Todd Bell, CISO and executive director of IT compliance at Valleywise Health in Phoenix, used to fight fires in the Colorado wildlands. Now he fights cybersecurity fires, and they’re both equally hard jobs, he says. In this interview, Bell talks about the trends and difficulties CISOs face in their roles today. Ransomware is rampant, and vetting third-party vendors is key, Bell says. He also firmly believes in challenging the IT team and himself to be better every day at protecting the security of the organization, including creating a safe environment for them to speak up when they see a potential problem. Bell also talks about being a fan of the cloud and concerned that some vendors aren’t doing a better job of product lifecycle management.
Bold Statements
We would like to be more aggressive with how we want to implement technology to provide better patient care, but the reality is that our vendors are really kind of slowing us down, unfortunately.
Kronos really opened our eyes, especially mine, that we have to go back and really look at some of our bigger vendors and make sure that we have better processes in place in case another one of our vendors happens to get hit by a ransomware attack.
I do have some concerns about people wanting to stay in cybersecurity for the long haul, because you know, it’s becoming a burnout job.
Guerra: Todd, thanks for joining me.
Bell: Thank you for having me.
Guerra: Happy to do so. Todd, can you start off by telling us a little bit about your organization and your role?
Bell: We’re an organization of just under 5,000 folks. We are a major burn center and also behavioral health and a teaching hospital. We have locations throughout the Phoenix area.
Guerra: Okay, very good. All right. One of my favorite starting points is to find out how everyone wound up where they are now. So, how did you wind up being the chief information security officer at Valleywise Health? What’s your career path that got you here?
Bell: It was a little bit by accident, a 115-degree day, unpacking a U-Haul, and a really upset wife. That’s how it started off as I relocated. And just as we’re unpacking the U-Haul – we relocated from Colorado to Scottsdale, Arizona – the CEO called me up and told me they did about a 70 percent furlough reduction. And so just as we were unpacking, we found out about the news. And so that’s when I had to get my butt in order and start calling around. And so coincidentally, I already knew about Valleywise Health and had some contacts and knew about the position being open. And that’s how I ended up becoming the CISO for Valleywise Health.
Guerra: But I’ve got to ask, when you got that call, was it an “Okay, I got this; I can handle this,” or was it “I cannot believe what just happened?”
Bell: You should have seen the look on my wife’s face. She wanted to kill me. I love her. She still stuck with me. And we made it to our 25th anniversary. (laughter)
Guerra: Congratulations! I see this is your first job in healthcare. Is that correct?
Bell: I’ve been in healthcare from more of an advisory and consulting perspective, but it’s always been on the back end. And this is the first time I’ve really been on the clinical side of the house. And so, this is where I have a lot of room for improvement to learn about how a hospital really works, because as you can imagine, COVID has just been such an interesting experience. I’m learning so much from a clinical side because there’s so much to know.
Guerra: Healthcare is often thought of as being quite a bit behind other industries. Some people say 10 years, some people say 20 years (depending on the industry you’re comparing it to) from just a pure technology point of view, and the use of technology. Having been in other industries, maybe you want to talk a little bit about that. Do you feel like that’s true? Obviously, there’s a learning curve as you learn the clinical environment. But do you also feel like there are some technologies and use of technologies that you’ve been exposed to, having been in other industries that you say, “Hey, we could use a lot of that stuff here?”
Bell: Yes, absolutely. And I think you are 100 percent right about healthcare that it’s anywhere from 10 to 20 years behind the curve. And one of the things that is really challenging is cloud adoption. I see that cloud adoption is much lower in this industry. I come from fintech and a variety of other industries. And obviously, in those other industries, people understand the benefits and scale and cost benefits of cloud-enabled environments. In my last job we were 100 percent cloud, and then I go into an environment where there’s a lot more on-premises equipment. And it’s not that people choose to make poor decisions. It’s really healthcare as a whole because this isn’t just a Valleywise situation. This is with our vendors, because we have so many of our vendors really holding our industry behind. At Valleywise, we try to do our best to be a forward-leaning organization. We would like to be more aggressive with how we want to implement technology to provide better patient care, but the reality is that our vendors are really kind of slowing us down, unfortunately.
