At first glance, Jim Brady’s title — Vice President of Information Security and Infrastructure Operations and CISO — may seem like quite a mouthful. It also may seem quite time-consuming wearing that many hats.
But to Brady, Fairview Health Services’ decision to bring infrastructure and security under one umbrella makes perfect sense. In fact, he believes it has already “done a lot of positive things” for the two groups, which typically have worked in silos, despite the many synergies that exist between them. And as healthcare organizations continue down the digital path, he thinks that collaboration will flourish even more.
Recently, healthsystemCIO spoke with Brady, who joined Fairview in April (and took on full-time duties in August) about how his team has managed the myriad challenges of supporting providers and safeguarding data during the pandemic. He also talked about his approach in selling cybersecurity initiatives to the Board, his philosophy when it comes to leading and letting others lead, why words like “interim” don’t matter, and how he has benefited from a diverse career path.
- It may not be common to have infrastructure and security under one title, but at Fairview, “it actually has done a lot of positive things for groups that typically may have operated in silos.”
- Cyberattacks affect more than just the EHR. It could be access to the EHR, which, if it lasts more than 24 to 48 hours, can cause clinicians to break down. “They get stressed out. They have productivity problems, and it becomes very difficult to go back to paper.”
- Although the industry’s singular focus on Covid was amazing, it showed that things can get done much quicker than previously believed. The tradeoff? “You can’t have 100 pots on the stove.”
- Unfortunately, hackers didn’t leave hospitals alone because of Covid. In fact, they did the opposite, and found they could get more money by putting forth less effort.
- No matter how secure healthcare organizations are, “if our business associates, vendors, or third parties have a breach, we’re still liable on the provider side and we have to take responsibility.”
Q&A with Jim Brady, Part 1
Gamble: Hi James, thanks so much for joining us. Can you start by providing an overview of Fairview Health Services?
Brady: Sure. In 2017, Fairview Health System merged with HealthEast to create Fairview Health Services. We have 12 hospitals, 56 clinics, and a large outpatient pharmacy division within Fairview serving the Twin Cities area and then Minneapolis.
We also have a partnership with the University of Minnesota Academic Health Center and University of Minnesota Physicians, which we branded as M Health Fairview. As part of that, we collaborate and do a lot of research. We’re three separate entities, but a lot of the leaders in those three organizations have cross-functional roles.
Gamble: What was the impetus behind that?
Brady: We have such a close affiliation and partnership with the medical school and the university, where their doctors are providing care in our hospitals and clinics, and we wanted to leverage that. So I think the impetus was becoming more of a single, operationally functioning unit, rather than having everybody operate independently.
Gamble: Let’s talk about your role. You’re the VP of Information Security and Infrastructure Operations, as well as CISO. How do you approach that?
Brady: I have a dual role, which is a little unusual. Most security leaders are focused only on security. That’s all they do, and there’s a good reason for it, because there’s a lot to be done. There’s quite a bit of risk now at the board level and the executive level. In addition to not wanting to be on HHS’ wall of shame and not wanting to impact our patients by having our data exposed or breached, there are also ransomware attacks that can literally shut down a hospital or a clinic. And that means we can’t see patients. We can’t do surgeries. We can’t generate revenue. There’s reputational damage.
It can force an organization to close their doors. It can block up their data to the point where they can’t function for a few hours, or even a few days or weeks. That’s pretty traumatic, from an operational standpoint, not being able to use the electronic health record or be able to access electronic or digital tools in an era in which clinicians have become very used to that.
It wouldn’t necessarily be the EHR that’s affected by the ransomware. It could just be the access to the electronic health record. If you remove that for longer than 24 to 48 hours, some studies have found that clinicians actually begin to break down. They get stressed out. They have productivity problems, and it becomes very difficult to go back to paper, because it’s been so long since they’ve done things manually.
