It’s not easy to be a CISO in today’s risk-filled IT environment. And part of the reason for that is the difficulty getting clinicians and staff to grasp the depth of the danger. But it’s something Melissa Rappl, CISO at Omaha, Neb.-based Children’s Hospital & Medical Center, is passionate about. And the way she goes about getting buy-in is with storytelling and relationship building. To her, it’s the bottom line. In this interview, Anthony Guerra, editor-in-chief and founder of healthsystemCIO Media Inc., interviews Rappl regarding the top problems CISOs are facing, including the potential transition to zero trust, direct targeting attacks, click-happy staff and how CISOs are in an arms race with the “bad guy.” With her vast experience, Rappl offers ways CISOs can succeed in today’s constantly changing security landscape, despite the challenges.
- Healthcare has a lot of partners, and I love our vendors, but they can also open us up to a lot of risk.
- It’s shocking how much data our partners have, and people don’t fully understand what they’re doing with that data.
- I think for some sectors, zero trust is going to be a lot easier to get to. I think it’s always going to be a hybrid approach for healthcare.
- As soon as the tools get better, then they’ll just find another way to approach an organization.
- Anyone who is a CISO knows that what makes a person effective in this role is relationships, because you have to be able to tell a story.
Guerra: Melissa, thanks for joining me.
Rappl: Pleasure to be here today.
Guerra: An interesting place to start is to talk about your career path and how you ended up where you are. It’s not just healthcare, it’s not just IT, it’s healthcare IT security, so it’s a pretty specific niche.
Rappl: Wow, what a fabulous question and what a great journey as I look back on it. I’ve been in this space since 1994, so I guess we can do the math on however long that is. Around 1994, I took a position at a non-profit, and they had not put in a network before. I was young enough, eager enough, naïve enough to take on that task. My bachelor’s degree was in public administration, so literally I had no technical background, at least from an education standpoint. But I was curious, and I had great mentors in the space. I had the CIOs at the two hospitals in Lincoln, Nebraska and they worked with us because we’re a non-profit and they were generous with their time. I took MCSE classes, networking classes, and we worked together, and we took this old hospital where the non-profit was located and built a network from the ground up.
And what an amazing opportunity. I was there for 24 years. It was a wonderful organization, and I thoroughly enjoyed my time there, and I got to do everything. I got to do networking and system administration. We put in our first electronic medical record software package, and we subsequently upgraded those. The amount of experience that I was able to draw from that role was really tremendous. I went back and got my master’s in health informatics and really wasn’t quite sure what I wanted to do.
And then, I became certified in corporate compliance. Because you wear a lot of hats at non-profits, I was their IT director, their infosec director, and also their corporate compliance officer. I really loved the compliance and security pieces. In 2017, there was a role that opened up at NRC Health as their director of information security, and I took that position. And that was really a great role as well, focusing solely on infosec, and I went and got my CISSP, and I really started driving a formal security program there. They had the great bones and structure, and we just took and expanded on that.
Then obviously, this role opened up at Children’s. And again, they had never had a CISO before, so walking into this role I was finding which framework to follow and getting my staff and team together. That’s kind of my journey. I don’t want to call them happy accidents, but it was just a lot of me working somewhere where I was able to pursue my passion and my strengths and them giving me all the reins I needed to take on new projects and expand things.
Guerra: What do you think it is about compliance and security that drew you to that part of information technology?
Rappl: I think that I realized — especially when putting in the electronic medical records and with the implications of HIPAA — that we needed better security over our health information. Selfishly for myself, for my family and my friends, and then looking at our patients and who we serve, I felt very strongly that we needed controls and boundaries, and was really drawn to how can you design and implement a system and really put those controls and restrictions in place. I think that’s what really drew me, because I understood some of the shortcomings, back in those days, and was really drawn to what can we do to make it so it works operationally. And how can we help people understand that patients have a right to privacy, just because their records aren’t all in a paper chart. People used to pull a paper chart and walk around with it, and people would ask, “Why have you pulled that chart?” But with electronic records, no one is reviewing that to see if it’s appropriate, and that’s what drew me to that, and realizing that the technology could help us do what the folks in med rec were able to do as “other duties as assigned.”
Guerra: You talked about the restrictions that security individuals have to put in, get to put in, and you saw a little bit of a Wild West out there in the beginning, pre-HIPAA, and realized they’ve got to put some controls in there. One of the main keys for CISOs and security professionals to be effective is to balance that security with usability; it’s always that fine line. How have you navigated that balance?
