Intermountain Healthcare AVP/CISO Erik Decker wants health systems to know that implementing a handful of approved best practices can go a long way to staying out of hot water.
“ … when one of us fails then we can have catastrophic consequences across the board.”
“The adversaries have a lot of resources. They only have to figure out one way into an organization and we’ve got a million ways that we’re trying to keep our eyes on.”
“Frankly, if you implement the practices of some of these things that we produce out of that working group, you get relief under enforcement.”
Anthony: Welcome to healthsystemCIO’s interview with Erik Decker, Assistant Vice President and Chief Information Security Officer with Intermountain Healthcare. I’m Anthony Guerra, Founder and Editor-in-Chief. Erik, thanks for joining me.
Erik: Thanks Anthony. It’s a pleasure to be here.
Anthony: Let’s start off. You want to tell me a little bit about your organization and your role?
Erik: Intermountain Healthcare is an integrated delivery network located in the mountain states. Based in Utah, but having a presence in three surrounding states and really an 8-state strategy. So we’re about 25 hospitals, we have one virtual hospital, $11 billion in revenue, 43,000 what we call caregivers. We consider all of our employees to be caregivers and part of the care continuum, and up to 2,800 beds. We also have a plan, a payer plan called SelectHealth with a million members in that. So that’s what ultimately the integrated delivery network is all about. Our mission for Intermountain is to help people live the healthiest lives possible. That is what we focus on, really quality care at appropriate cost is the key thing.
So my role as AVP and CISO is to help protect this organization, protect the safety of our patients, the digital enterprise, the financial assets of the organization and the privacy and confidentiality, of course, of our patients and our members’ private information.
Anthony: Very good. You’ve always been pretty involved with a lot of different groups volunteering your time, your energies to engage and to help formulate different pieces of content that can help others do their job better. Where did that come from? Have you always done that? Did something wake you up to that at some point and you kicked it into high gear? Tell me about that and then tell me a little bit if you want to go into specifics about some of the main groups that you’ve been involved with.
Erik: Cybersecurity is kind of one of those things where we only do better when we’re all doing better. So we all have to be in this game. We all have to be protecting our assets and our people. And when one of us fails, the “weak link in the chain” kind of concept, when one of us fails then we can have catastrophic consequences across the board. It’s also something that’s not really a competitive advantage. Like when I talked to my fellow CISOs that are out there, we openly share our tactics and techniques, because the mission of what we’re trying to do is noble. We’re trying to help people. It’s not about bottom line, that kind of stuff. There’s a part of me that’s just always been that way. I learn best when I talk to my peers and I talk to other people. I like to hear from other people who have already gone through some challenges and learned.
So I’ve always felt that it’s best to have a good network and a good community to share that stuff with. So it was kind of natural when, I think probably the impetus was in 2014 when I joined University of Chicago Medicine as their first CISO, my old boss, Erik Yablonka is a fantastic mentor of mine. He really introduced me to some associations and said, “Hey, get out there and try to do some good and we’ll support you in the process of doing that.” And, also kind of around that time, and we’re still in this time right now, the whole healthcare cybersecurity problem is still in its forming stage and we got to solve for this space. We’re actually not in the beginnings of it now and we’ve made significant progress over the last five years. But I saw that opportunity and thought, “Hey, there’s not a lot of solutions like at a national level, at a global industry level,” those kinds of things. There’s not a lot of solutions that are out there. So it’s ripe for opportunity. It’s right for making a mark, for being able to lean in and try to do some good and honestly, that drove me. It truly is a second job, I mean, there’s a lot of work that goes into all the outside stuff that I do.
So just again, to kind of give some examples of this, obviously, there’s a lot of associations that are out there that people can get involved in and they should. There are professional organizations within the cybersecurity community that are across industries. There’s a lot of really good ones that are out there, and I highly encourage folks to participate in those. That’s where you can find good networks of common people and see how the problems are similar or dissimilar. And then within healthcare alone, there’s also specific trade associations and things like that that you can get involved in.
