“Everything I needed to know about information security, I learned in aviation.”
Not exactly what one might expect to hear from the CISO of a large organization, but for Ron Mehring, the time he spent in the Marines has played a huge role in shaping him as a leader. And although he learned from all of the different roles he held, it was his time in aviation that truly laid the foundation for IT security. “You had to do it right all the time; there are no shortcuts, otherwise someone could get hurt or killed,” he said during a recent interview.
And although the healthcare landscape is extremely different from serving in the military, he has been able to apply many of the lessons learned, particularly as his team at Texas Health Resources has strategized to safeguard data – and patients – during the Covid-19 pandemic. Mehring also talks about how they’re leveraging analytics to improve decision-making, the challenges leaders face in transitioning to an adaptive risk program, and the evolution cybersecurity has experienced in recent years.
- When transitioning teams to remote work, training and communication are vital, because when people don’t know what to do, “that’s what creates security problems.”
- Anytime there’s a change in how people access data, security teams must make it a priority to answer queries and provide support, which in turn can “reduce friction.”
- Standards need to be put into place so that when alternate care sites are set up, the medical device staff can execute without “coming back to the mothership to ask for approval for every little thing.”
- The consumer-focused strategies that are becoming increasingly common often have a digital underpinning, which creates “new stakeholders in the realm of IT.”
- As both internal and external threats surpass the current model of protection, organizations have two options: become a more proactive and consumer-focused security program or “stay where you are.”
Q&A with Ron Mehring, Part 1
Gamble: I want to start by talking about the elephant in the room, Covid, and some of the added challenges it has presented from a security standpoint. What have been some of the key challenges for your team as far as keeping data safe?
Mehring: The first thing that comes to mind is that we moved a lot of our workforce who had traditionally been in the office to remote work; some of these employees hadn’t worked from home. We’ve always had technology for people to work remotely, but all of sudden we had to get people out of the offices and have them work from home within a short period of time.
So the question was, how do we do that fast? How do we train people really fast? How do we get people to write tips and techniques to work from home? Even outside of technology, there are issues like, ‘I used to print in the office, now I can’t print anymore.’ We need to teach you a new way to handle documents now. Let’s show you how to do that electronically instead of printing it.
Those little things became bigger things. IT people can work anywhere, and so we’re very accustomed to being able to move around and just do our work. Not everyone is able to do that.
And so immediately you have to start thinking a little bit differently and become a lot more empathetic to people who don’t know how to work from home. Because when they don’t know, that’s what creates security problems. They don’t know how to solve something without people who are around to help them with everything. They have to figure out a new way to get help, like using Skype and Teams, which we recently moved to. We’ve inserted new technologies into this to help people work remotely and be more efficient and more secure at the same time. We’ve had to do training and tips and say, ‘You can’t just print stuff off and keep a whole drawer full of protected health information in your house. Don’t do that.’
Gamble: Right. What about things like phishing? How did you manage that threat?
Mehring: To be honest, what changed most are the things that are external to the workforce. We had bad actors generating Covid-themed emails and things like that, but it didn’t really shift our risk profile that much.
We had done a lot of training before Covid. We have a large anti-phishing program. We’re always testing our employees and communicating with them, and so we didn’t see a major uptick. We trended about the same with our testing; even with attacks that did make it through the wickets and get to an inbox, we didn’t see a massive upward trend of compromises, so that was good.
Gamble: With the training you did, what was the primary focus? How did you approach that?
Mehring: The number one thing is relationships. Relationships matter, and they become even more important when you’ve displaced people to work remotely. Like I said, they’re used to being in an office where they can ask their cube mate a question or their manager is right down the hallway, or there’s an IT person they can come to with questions. Now all of a sudden they had to figure out how to address these solutions — that was the first thing that had to be worked out.
But relationships matter. We already had strong relationships within our departments and at our hospital and clinic entities where we had a lot of IT people there to answer questions. Our goal was to make sure the folks that usually answer those questions for the workforce in these different departments and entities had the information they needed.
Gamble: So it really makes a difference already having good relationships in place and good processes.
Mehring: Yes. And nothing’s perfect. The security team just has to be ready and available to answer and field these questions pretty quickly. I always tell our teams, you don’t want people sitting around too long with a security question. Number one, it’s going to frustrate them, and it’s probably stopping them from doing their work. Let’s not do that.
The second thing is, if you leave it there long enough, they might feel that they have to get it done anyway. That’s when workarounds start, and we don’t want them to work around security controls. We want to keep the friction around security processes as minimal as possible. You want it to be easy to use. Of course, not all security processes are easy to use, but you want to reduce the friction so people don’t feel the need they have to start working around those things, because they feel pressure to get their work done. They have deadlines. They have to get this one thing done and the security process is standing in their way. You’d never want to be that process.
So it’s all about reducing friction in those processes, communicating with those on the first line so that they can answer the query and help them find solutions. And if it’s a big problem, they know how to escalate it, or they know if a deeper, more complex solution needs to be created for the end-user, because that happens. You might have a department that was sent home and in doing so, their processes were broken, and so we have to figure something out. We didn’t really come across that, but we had to be prepared to handle it.