And then of course there’s the work you have to do after the fact to put data back into the computer and into the system. There’s money and time that’s lost. On the business side, I think healthcare leaders understand that this is critical; that it’s a core function to make sure we’re secure.
The other factor is medical devices, which are not necessarily governed by HIPAA. They’re regulated more by FDA, and the hardware and software oftentimes can’t use the normal security measures that are put in place to protect them. So how do you prevent them from getting into the hands of the wrong person and causing patient harm?
Security now is more than just ‘I don’t want to get fined.’ It’s operationally a risk; it’s about patient safety and patient harm. That’s my security role.
Gamble: And then there’s the other part of your title.
Brady: Right. So, a few weeks after I came to Fairview, I was asked to take on a technology role as the VP of our infrastructure, which includes the help desk network, data center, desktops, and servers — those types of areas. It was an interesting idea by the health system; they wanted to see if we could improve the way in which security and technology leaders and staff interact. The thought is that having those groups under one leader provides an opportunity from a tactical perspective. I have both, and it actually has done a lot of positive things for groups that typically may have operated in silos. Because we’re under one larger team, we’re working closely and collaborating more, and so I think it has broken down some of the barriers, which has been helpful.
Of course, there are still barriers to overcome. When you’re a large organization, there’s an application team, a data and analytics team, etc. There are other parts of the IT organization where we all need to keep working on how to partner more effectively.
Gamble: In having those dual roles, how does that work from a governance perspective? Does it get muddy at times?
Brady: Both of those areas have directors that I brought together into one single team. There are two on the security side. One is focused on cybersecurity, which includes security engineering, threat intelligence and incident response, identity and access management, and security operations.
The security group focuses more on auditing, IT compliance, and governance. They’re the ones who make sure everybody is doing what they’re supposed to be doing.
Gamble: And you’ve been with Fairview since last spring, correct?
Brady: I started at Fairview Health Services in April as interim CISO, and I took on the full-time role at the end of August after going through the interview process.
Gamble: I can imagine it was challenging to take on a role, interim or not, during the early part of Covid. How did you approach that?
Brady: Obviously everybody was impacted by Covid; we were no different. There were a lot of projects slated to be completed, and a lot of excitement that we were going to accomplish many different things. But, like everyone else, we went remote almost immediately. We decided only to focus on initiatives around Covid, like making sure we could handle the surge at our hospitals and keep people safe. And we did some other Covid-focused projects, such as making sure we had telehealth capabilities we could scale.
That took center stage, which meant a lot of other projects took a backseat. We kept some things going, while others were deferred to 2021. And while we’d like to say we’re coming out of Covid, it’s not over yet.
Gamble: Right. So it was an interesting spot to be in.
Brady: There were some objectives that had started before I came on board, and I’ve tried to keep the momentum going. Of course, anytime you take on a new role, you look for opportunities for improvement — are there any gaps? Is there anything you can do right away to make things better? And so, on the security side, I definitely leaned in immediately and initiated some assessments, while also standing up some things that didn’t take a lot of time or money, and would reduce the risk and improve security in the midst of an organization that was very remote.
That singular focus on Covid was amazing, and it showed that in healthcare, we can get things done in days instead of months, and in weeks instead of years. Typically we take a long time to make decisions and roll things out, but I think it was interesting to see how so many health systems across the country, including Fairview Health Services, were able to get a small number of things done very rapidly. I think if I were on the non-IT side of leadership, I’d say, ‘you guys can definitely do things a lot faster.’ The tradeoff, I think, is you can’t have a hundred pots on the stove. You just need to have five or 10 and then you can do things a lot better because you’re focused.
Gamble: You mentioned having people work remotely, which comes with a lot of cybersecurity concerns. What was the strategy there?
Brady: We had to pivot quickly on a few things. Fortunately we did have enough infrastructure to support our remote workers. We had laptops. We had a way for people to use their personal devices securely. We have a couple of methods for that.