Rappl: Partnerships. I really think having good partnerships with our CIO and our CMIO and the clinical providers and having those conversations with them is key. For me, I can go and share with them the risks and the potential vulnerabilities for doing something a certain way. And providing an option. Like saying, instead of using a generic username, let’s look at tying this into our SSO and use multi-factor and really discussing with them the security benefits and have them give me that feedback on the operational impact. So, most of the time when you present it, I get a lot of, “that makes a lot of sense.” I think having those very straightforward and candid conversations is really what’s helped me gain that balance. And then also the ability to partner very closely with audit and legal and compliance so that we are all on the same page. So, it’s not just one of us hanging ourselves out there. We’ve really got to be that risk group so that we can share the potential impact of a practice that doesn’t necessarily meet standards.
Guerra: Can you talk a little bit more about articulating risk to the users that are going to make that type of decision?
Rappl: Unfortunately, all you have to do is click on any news site and you can definitely show risk. So you can say, “this is how Anthem was breached.” You can say, “this is how one of our fellow partner organizations was breached.” You can use those real-world examples of credential compromise. More or less, when we’re talking about our providers, generally it’s a lot of operational conversations about multi-factor; about using single sign-on; no generic passwords; and having to change your passwords. Those conversations, to me, are pretty straightforward because I can point to — off the top of my head — half a dozen examples and share that this is a risk that these organizations took, and they weren’t successful. They gambled, they lost, and the impact was huge.
Guerra: So, it sounds like most CISOs out there are going to be consuming an awful lot of information — an awful lot of news, right? A lot of Google alerts. You want to know about every incident, so that you can leverage it in a positive way for your organization. You also want to know about all the threat intelligence.
Rappl: It takes a village, right? I’ve got a great team. I’m not omnipotent and can’t obviously take in every single source. So, a lot of our team works collectively. We have daily standups. We talk about things that we’ve seen; alerts we’ve received; and really have those risk conversations on a daily basis, is what we do. What changes do we need to make, what do we need to put forward to mitigate against a potential vulnerability that’s been brought to our attention? For example, that zero-click iPhone piece. We use that as an opportunity to do some education for all of our employees, and we posted that on our intranet. I wasn’t as concerned necessarily about our own managed devices with that exploit, but that was a great opportunity to make sure that people see this in the news, explain what it means, and here’s some actions they can take.
I like to give our folks information that benefits them personally so that they have a little bit of an investment into the message that I’m sharing. So, it’s not all about, “we need you to do this again” within our four walls, or within our system, but this also benefits them at home. That way, when they see messages from me, they think they might get something out of this, a personal benefit.
Guerra: So they know that not every message from you is, “I’m getting slapped on the knuckles.”
Rappl: It’s not Debbie Downer every single time. It might not be the most fun thing to do to put some additional security settings on. If I’m looking at content, I like to have something that’s meaningful to me, something that resonates with me personally; for myself, my family, etc. And I think that using that formula for our folks, so that they get something out of it. It’s not all just, “don’t forget X or I’ll lock your workstation.”
Guerra: As you mentioned, you’re keeping abreast of breaches not just in healthcare, but maybe in comparable-sized organizations and you’re evaluating to see if this could happen to us, and if so, why. And if so, what can we do about it. And then bringing that to decisionmakers to authorize whatever it is that you want to do.
Guerra: That sounds like a great idea and a best practice. I’m going to go about the next question two ways: I’ll let you pick. You can talk about a few of the things you’re working on. Or if you prefer, you can talk at a high level about some best practice trends that you really believe in.
Rappl: I joined Children’s in April of 2020 and I came in with a fresh set of eyes, and literally coming in off of a ransomware event at my previous employer. I definitely think that all CISOs are served by having a good EDR (endpoint detection and response) tool. Not having a good EDR tool in your toolbox puts a lot of burden on your staff. I think implementing that was a big win for us. Also, logging. Hidden logging. We need to see what we can’t see. You don’t know what to protect if you don’t know where your vulnerabilities are. So, I think for me, it’s good EDR; it’s good logging; it’s good boundary protections. Obviously, two-factor authentication. Critical. You should make sure you’ve got all these rogue SaaS tools and applications, making sure you’re tying those in, using SSO and obviously into your two-factor solution. Account reviews are also big. That’s often overlooked.
