In this day of the Great Resignation, when organizations in every sector, not just healthcare, are struggling to maintain a workforce, Rady Children’s Hospital and its CISO, Sahan Fernando, are not in a bad position. The hospital has always endorsed remote work, according to Fernando. Rady invests heavily in the people behind its mission, and that means being flexible. When it comes to “good talent” and “really good people who you want to stay, you find a way to make it work as much as possible,” Fernando says. He also offers insight into some of the lessons he’s learned as a CISO through the years.
VPN is not a right. It’s a privilege.
I still have to understand technical things, but more of my job is working on business problems and helping to make secure business processes.
I try and teach this lesson proactively: think, to the greatest extent possible, what is the impact of what you’re about to do?
Guerra: Sahan, thanks for joining me today.
Fernando: Thank you so much for having me on.
Guerra: All right, if you want to start out, tell me a little bit about your organization and your role there.
Fernando: Absolutely. So Rady Children’s Hospital is a healthcare system based out of San Diego, California. We have a couple different areas from which we serve our pediatric population. So that includes from pre-birth support all the way up to birth and through later stages of life. I believe the oldest population we serve goes up to about 21 years old. So, we really work through all stages of development with our youth – serving not just San Diego County, but Imperial County and Riverside County, as well as working with other hospitals on strategic partnerships, both nationally and internationally. My role as the chief information security officer is to oversee the information security program across all of our organization’s units, so that role oversees a team that serves not just the acute care hospital, but our Genomics Institute, our primary care, and various other interests.
Guerra: Very good. Okay. So, I like to find out how people wind up in this interesting spot—pretty “nichey,” I like to say. It’s not just healthcare; it’s not just security; it’s healthcare IT security. So how did you wind up here?
Fernando: Boy, well, the shorter version is with a lot of luck. I’m definitely very, very fortunate. So, I attended Gonzaga University up in Spokane, Washington. And I had studied computer science, a little math, but really, my major was in business management information systems. I grew up with very classic, casual computer use. And as the Internet became a little bit more ubiquitous, I was finding lots of ways to explore gaming and knowledge and media, all sorts of fun stuff. I knew I liked technology. Initially, I was really looking at casting a pretty wide net as I was getting ready to finish school. I definitely waited a little long on the job search front. I didn’t really have much skill in terms of coding. It really was never my strength.
And so, as I was searching around, I really was looking more at what was tech-related and was it in a place I felt like living and I was very fortunate that I applied for an information security analyst job for a managed security service provider in town, and somehow got an interview. My former boss, who’s still a very close friend of mine, said that the cover letter apparently went a long way, and so I managed to get an interview and they decided to take a chance on me, even though I didn’t know a significant amount of the more technical questions that were very security specific. They asked what a botnet was. And I was pretty candid, that I wasn’t sure, but I also could figure out what it was if they gave me two minutes. And so, I started there as just a tier one analyst in a rather fledgling security operations center, fresh out of college. I’m also a former division one athlete for men’s rowing. I think that competitive energy really needed an outlet. I put it into work.
My parents also provided a good example in terms of work ethic, and the very classic: work hard to advance yourself. I was fortunate, I didn’t have a lot of other commitments, as I was volunteer coaching, but otherwise, I just was able to really apply myself to learning more about the field I just wandered into. Initially, I was feeling very overwhelmed, thinking, “Oh my gosh, what did I sign up for? I don’t understand what this is.”
You know, one of those teaching anecdotes I always like to share with folks is we all start somewhere. For a couple days, I kept plugging in RFC 1918 addresses, you know, private addresses, into IPVoid, not realizing that, of course, there’s no context for those outside of the internal network. With a lot of help from my peers, very supportive management, very patient management, and a good amount of trial and error with internal IT, and then helping customers really take advantage of opportunities to continue growing – and not just in InfoSec, but other tech stuff too – as I mentioned, it was a service provider, I learned. And so, it was professional services, security consulting and managed services; I worked a lot with our managed IT customers. And that was a good way to, I think, develop a little bit of, not just empathy, but actual sympathy for sysadmins, and how to work with them. What does that actually look like for them on the day-to-day in their millions of priorities? But also, that viewpoint of, okay, here InfoSec says it does this thing, but what does it actually look like to go do it? From there, I just kept working towards opportunities to advance. Eventually I was able to move into a management position and work my way from there, and then I was very fortunate to join the Rady team in October 2020.
Guerra: Take me through that jump from non-healthcare to healthcare. What made you interested? Was it just that an opportunity came your way? Because I’m interested in the perspective of someone from outside of healthcare when they come into healthcare. There’s a lot of things to learn there. But they also bring a lot to the table. There’s a big appetite for people from outside of healthcare, who know technology, to come in. Take me through that transition and why you decided to come to healthcare as opposed to financial services or anything else?