Gamble: What about things like setting up tents and different areas for patient care? Did that create security challenges?
Mehring: It did, and so we had to knuckle down and solution it. Our executive leadership team is organized really well around emergencies like this. They’re good at bringing the right people together, especially when it needs to be handled at a system level.
Let’s say you’re setting up external intake points for the hospital because you have a mass of people coming in. You might set up outside tents to do triage work. We solutioned a standard within the system so that if anyone needed to deploy that, they knew exactly what was going to happen, for two reasons.
Number one, hospital leadership is going to feel all the pain when you have an intake point like an ED that’s flooded. We wanted to make that a little bit easy on them by saying, here’s the standard. Here’s what we’re going to set up, and here’s the way we’re going to communicate. Although there might be some subtle differences, depending on the physical placement of the network. The medical device staff and entity IT staff knew what they needed to execute very quickly and they could do it in a decentralized way. They didn’t need to come back to the mothership to ask for approval for every little thing that they were doing out there. They knew what we were going to execute, and that’s the way you want it.
What you don’t want is to have every little change involved with those types of emergency actions to have to come back to some central point for approval. You want to give them a standard to work with, and if they have to work outside of that standard, then they come back. But otherwise you kind of let them go and say, this is what we’re going to execute.
Gamble: It seems like it’s really important to set up a standard for how things are going to go and what steps need to be followed.
Mehring: Hospitals are actually pretty good at this. It’s probably more important for a systems person like me to get out of the way a little bit, because they’re really good at handling that. They deal with these things every day. Develop a standard, something that they can latch on to, and to which leaders at the hospital level can say, okay, IT has a solution for me and it’s going to be secure. Now I know from an IT perspective that’s going to be managed. There are obviously facility considerations and physical security considerations — all of that comes into play as well.
Gamble: Taking a step back, you’ve been with the organization since 2011 — I can imagine that information security has seen some changes since then. I want to talk about how it’s evolved. Was there any deliberate restructuring, or did it just evolve on its own?
Mehring: We’ve been going through kind of an incremental evolution. As we built the program, we took the current program and evolved it a little bit and kept up with the changing climate. There’s a lot of phishing, and a lot of other different types of breaches that have occurred over the years, and I think we’ve kept pace.
We are transitioning, though. I think there is an inflection point that’s occurred over the past two years that a lot of CISOs like myself have felt, and that’s the need to make a more deliberate change. Our programs have to go through a next major version evolution. We’ve been doing minor versions for probably the past 10 years.
Within healthcare, there have been new interactions forming during the past few years. Many systems, including ours, have partnered with other health or education systems to form clinically integrated networks. In our case, we’ve joined up with UT Southwestern to form Southwestern Health Resources. That’s just one example.
We’re seeing a lot of joint ventures. We’re seeing a lot of extended partnerships as you move into the different markets. In our case, it’s one large market in the Dallas-Fort Worth area. I think a lot of healthcare systems are doing the same where they’re distributing technology out further. Years ago, we considered distributed technology to be a bad thing, and so we centralized it. We centralized all the technology and security functions. Now, we’re going back to where we’re moving it all back out again, but we’re doing it a little bit differently. We’re calling it different things; we might call it digital or consumer health. It depends on where you are.
At THR, we call it our consumer-focused strategy. It has a digital underpinning, and that in itself is creating new stakeholders in the realm of IT. The CIO is no longer the sole IT stakeholder, and that changes the way the security program has to run. All of a sudden you’re doing a lot of shared control assignments into the enterprise where now you have different stakeholders with security responsibilities they haven’t had before.
The other thing is that regulations are maturing now. They’re becoming a little bit more relevant. We’ll have to see what that looks like over the next 5 to 10 years, but I think we’re going to see a better regulatory framework that’s more relevant to what’s actually going on in the healthcare industry. It will also come with regulations that will still be stringent, but will be more rational.
We’re seeing that with the interoperability regulation, which has security and privacy components with it. And so internal and external threats are going to start to really surpass our current model of protection, because they’re going to speed up. All of these things are coming in together. At Texas Health, we organize it into two piles in the way we present it to our executive leadership team — it’s like the red pill and blue pill, if you’ve ever watched The Matrix. You can either become a much more proactive and consumer-focused security program, or you can stay where you are, and become more reactive and more internally focused than you are today.
There’s a real choice to be made there, because these are all going to set up design choices. They’re going to set up how you retool policy in the enterprise, and how you view risk in the enterprise changes by becoming proactive and consumer-focused versus reactive and internally focused. And of course, they’re not perfect. There’s always a level of reactiveness, but the idea is to get out in front of it.
We’re calling it our adaptive risk program, and we’ll be transitioning over the next 3 to 5 years. It’s interesting because I haven’t done long-term horizon planning around the program in many years; most of the time I’m working year-to-year. We’ve been doing yearly maintenance plans, but now I’m doing a long-term plan to say, five years from now, this is what the threat environment is going to look like, and if we’re doing what we’re doing today, we’re going to have an enormity of problems.