And I’d say another one is vendor management. Healthcare has a lot of partners, and I love our vendors, but they can also open us up to a lot of risk. The vendors we have in healthcare, to me, are not on par from a security perspective as you would see in other industries. And so, you need to vet those vendors before you move forward with them and execute contracts. You also need to investigate their practices and how they’re going to safeguard your data. Also, find out how they do user management and account reviews. Those were the big items for me when I walked in the door.
Guerra: When you talk about vendor management, are you talking about business associate agreements, or more than that?
Rappl: More than that. The business associate agreement says, “when I get breached, you’re on the hook, and these are your responsibilities for that.” But more than that, you need to do some due diligence before you move forward with a vendor. You need to do security risk assessments. You need to be sure, if they’re a SaaS solution, that you have monitored their environment. There are several tools out there that you could use to see their score. Have they been breached lately? Have they had any known web vulnerabilities that have been discovered? Do they have a SOC (security operations center)—review their SOC, looking at any of their compliance materials. I think you should be really diving in; they’re your partners. It’s shocking how much data our partners have, and people don’t fully understand what they’re doing with that data.
Guerra: You said there is some sort of way to get neutral information on the vendors, or is a lot of it self-reporting — meaning, fill this out and tell me how great you are at security — and then you have to take their word for it?
Rappl: (laugh) Yeah, no kidding. We are actually going live with two tools. One focuses on the risk assessment, and it’s a nice easy straightforward way for the vendor to self-report, upload any documentation policies, SOC audits, etc., and any SOC reports. And then the other is a monitoring tool that you can enter that organization into, and it will do that passive monitoring and give you risk scores for the vendor.
Guerra: It’s definitely a big deal with all the vendors we’re dealing with. You mentioned boundary protections. Talk to me about how there is no perimeter, and it’s all going to be about identity now. Identity management.
Rappl: Isn’t that the buzz word of 2021? Zero trust. If I get any more zero trust emails, I don’t know what I’m going to do. I think for some sectors, zero trust is going to be a lot easier to get to. I think it’s always going to be a hybrid approach for healthcare. Honestly, I don’t think we’ll get our vendors to where we need it to be. I love the premise, and I loathe passwords, so obviously it has instant appeal for everyone. To your point about boundary-less — especially with the hybrid workforce — obviously, I’m talking to you remotely — I just think it’s going to take healthcare a lot longer to get there. The budgets that you’re going to need to get to zero trust, for us it’s going to be a five-year journey — plus.
Guerra: I spoke to a CISO who said it took him three years to get it done. He said it was a bear. It’s not easy.
Rappl: And you’ve got to have all the buy-in, right? You’ve got to have everyone willing to; that’s the mother of all projects. You’ve got to have cross-departmental buy-in to do that. You’ve got to have someone saying, we’re going all in. This is what we’re doing. I think that’s a journey that is going to be a steep hill to climb. But I’m excited. Also excited to see how the buzzword, how zero trust evolves, too.
Guerra: Do you think it’s the kind of thing where you can work toward it and it’s always positive to be working toward it, even if you never get there? For example, an organization that’s maybe 30 percent down the zero-trust road is not quite as good as someone who’s 60 percent?
Rappl: I think it’s a journey. Exactly right. I’m not looking at it saying, “oh, that’s so much, I could never do it.” I’m looking at it, saying, “what pieces can we start to bite off?” And so, we’re doing some road mapping and working, of course, with some vendors, to help us design a five-year plan. Where can we start; what incremental changes can we implement; and how can we budget and what’s the operational impact of that. It’s kind of like any of those large-scale organization-wide changes. It’s just you have to look at the whole change-management process. Or something of that scope. We’re at the very precipice of our journey. We definitely have it in our sights. It’ll be a hybrid approach for a long time, but you’ve just got to start your way down the path, right?
Guerra: Yes. So, when you mentioned the things that you believe in or you’re working on, you mentioned about seven or eight things. There’s the science to being a CISO; there’s lists, there’s specific things, do A-B-C-D, and you mentioned some of those things. It’s not easy being a CISO. We know that. Where does the rub come in? Why is it not as simple as, “do these 10 things and you’re good?”
Rappl: (laugh) Wouldn’t that be great? Well, it’s because it’s an arms race. You can put those pieces in place, but the adversary isn’t static. It is just a constant change and pivot in strategy based on risk. And then you open up new threat vectors, right? So, for example you can say, “ok, so we’ve done our stuff, we’ve put this out there, we feel fairly confident.” [Then you hear] … “Oh, well, now we’re going to go into the cloud. We’re going to take all our data and we’re going to move it over into the cloud.” Or, “now we want to start doing data warehousing and data analytics” — or other offerings or other methods to take your risk surface and expand it.