Fernando: Great question. Loaded question, for sure, in a good way. In my former roles, I did a lot of consulting work, you know, staff augmentation. And being a managed service provider, we worked with a lot of financial and healthcare clients, especially because they were regulated industries; and really, the ones who are most risk averse for obvious reasons. They reached out quite a bit. My first real experience with healthcare was as a staff augmentation resource at a now defunct healthcare system in California. And at the time, they didn’t have any security personnel. We were brought in to try and really bring things up to speed as much as we could. They were going through quite a lot of strategic organizational shifts, we’ll call it, and so there was a lot of not just, “Where are we at now,” but also, “How do we bridge the gap to where we want to be?” and address a very significant amount of risk, and that actually coincided with when WannaCry came out.
There was a decent amount of risk from Windows XP systems still on there, things like that. So that was my first foray into really hands-on healthcare IT work – healthcare information security – because even though my role was focused on being an information security engineer, and more technical things, I got to deal a little bit with how we look at it more holistically on information flows throughout the system, both electronic and on paper and such, and so that was my first experience.
And then we started working with a pediatric healthcare institution in the Southwest, doing a lot of consulting and managed security work as well. And we were very closely integrated with them. I think they still do quite a lot with my former firm. That was another opportunity to really learn more about the ins and outs of what does it look like for, you know, staff, on the security team, when you’re dealing in these very complex systems and tons of teams.
Through all of that, I always liked healthcare. I like the idea of working for an organization with a real mission in pediatric healthcare. That hospital really talked a lot about the mission. And that really struck a chord with me. You know, I think most people who go the fortunate route don’t have many encounters as a child in the hospital outside of primary care. I had asthma growing up that was more severe. So, I had encounters, even staying in the hospital overnight from asthma attacks. And so being able to now be in a position where you can contribute to that sort of mission and vision of both acute and primary care and other sorts of ways to enhance the lives of these kids, seemed like a dream come true.
Guerra: I don’t think you get more meaningful than pediatric healthcare. I’ve got to go back. Because you mentioned something that was pretty interesting. You mentioned this cover letter that you wrote that you thought had a tremendous impact, and you kind of left that hanging. So, I’ve got to know what was in that?
Fernando: There was obviously some generic text, but I tried to tailor it to the firm. I mean, show that I took enough effort to look at their website, you know, “Hey, I’m applying for this position. Here’s my background. Here’s some stuff about me, would love to, you know, connect and have an interview.” So fairly high level.
Guerra: I’m glad it worked out. Your cover letter story made me think of something. I spoke to another CISO the other day, and we talked about how there’s a lot of talk about a lack of talent out there. Not a lot of people looking for jobs, not a lot of qualified people in healthcare, especially in healthcare IT – probably especially, and even more so, in healthcare IT security. And he was saying, “I don’t need you to come in with all this experience. But I want you to come in showing you did your homework, that you did your homework on the organization, and that you’ve done your homework, in general, on what’s going on in healthcare from a security point of view.” So, again, you don’t need 10 certifications, but show me you did your homework. And from what you’re saying you did your homework; that’s a best practice. Do you see applicants coming in not having done their homework?
Fernando: Occasionally, I think that does occur. People apply online. We don’t generally proceed with an interview. I do try and give feedback whenever possible to applicants on, hey, “You know, we’re choosing to move on with someone else at this time,” or “We’re not going to interview at this time. But here’s maybe two seconds of feedback on your resume as to why I made that decision.” I think it goes a long way to show that you did do that homework, at least read through the job description with more than a minute of thought and really prepped yourself for what you’re getting into. And I would agree with that, especially that certifications are really a double-edged sword. And I say that as someone who used to really hunt for those as a former consultant. They show you can pass a test. You’re kind of going off the quality of the test, and some people aren’t good test takers, right? Some people are great test takers. So, a lot of context gets lost in there. It’s just a way to maybe open up some more doors, but I would concur with that person that I really look at more what’s your experience? Do you bring something unique? Did you write something compelling that caught my attention as much as possible? Maybe I’m old school, I really like when people add a cover letter, because it does take that extra two seconds versus mass uploading your resume everywhere. And so, I think the other part too, is obviously with the mission that’s important here. Is something in your resume speaking to what we’re trying to do here? And so, I think that’s always going to be different depending on your management style, the type of team that you run, the culture of the organization. You know, not everywhere is a good fit for everyone, and that’s not a reflection on you, or us, in a bad way. It’s just sometimes what you’re looking for isn’t what we are looking for. You know, and that’s great. I’d rather save you and us a lot of pain and be realistic.
So that if you want to come here, awesome, because we have to sell ourselves to you as well. It’s just as much about you interviewing us.
Guerra: Are you feeling that talent dearth out there? Are you seeing a lack of available people for the skill sets you’re looking for?