Guerra: Well, what can be done about that? You know, so it’s interesting the relationship between a customer and a vendor. Sometimes, a lot of times, the customer has more power in the relationship, because they could go somewhere else. But sometimes – especially in the case of EHR vendors where you have a couple that have tremendous power. They have more power than the customer. Even though you’re a big health system – you’re still a little piece of their business. So how do you manage that, as someone who feels perhaps some frustration? Do you make phone calls? Do you talk to your reps? How does that work?
Bell: Well, we’ve made a lot of significant efforts to partner with our vendors. We try to jointly work with them. But we also know that it takes a village. And one of the things I’ve noticed about healthcare is this is an industry that needs to be disrupted. And so, if we look at fintech, we have all these mobile banking apps left and right. We have not seen major disruption from a healthcare perspective. And I think that this industry is ripe for a lot of new startups and companies to come be disruptive because I don’t think we’re ever going to move these big organizations. You know, there are huge companies out there that won’t give us the time of day because we’re such a small organization. But I feel that it’s going to take an army of startups. That’s going to start to change this industry.
Guerra: Some of the defense you would hear for why the industry is where it is, is they’re dealing with lives; they have to be very risk averse with trying new things. You’re not buying any of that?
Bell: Well, there’s a lot of truth to that. However, there’s a flip side to that. Our patients are demanding more; they want to have healthcare on their mobile phone, and they want better technologies. And so, our patients want better healthcare, and we want to deliver better healthcare. But unfortunately, we feel like we’re being held back too, because a lot of times we might have an older system. And our older systems don’t have a very good product upgrade path. If you really want to fix a problem, well, it’s going to be a huge capital outlay to buy a new piece of equipment. It could be an MRI, or a CAT scan machine. I wish there was a better product path from a product lifecycle perspective that requires major upgrades. And if we think about other industries, if it’s a piece of Cisco equipment, or gear, or Palo Alto Networks, there’s an upgrade path. I could keep patching this. I could keep upgrading. I could keep improving it to have a decent lifecycle versus, well, if you really want to fix it, you’re going to have to throw it away and go get a new system.
Guerra: You’re not seeing in some of your key vendors the upgrade path that you would like to get the features that you want to give to your users. So you go to the vendor, you see what they’re doing, and you say, “Hey, my users, they want to be able to do this, this and this. What’s your plan for that?” And they say, “Well, it’s not in the plan right now.” And that’s kind of the end of their communication back on that?
Bell: Yeah, because some of the discussions we’ve had, I’ve been really surprised that I’m really kind of being forced on an upgrade path of: ‘If you want these new features and new capabilities, you’re going to have to buy this brand new system,’ versus I wish there were a more refined product development lifecycle of that equipment. And I think that that’s just maybe a little short sighted compared to other vendors out there that do a better job with product lifecycle management.
Guerra: And you’re certainly not the only executive I’ve heard express this frustration. I’ve heard from others that if they don’t see it, if they’re not getting the response they want, they may just spend the money and do it, create it, build it, even. And then I’ve even heard people say we’ll build it, and then we’ll back it out if and when the vendor comes out within their own products. So, it’s a waste of money, but they’re then able at least to provide that functionality to their users in a short period of time, or when they want to do it. Is that something that resonates with you?
Bell: Well, it would be nice to do that. And I think that we’ve been in some circumstances that we’ve been able to improvise on shortcomings. But it’s very limited in what we can do. Right? And now, especially when you’re a safety net hospital, you don’t get a lot of budget discretion.
Guerra: Right, right. So, you’re looking for disruption, you’re hoping that that’s what happens, new entrants come into the market and disrupt the established vendors, give them a wake-up call. But health systems would have to vote with their dollars and have to embrace some of these new systems. But the problem is, the real issues are with the big vendors. You probably can’t get away from that, right? Because even if you use some of these ancillary new things that come up, you’re not thinking of replacing a core EHR, ERP vendor, are you?