We had just implemented a particular type of a VPN that had the option to be cloud-based — that was around the same time Covid hit, and so we ended up going with the cloud-based VPN that’s installed in everybody’s laptops. That means whenever you pop open your laptop, you’re automatically on the VPN connection to the company network and you’re secure. That’s helpful because sometimes just getting people set up to work remotely can be difficult, and oftentimes it isn’t very secure. There’s still more we’re doing to improve security, but I think that has helped us significantly.
We have a lot of good practices and policies in place. For the most part, people are conscientious. They try not to click on phishing emails, but the bad actors are very sophisticated. They definitely try to attack us, along with other health systems; we can see it in our security systems. So we’re trying to stay vigilant.
Gamble: And of course you had Covid-themed attacks, which was another thing to worry about.
Brady: Yes. I listen to a lot of security podcasts, which have some good information. What’s interesting is that I remember hearing a lot of folks like CIOs, CISOs and CTOs say that hackers were going to leave the hospitals alone because of Covid. But in fact it was the opposite; they went heavily after healthcare because we know that the bad actors tend to want to do the least amount of work, with the least amount of effort, to get the maximum amount of money. They’re not thinking about what’s best for our patients. They have their ulterior motives.
So that didn’t make things any better. But all things considered, we need to be much more proactive in healthcare and get closer to the financial sector and other verticals that know they’re a target, and know they’re under the scrutiny of the bad actors. I think healthcare leaders are getting the message that we need to be just as advanced and stay one step ahead of the bad actors.
Gamble: What are some of the other areas you’re focused on right now?
Brady: I think I can break it down into people, process and technology. There are things in those areas that I’ve noticed at every organization I’ve been at, whether I was a CIO, CISO, or in one case, CTO.
It always comes down to this: do you have the right people? Do you have the right skill sets? It’s difficult to get the right high-level security folks in a healthcare organization because we don’t necessarily pay as much as some of the other private companies. That’s a challenge, especially when you’re not located in Silicon Valley or New York City, where there might be a lot of high-tech folks.
And so we need to look at what we can do to train our teams, and open it up to where we can recruit from other areas, which opens the door for a much better talent pool selection.
That’s really helpful in getting healthcare organizations to say, ‘We can be similar to Google, Amazon and Twitter where we can function and be remote.’ Because we’re seeing it right now. Most people are working remotely. It’s not like the old days of conference calls where those who have to dial in aren’t as engaged in the meeting and not part of the flow. When you’re using Zoom or Teams or some other tool, it levels the playing field.
On the people side, it’s using some of the managed services that organizations can offer. We’re also looking at strategic sourcing — what are the functions that are going to be automated as we move to cloud and as we develop more automated systems so that we don’t need someone doing it on paper in a manual way. That, of course, can help lower costs.
On the process side, it’s ensuring the right amount of security awareness, training, and education. We’re using proper change management measures. We’re managing our vendors appropriately. I think a big risk to organizations is not knowing what your vendors are doing. Many breaches, unfortunately, come from our business associates. So we can be as secure as we want, but if our business associates, vendors, or third parties have a breach, we’re still liable on the healthcare provider side and we have to take the responsibility. But it’s very difficult to ensure they have the right controls in place, so that’s something we’re focused on.
With many organizations, a lot of the technology on the security side is disparate; it’s a lot of point solutions. None of them are tied together as much as we would like, and of course there are gaps. For me, it’s looking at what technologies we are missing. There are a few, and so we’ve started the process of bringing those in.
It’s looking at all three of those areas; that’s what I’ve focused on, in addition to having done the assessment. And of course, all of this takes money. But once you’ve shared with the board of directors and the leadership how much it would cost if you couldn’t deliver patient care for one day, that’s where it hits home. We’re a $6 billion organization, so if we were shut down for a day, that’s a potential loss of $60 million. So when you say, ‘I need $100,000 or $1 million to protect us and truly minimize the possibility of a 10, 20, or 30 million dollar incident,’ you’re more likely to get support for that.