Fernando: I would say that I was expecting more people to apply when we posted positions within the last year. I mean, it’s great not having to sort through tons and tons. I’m okay with that. I personally reviewed every single one that came through; I didn’t want it to get prescreened. Because I believe in giving opportunities to folks that could get screened out by various pieces of recruiting software.
And so, I will say we had two net new positions this year. And it took some time to fill those. A lot of that’s also my fault. We’re busy, and we want to be intentional. It wasn’t just one interview, and I wanted them to make sure they had a good sense of who we were – not just on the InfoSec team – but also a chance to talk with other teams; the people that they would really be working with, week to week. And so that was one thing that I thought was very useful was here’s a chance to talk with someone from the infrastructure team, for instance. Ten minutes, nothing necessarily technical, but just get their feedback on if this is someone you want to work with. Because if we kind of break down those silos, I wanted them to know that they have my respect and their opinion matters. And, I didn’t want to bring in someone that knows a bunch of security stuff, but they can’t collaborate with people who aren’t security people.
Guerra: Right. Right. So, you’re in Spokane, right? The organization is in San Diego. Does it vary by position, when you have an open position? Are there certain positions where you want them on site and other positions where they could be anywhere in the country? How are you handling that with the new remote workforce environment, which is something you also need to secure? (We can roll into that discussion right after this one.) But how are you handling staffing up?
Fernando: We are super, super fortunate. The organization was always very forward thinking on the remote work front, even prior to COVID. We have employees in multiple states that were full time remote prior, including members of my own team. They were always very cognizant at Rady that good talent, really good people who you want to stay, you find a way to make it work as much as possible. And then understand that the common phrase is very much around, you know, “mission first, people always,” and that gets echoed from the CEO all the way down. It’s a very cohesive message. We really do put a lot into the people that make our mission possible. And so thankfully for InfoSec, we’re able to have talent just about anywhere. I mean, if there was really a crisis, we’re not going to be worrying about the extra two hours for someone to fly down. We have a lot of folks that are in the San Diego area, but my approach has been, “You’re an adult. Do you want to come in every day? Great, we’ll have a space for you. Do you want to come in once a month? That’s fine too. We’ll have a hotel desk or something.” We really look at it as a flexible approach based on each person’s needs. And then I just let them know, “Hey, I’m going to be in the office these few days, if you want to come and meet up in person. Great. We can go grab lunch, outside these days, and have a chance to connect in person.” So that’s been our approach. Seems like it’s worked really well. You know, they can go in obviously, on their own if they want to meet up and do some strategic projects together in person. The hospital’s definitely been very, very supportive of that.
Guerra: Like I said, we’ll go right into one of the biggest topics for all CISOs, healthcare CISOs as well: the remote workforce. How has it changed the attack surface and the potential vulnerabilities, having lots of staff working in a hybrid fashion, some totally remote, some in and out? People want complete mobility, flexibility; they want to work when they want, where they want, on whatever device they want, in whatever location they want. So how has that made your job more challenging? How do you deal with that?
Fernando: Yeah, I wouldn’t say it has made it terribly challenging, because I was always a big proponent of, to your point, that more mobile approach: how do you empower that? And so, like I mentioned, we already had folks that were full time remote as is, and you know, VPN is not a right. It’s a privilege. So how do you design your security architecture so that it supports those sorts of processes? That has always been my mindset. And so obviously, with the advent of cloud computing and moving to a more hybrid, distributed model, you really need to factor in those sorts of things. What constraints do you have? Are you putting all your eggs in one basket? And by that, I mean, if everything’s in one cloud provider; you don’t do your due diligence; and there isn’t geo-redundancy; are you suddenly putting a whole bunch of people out if there’s an outage?
I think the biggest challenges are making sure the end user experience is as cohesive as possible, so that it isn’t cumbersome and an impediment to normal operations. We don’t want to backhaul all your traffic to our data centers. That’s not really the approach we want in order to put in certain controls. So how do we work with that? How do we make sure that operational needs are still met? How do we make sure that patches are going out? How are we getting reporting back? I think that is an area that we had to shift a little bit as far as doing vulnerability scanning for remote endpoints. That was a little bit of a challenge at first, and then doing all that without the impact on the end user experience. We don’t want to install a billion agents on people’s computers to do all these different things. Looking holistically at how all these things are complementary; sometimes is it better to go all-in on certain providers like Microsoft, because you have one agent to do all these things? We really looked at it as flexible, and we are trying to keep it as lightweight as possible. People can do what they need to do, but we can be as granular as we need to be on our controls across the board.