Bell: Obviously, a startup isn’t going to come along and come up with a new MRI machine. However, they could look at that machine and see if there is a way to get the electronics out of this thing, and use some of these new technologies that are readily available to extend the life of that existing equipment. And so essentially, going in and modifying a piece of equipment, and being able to deliver greater capabilities and updated features and data-gathering and being able to aggregate that information – it’s almost kind of like, you see these aging executive jets; they don’t just throw the jet away, they go in there, and they upgrade all the avionics on that jet. They upgrade the interior to the avionics. The same could apply to healthcare, that we can have one of these smaller companies come in, and essentially retrofit an MRI machine or an x-ray machine to extend the life of it.
Guerra: You mentioned the cloud. That’s obviously something you’re passionate about. Any other technologies come to mind that you think could get a little more play in healthcare and help bring the industry along a little bit?
Bell: We’re seeing huge demand with mobile devices. And so especially, we’ve been doing a lot of remote patient care with mobile devices. People want healthcare in their hands; they want it to be very mobile; they want to be able to look at their electronic health records; they want to be able to look at their x-rays. How can we put that in the palm of their hands? We’re seeing a huge demand for that. And also, being able to integrate the experience as well, that we might have a patient go into a variety of different departments. We want to make sure that we’re aggregating all this information, whether it’s an x-ray, or a blood panel, and being able to have that information in their hands, and if they need to go somewhere else and see a specialist that we make that as seamless as possible for them.
Guerra: Very good. In your LinkedIn profile, you talk a little bit about business continuity and disaster recovery. And I was thinking about business continuity as a large enterprise-wide issue. One component of that could be business continuity related to IT security. You could have a ransomware event, something like that, that requires the organization to stop using its electronic medical records and go back to paper. That’s a business continuity issue. But again, one sliver of many different business continuity issues. So, tell me about how, as a CISO, you work within your organization on business continuity, and how you sort of play out scenarios. The idea of going to paper and back must be extremely complex, if that ever has to happen, because you would have to be working very closely with operations and clinical folks, very closely, for that to go one way and then back. So just give me your thoughts on how you’re looking at that.
Bell: Well, right now, we’re actually going through a business continuity challenge. We’re one of the healthcare organizations that has been impacted by the Kronos ransomware attack. And so, we’re actually living that right now. We have a daily incident command. Our CIO has done an amazing job spearheading that effort and trying to keep us on track because this wasn’t just about payroll. It broke a lot of processes for us, especially in my department, because it’s how we provision people getting them on-boarded and also off-boarded. And being able to track people’s time off to being able to do your W-2s.
And so, this was a very disruptive event. We’ve been having these daily incident command calls to get all of our ducks in a row, because we have gone from an automated process and never having to use Excel spreadsheets to being able to create timecard stamp systems for people so they can go to a website and clock in and clock out. We had to build our own infrastructure. Our applications team did a great job pulling that together. But you know, we’re actually living it right now. And so, it’s been very disruptive. But our CIO is getting us through this challenging time.
Guerra: Yeah, I can imagine, how do you think that the Kronos situation is similar or different to a ransomware attack?
Bell: Well, they were impacted by a ransomware event. And that’s what they publicly shared. And they also shared that their backups were also impacted on that. And so, while we have the cloud option that we’re using, we’re not using the on-premises one. We have it so integrated with our business processes throughout our organization. And that’s what became such a disruptive event. And that went so far beyond just the payroll system.
Guerra: I guess a better question would have been, how are you affected as a third party from the ransomware? It wasn’t a direct attack on your organization, where you’re dealing directly with the FBI. Correct?
Bell: Well, this is the side effect of relying on a third-party vendor, that had a huge impact on us. And so, this was a wake-up call for us. Now we’re fully cognizant and we have an emergency response team, and we’re ready for disasters. But this one was a real punch in the gut for us. And it’s a real eye opener, because I think that we recognize that there are opportunities for improvement to look at some of our other big vendors to make sure that we’re ready. And some of them, you know, we’ve already done a lot of drills. But I think that there are other vendors that we probably could have done a better job with, you know, doing more exercises and drills to make sure that we’re ready because the third-party vendor really, really caught us off guard there.