Guerra: That’s a really good point. You’re morphing and changing and moving just as the bad guys are morphing and changing, so nothing is static?
Rappl: Nothing is static.
Guerra: And then you’ve got those pesky humans, your users, who keep clicking on silly links and emails, right?
Rappl: I know. I tell ya. Although, you have to give it to some of our tools. Our tools are getting better. But just back to the arms race. As soon as the tools get better, then they’ll just find another way to approach an organization. If they find they’re not effective with email, then maybe they will focus just on web links or whatever. [The bad guys might say,] “We’re going to embed it in websites they would normally look at and then give them drive-by malware.”
Guerra: The social engineering to me is the most interesting, right? They get a little information from this person and from that person, and they use those little bits of information to really target a third person and they’ve got a lot of believable stuff in their email: “oh, Sally said this, and we know you’re buying that, and boom.” Right?
Rappl: It’s shocking how much data is out there on each of us, and that can be leveraged. Some of this is scary. Really, it’s a whole warehouse. It’s like an Amazon for bad guys. It’s getting easier and easier to directly target someone. To combat that I personally do an orientation with every single new employee. And I do this three times a month for new employees. I get 15-20 minutes with them to share exactly what I’m talking about. To say, “it’s not ‘Brad’ in a basement trying to hack your password.” These are scripted, targeted attacks, and our understanding of them has to mature so that we can all do a better job of protecting the organization.
Guerra: Where do you come down when issues arise? Healthcare wants to be big and happy and everybody holds each other’s hands. So, if somebody clicks on something, do you just take them out for coffee and say, “well, do better next time,” and does that ever end? Or do you sometimes say, “I’m sorry; you can’t work here anymore”?
Rappl: Here’s a good story that I’ll share with you on how I support this. We know of this individual—not here. This person was just known to click everything. The help desk could tell you who this person was. So there was an incident; a business email that was compromised that was localized. We’d done some gentle coaching, but my thought was, now you get to be part of the process. Now you get to come into our area, sit with us, go through, see the impact of this. And we had her spend some time in there. We were going through everything. Just so that that individual had visibility into the impact of their actions. And I’ll tell you what. That person became the biggest infosec advocate in the org. And I think it’s because they didn’t understand. [In the beginning, they may have said,] “yeah, fine I clicked that, and you had to do the one thing and that was sad.” Now, it’s like, “Wow, I had no idea.”
Even though we’d done some of that coaching. I’m very much a carrot-before-a-stick person because I’d rather win them over to my side and have them on the infosec team and one of the best folks who can defend us, rather than come at them with the stick.
Guerra: Absolutely; makes a lot of sense. Two more quick questions. Cyber insurance. I’ve heard a lot of stories that it’s very difficult to buy it now. You have to have many, many tools and procedures in place and it’s much more expensive than it was a year ago, probably because of all the ransomware and they’re trying to figure out how they’re going to pay for the claims. Have you experienced that? What are your general thoughts on the insurance issue?
Rappl: My general thoughts on that would be you’re exactly correct. Insurance is a business, so they know the risk. Before it was the spreadsheet and a questionnaire, and you filled it out and then that was it and you got your insurance. Now, it’s not like that at all. There are questions, spreadsheets, questionnaires, interviews, evidence. I think it’s like any other business. They’re looking at their payouts. And they’re looking at their risk portfolio. When you talk about monitoring, we had someone monitoring us, and I’m quite certain that that was probably our cyber-liability insurance carrier. So that gives you an idea. If I were them, that’s what I would do. That just shows how savvy they are and rightfully so.
Guerra: Any final thoughts you want to offer to your peers, CISOs at other hospitals and health systems?
Rappl: Keep up the hard work, everyone. This is not an easy role, as everybody knows. Kudos to everybody. I don’t feel I’m going to share anything that will be some wise nugget, I guess. Anyone who is a CISO knows that what makes a person effective in this role is relationships, because you have to be able to tell a story. You have to be able to share and break that information down and tell the story of risk and tell the story of how collectively we can make changes to reduce or mitigate risk. They’ve got to feel they are part of the journey, not being talked to and told what to do, but a part of the story and a part of the solution. And what has served me in my role is relationship-building and storytelling.
Guerra: That’s fantastic. Thank you, Melissa. I want to thank you so much for your time today. I think this is going to be really enjoyable for our listeners.
Guerra: You have a great day.
Rappl: You too.