Guerra: Yeah, and that’s the balance, right? It’s between end user experience and putting the security measures you need in place. If you took them all out, it might even be a better experience. But that’s not going to work because you’re going to get some sort of infiltration and the organization will be shut down and back to paper, and all that bad stuff. So it’s about putting things in that make that as good an experience as possible, while still accomplishing what you need to from a security point of view. Is that how you describe it?
Fernando: Yeah, I would absolutely say so. At the end of the day, we’re here to support the organization’s objectives, and so if we can’t treat patients in the hospital or elsewhere, then what’s the point? So, my philosophy has grown from the beginning. There have definitely been some harsh lessons learned, but those are great anecdotes that I get to share with people as I work with them. How do you balance that? And really, I think that’s one of the things that people don’t realize when they move into this role is that this is not as much a technical role as it is a strategic business leadership position. I still have to understand technical things, but more of my job is working on business problems and helping to make secure business processes. I have to be able to understand both very much in order to be effective.
Guerra: You mentioned lessons learned. I don’t know if you were alluding to the idea of users pushing back on measures. We know how things sometimes work in a hospital. Sometimes the providers are not so gentle in expressing their opinions if they don’t like something, and sometimes that comes down on IT. And especially on IT security, if their login isn’t working, or something’s taking longer than it should. Are these some of the lessons learned?
Fernando: Thankfully, at Rady, we have fantastic relationships with our providers and nursing staff across the board. People are really cognizant of how important information security is. So, I really want to call that out; that goes a huge way. Previous leadership and IT leadership have always provided feedback loops. And so thankfully, no touching the hot stove here, at least as far as I’m aware. But definitely at other organizations, again, thankfully, not so much with healthcare.
But you know, the one that always comes to mind is there’s a manufacturing plant we were working with, and we set up a new plant for them. And I was the primary person doing all the work. And I put all the switches in on the guest network, thinking I would go in and put specific ones on the internal one. And that was absolutely a horrible idea in the middle of setting up a new facility and without really communicating with everyone. So that’s where I think the biggest lesson was learned. My former CEO did come in and kind of give me a real heart-to-heart on that. And yeah, it was a good lesson learned. I never forgot that. I try and teach this lesson proactively: think, to the greatest extent possible, what is the impact of what you’re about to do? Whether it is changing a security setting, if you’re blocking some indication of compromise, or if you’re exempting a directory from anti-virus scanning, think, to the fullest extent possible, what are the consequences that may now occur?
Guerra: We talked about people pushing back a little. I think we probably don’t see as much as we used to, with all the high-profile breaches. Would you agree that among the general users there’s much more understanding of the implications of a breach and that it makes your job easier?
Fernando: Yes, absolutely. Part of the role is definitely education around specific instances where risk was realized. And for better or for worse, there are a lot of very public examples now. But the other side of that is those are teachable opportunities. And I think that’s also why there’s such a sense of camaraderie in the healthcare CISO community, especially among the pediatric CISOs, is that none of us ever wants to be in that position. We really collaborate on how we can be most effective at our own organizations — and that includes the user education side for sure.
Guerra: Let me ask you an open-ended question and see where you go with it. What do you think is the most compelling technology trend in healthcare security that you think maybe some of your colleagues are not totally locked into, but they should be?
Fernando: Top of mind for me, something that doesn’t have commonplace usage yet, but I think should and will, is remote browser isolation. That is a really unique approach — especially if you take a more active approach on making it more integrated with your other controls. So, you’re not just buying a tool for a tool’s sake, but how does it fit in with your web filtering, your application control systems and things like that — that reduces a significant amount of risk.
If you can keep malware from ever reaching a system, that sort of remote isolation is key. And some of the more granular capabilities from a phishing standpoint; if you can block people from actually providing input on a website; some of them have those capabilities where you can view it, but you can’t enter anything in. I think that really goes a long way. And certainly not everyone’s looking at it yet, but it’s gaining traction.
Guerra: I just want to ask one final question. How does a kid with asthma become a division one men’s rowing athlete?
Fernando: I’m very fortunate that my freshman year of high school I just wandered into rowing because of my carpool. My asthma became much more manageable. I stopped needing to take a daily inhaler. Throughout my entire rowing career, I actually didn’t even touch one, whereas before I was taking it up to three times a day. I think it really helped control how bad my asthma could get. There were probably some limitations put on by asthma from what my potential was, but it doesn’t necessarily have to hold you back from pursuing those opportunities, and it was great to not have to think about it for a really long time.
Guerra: That’s fantastic. Do you still row at all?
Fernando: When I can. It’s tough to get out there. This is first and foremost. Anyone who has used a rowing machine knows how painful those are; but it’s usually the easiest way to row. I’m going to do that right after this, actually.
Guerra: Oh, good. Well, Sahan, it was a pleasure talking to you. I really appreciate your time. Looking forward to catching up with you again in the future.
Fernando: Absolutely. Really appreciate you having me on and hope I was helpful.