Guerra: Yeah, it’s a huge issue for health systems, the third-party vendor issue. And I’ve talked to people, and they talk about getting a better process of onboarding the vendors, more than just a questionnaire that somebody fires off. Who knows how closely it’s reviewed? I don’t know to what degree things are checked. And then there’s the issue of some systems establishing a good method for checking new vendors, but they can’t go back and check the other hundreds. And you can’t just check the big ones, because sometimes it’s the small ones that are going to get you because they have fewer controls, because they’re smaller. So, it’s a big issue. What are your thoughts on how you’re going to go about trying to get a better feel for having your arms around this?
Bell: Well, as you pointed out, you know, for any time we have new vendors, we have a very robust IT security assessment process. And I would say, half the time, vendors do a great job getting back to us with the right information that we need. And 50 percent of the time, they don’t know what the heck we’re talking about. And those are the ones that we make recommendations of maybe they might want to look at somebody else. And so, you know, we try to help guide that process. But the reality is that when it comes to our previous vendors, we already have agreements locked into place. I think Kronos really opened our eyes, especially mine, that we have to go back and really look at some of our bigger vendors and make sure that we have better processes in place in case another one of our vendors happens to get hit by a ransomware attack.
Guerra: You mentioned possibly suggesting that some of the business owners maybe look at another vendor, if you’re not liking what you see, when it comes to the security assessment. Have you found that that process has become easier with all the breaches? That there’s some upside that people get it now? If you say, “This isn’t going to work out,” regarding a particular vendor. If they’ve heard about some big breaches and downtimes, maybe they aren’t as likely to say, “Stop standing in our way and impeding business and go away Mr. IT Security person.”
Bell: You know, you’re so right on that, Anthony. I think we’ve all seen a little bit of that; ‘It’s already been approved, we got the money, you know, get out of the way, just check your boxes and move on.’ But I think that, because we see so many health care systems, unfortunately, being impacted by so many cyber-attacks that I think people are slowing down and respecting what we’re saying, versus maybe a little while ago, it may have been taken a little bit lighter than now. It’s being taken a little bit more seriously.
Guerra: I hear a lot that as a CISO, you don’t want to be the party of no, and you don’t want to impede business, you want to help everyone do what they need to do and just make sure security is taken care of. But you want to be an enabler? Is that how you look at it?
Bell: Well, yeah, I feel like I try to run IT security almost like an advisory organization. And so, we’re there to advise and inform. And so, you know, I’m not going to be able to supersede an EVP that is dead set on purchasing something. But what I can do is inform them and educate them and let them know about the risk of something. And then it’s really up for the executive leadership team to decide if they are willing to accept that risk, or if they want to mitigate that risk, or if they want to use insurance, or they want to add on some controls to it. And so that’s how we holistically look at risk.
Guerra: And, your appraisal could range from, well, this isn’t the best in the world to, you have to be crazy to go forward with this (laughing). And I’m not saying you would use those words, but I’m guessing in your evaluation, you could be at two ends of the spectrum.
Bell: What we do is we give a recommendation. And so really the recommendation is to maybe look at somebody else, or that they’re fine, and we can manage this risk. And so, we had one a couple months ago, and they respected what we said. And so now they’re looking at a different vendor.
Guerra: You wrote in your LinkedIn profile that you do the “hard work” to change and transform global enterprises to maintain digital competitiveness. I’m guessing the hard work has something to do with people; that’s where the work is – building the relationships to be effective. It’s not about technology. So, is that what you mean by the hard work?
Bell: Absolutely. And it really comes down to leadership effectiveness, and also being able to be what I consider a high performing organization. And what I mean by that is, it really comes down to good stewardship of your systems. And I’ve seen a direct correlation, that an organization that has a very well-disciplined leadership team, and is a very good steward of its environment, has very good business outcomes. And I know you’ve seen the data points as well, versus an organization that wants to run loose and fast – just slap it in and get it going. Because there’s a lot of downstream impact with that.
We get our hands very dirty; we do very difficult, tedious work that most people wouldn’t want to do. But it’s how we make our organization better. Because when you start to do it over here, it starts to permeate in other parts of the organization, and what we’re really trying to strive for is very good stewardship of our systems. This way, we have better agility, and are able to be more competitive with our peer organizations out there, but also make us more efficient at what we do. Because if you have really sloppy IT, you’re not going to have very good business outcomes. You’re always going to be in firefighter mode. And I’d rather be in proactive mode where we have good options versus lousy options.
