you learn to pick your battles as a CISO. On the health system side, there’s a different risk tolerance. University of Utah Healthcare was very risk-averse and focused on protecting patient data. On the other hand, University of Utah is a very well-known R1 research institution. And so they didn’t have a high-risk tolerance, but there was definitely a drive to get research done, and to engage with and attract the kind of people and organizations who would help with facilitating that research mission and technology transfer. It’s those different factors pulling on the mission across the organization.

 

Gamble:  So that’s not something that’s solved in a day. It’s always changing.

Bowden:  Yes, always.

 

Gamble:  And that was your first foray into healthcare?

Bowden:  I arrived at the University of Utah in 2007. Before that I was in banking for about eight years, where I did security architecture and infrastructure. I was there through Y2K; prior to that, I was with what was then a major retail organization, and before that I was in the military. That’s where I learned my cybersecurity trade. I was involved in information technology, operations, and encryption — things like that. I joke that I’m older enough to remember holding an encryption key in my hand. Young people have a hard time wrapping their head around that.

 

Gamble:  What was it like going from finance to healthcare? I’m sure that was pretty interesting, particularly in terms of the cybersecurity landscape.

Bowden:  There’s a couple of interesting factors. In the early 2000s, cybersecurity was definitely a big priority in finance; and even with it being a big priority, it was always a challenge. In healthcare, 2007 was an interesting time because we were just getting into great degrees and levels of EHR adoption. Just the ability to share data well was a challenge, and so either the big breaches weren’t happening or they weren’t being reported. That was a challenge; we weren’t sure what was true. Are we not watching the data well and reporting on it?

In 2009, we saw the passage of ARRA. That included a major change with HIPAA where enforcement transitioned to the HHS Office of Civil Rights. That was a seminal moment of, okay, now we’re being more aggressive on reporting security and privacy incidents and breaches. Because if you look prior to that change, there were very few — if any — breaches reported while CMS was responsible for enforcement. But as soon as enforcement was handed over to OCR, it became a priority. That was right around the time I started at University of Utah, and we really embarked on a lot of work on it.

It’s always been a challenge. But when healthcare made that change with HIPAA enforcement, that’s when it really had its day in terms of holding organizations accountable to patients and health plan members.

 

Gamble:  You picked an interesting time to get into healthcare.

Bowden:  It was. I’m really blessed; I jumped into an organization, University of Utah, during a time of transition. They had Cerner and Epic, and they brought in a new CIO and a new CEO. So I got to see a lot of things in just a handful of years and had great people I was able to learn from. So that was a big benefit for me.

 

Gamble:  The last thing I wanted to talk about is your time with the Air Force. You mentioned that’s where you learned the cybersecurity trade. What are some of the other ways it helped shape you as a leader?

Bowden:  It was huge. I think the best thing about the Air Force, and the military overall, is the continual mentoring and leadership training. In the military, every single day on the job — at least, it was the case in experience — is about leadership training. And so my boss was training me to do his or her job; I, in turn, was responsible for whoever was assigned to me. That’s what it was about. It was all about mentoring. It was about training. It was all about advancing your skills and contributing to the mission.  It taught me a lot, the value of it and the importance of professional development. It’s still a big deal to me today.

When you think about what we do to young people today, we tell them, ‘You need to get a degree in order to get a job.’ But then get their degree, and we refuse to hire them because they don’t have experience. It makes me mad.

At Sentara, I have an outstanding group of leaders that report to me, and we have a part-time staffing program for students in the Hampton Roads area. At any given time, we have anywhere from 8 to 14 students who work part-time for us until they graduate, and then get hired by us or another organization. We’ve hired about five or six of them in the past 4 years, and many others have been offered jobs at organizations as big as (or bigger than) Sentara.

I remember the people who taught me in the Air Force. I can still name all the people I worked for, and what they did for me. When I moved out of the Air Force into the civilian world, it was harder. There wasn’t as much time spent mentoring people. I think with the nature of our jobs, it’s harder to do, whereas in the military, the point is to see people advance and move on. In the civilian world, we get caught up in other priorities. It’s not that we don’t want to see people advanced; we’re just not always as active as we could be in seeing that happen.

 

Gamble:  That’s very interesting. I come from a military family, and I’ve seen how the experience has impacted all three of my brothers in a positive way.

Bowden:  The cool thing about the military is that you meet every type of person. You learn that if you make a list identifying the most important things in your life, 99 percent of everyone’s list is the same. That’s what I learned in the military. Maybe the order of things changes based on where you are in your life and what’s going on, but at the end of the day, it’s the same, and that’s important. That was a great experience for me.

I think for a lot of younger men and women who’ve come through the military during the last 10 years or so, it’s been much harder. I’m incredibly blessed. I probably got 10 times more out of my experience in the military than it took from me — and not everyone can say that. I’m very thankful for those who have served in the past 10 or 20 years. They really had much more of a challenge and weren’t set up as well for success in civilian life. I think it’s important to look out for them. That’s another reason I like these mentoring programs with colleges and veterans.

 

Gamble:  I agree, and I admire the work your organization is doing. Well, that covers what I wanted to discuss. Thanks so much for your time, we really appreciate it.

Bowden:  Sure thing. Have a great day.