Guerra: You gave me just a perfect segue with your reference to firefighter mode. You know what I’m going to say; you’re a wildlands firefighter. Tell me about that.
Bell: We have a ranch in Colorado, and I started being a volunteer with a couple of fires and you know, that second fire that took down a lot of acreage made me realize that I’m really putting myself in insane risk, and I need to get some professional help. And so that’s when I joined a local fire department and got federal training as a wildlands firefighter. This was during the Hayman fire era in Colorado. And so, from there, I ended up becoming a state certified firefighter and hazmat person.
Guerra: You were fighting fires initially without training. And you thought it was a tad bit risky. You brought your CISO risk assessment hat to your firefighting activities and said, “This is no good.”
Bell: Yeah, and a little bit of the wife factor too. You know, like, “What the hell are you doing?”
Guerra: What are you doing? Right? So, then you got trained? And obviously, we just heard about some fires in Colorado. But you’re not there anymore, correct?
Bell: No, no, no. And I’ve gotten out of the fire service, too, you know; it’s a young man’s job. That is a great life experience for me. And it’s just kind of funny – I might not be physically fighting fires, but I really fight fires from a virtual perspective in the cyber world. And it’s a daily cyber fight. And it’s getting harder and harder, you know, a lot of CISOs out there are getting burned out from this position, because things just keep getting harder and harder. Every week, you know, we’re experiencing cybersecurity incidents, just to a whole different degree. And I’ve never seen this kind of activity in the past. The activity just keeps increasing, and it’s getting harder. And I think long term, I do have some concerns about people wanting to stay in cybersecurity for the long haul, because you know, it’s becoming a burnout job.
Guerra: Yeah, I mean, it totally makes sense to me why it would be a burnout job, especially at your level. It would seem to me a 24-hour operation, at least where you could be contacted, if it escalates. I assume you have processes where you try not to let everything escalate to you getting a call at 3 a.m. Maybe only for something extreme, but how do you keep it from being a 24/7 job?
Bell: Well, unfortunately, it is. But we try to take a lot of proactive measures. And so, we do a lot of scenario analysis; what if this happened? What if that happened? And we dedicate time every single week to challenge ourselves. What are we not paying attention to? You know, what do we need to be doing better at? And when you look at people that are high performers, they always challenge each other, you know, it’s like, how can you be better? How can I be better? And I’ve created a safe work environment, where I allow my staff to tell me that, “Hey, boss, you’re not doing this, right.” Yeah, it’s okay. And there’s no consequences. But that’s how we raise the bar on each other to deal with this, because it’s how we’re getting better at this job.
Guerra: And that’s another sentiment that I’ve heard, which is, you have to cultivate that environment where people will speak up, if you shut them down too quickly, or you’re dismissive, you’re going to lose out because you’re not going to get that feedback you need, you’re going to miss something. Makes sense?
Bell: Yeah, you’re totally right, Anthony.
Guerra: Why don’t you give me a final thought before we go. A piece of advice. We all have unique experiences, and we can offer something. What’s your best piece of advice for your CISO colleagues?
Bell: You know, it comes down to being able to maintain the respect and credibility and organizational effectiveness. I always challenge myself; I’m my own worst critic. And I always find a way to self-improve. And I always feel like I’m a work in progress all the time. And I think it’s so important to be humble. You know, yeah, we’re in demand right now, but not to be arrogant about that, but to be wise about what we’re trying to accomplish because I look at the greater goal. And that is, I’m trying to protect our patients, our employees, our contractors, our vendors. This is an ecosystem that I want to protect as well as I possibly can. And I have to be humble enough to accept feedback, even if I don’t like it. This makes me more effective as a leader.
Guerra: That’s a really good point, because healthcare CISOs are in such high demand; getting calls from headhunters. It’s a good time to be humble, right? Todd, I want to thank you so much for joining me today. I appreciate our chat.
Bell: Thank you so much.