I’m involved in those, and also the work that I do is part of a government public/private partnership. So it formed around 2007-2008. A presidential directive pulled together and identified 16 critical infrastructure segments across the country. These are critical infrastructures that are run by private industry, there’s a national public safety, national interest in making sure that they are run appropriately. So these critical infrastructures come together with a government counterpart and an industry counterpart. There’s an all-hazards version of this, environmentals, the physical threat, the cyber threat. All those things mesh together and that comes together in these things called the SCC (Sector Coordinating Council) and GCC (Government Coordinating Council).
So what I’m involved in is there’s the healthcare version of that. There’s things like finance, oil and gas, energy, et cetera, transportation. These are all part of the 16 critical infrastructures. So the one I’m involved in is the Healthcare Sector Coordinating Council and Government Coordinating Council. The one that deals with the all-hands, I’m a co-chair for that. Below that, there is a group called the Cyber Working Group. And when the Cyber Working Group works with the government it’s called the Joint Cyber Working Group, joint because it’s government. So I helped establish the latest iteration of that group back in, say the 2017-2018 timeframe. I helped lead the recharging of that. There’s a new executive director that got put in charge of that group. And we went from a pretty nascent group of maybe 30-50 organizations that were part of it to 300 organizations today that are members. We have over 700 actual individuals that are part of it.
So with that, there’s an election process. I served on the executive council of that for three years. I just rolled off of that last December and I was elected as the chairman of the Cyber Working Group for the next two years. And in that group, what we do is we have 15 task groups where we organize and we’re building content. We’re building resources, practices, methodologies, et cetera, that help set the stage for what we should be doing in cyber and healthcare. And there’s lots of different facets to these problems which is the reason why there’s 15 task groups.
And then the last piece of this, I know this is so much, but the last piece of this is one of those task groups that’s in there is the 405d task group. And that task group is the one that I run with my government counterpart, Julie Chua within Health and Human Services. And what we do there, the inaugural publication that we created there was the Health Industry Cybersecurity Practices or HICP. We posited five threats that everybody faces and 10 practices to mitigate them, 89 sub-practices to get into the specifics. And then we stratified that by, if you’re a small, medium, or large. So we wrote essentially a guide based on the size of your organization.
And then just last year, January 5th, there is a new law that was put into effect. This is something that I worked on with CHIME back in 2017, 2018, that instructs OCR, if organizations have adopted what’s called recognized cybersecurity practices, instructs OCR to offer relief in the case of a breach. And so, we helped set the stage for that and 405d is specifically called out in that law as a recognized cybersecurity practice. So it’s pretty awesome to see the genesis of all of this from the beginning to where we are now. On my journey, I’ve testified to Congress; I’ve been invited there to serve as an expert witness. I’ve testified at a couple of other forums as well and it’s just been awesome.
Anthony: You mentioned relief, specifically what gets you relief if you have a breach?
Erik: If you have adopted recognized cybersecurity practices. And so the definition of a recognized cybersecurity practice is NIST publications, like the NIST cybersecurity framework and things along those lines, which is great, and/or anything promulgated under the 405d program. So HICP is a recognized cybersecurity practice. And then there’s another category that has yet to be defined. OCR has not put out their RFI in their notice for proposed rulemaking on this new law. But there will be more specificity that comes once they do that.
Anthony: All right, very good. So as you’re talking about this stuff, I’m thinking that there’s two types of security executives out there in healthcare. There’s the type that just want to know what’s going on and there’s the type that wants to get involved. For the type who just wants to know, where should they go?
Erik: We just launched a new website within the 405d program. It’s 405d.hhs.gov. So go there, we’ve got tons of information. HICP was the inaugural publication, but we’ve created all kinds of different supplemental materials as well. So as an example, we built a threat-to-practice matrix that helps organizations tease these things out. So say you’re worried about ransomware, which is one of the five threats. We’ve identified the exact practices that will directly impact and help mitigate that ransomware threat. We also identified indirect practices that will help do that. So there’s 89 things – I know that’s a lot to look at – just pick ransomware, for example, go right to it and check yourself and see how you’re doing against those items. So that’s one website. And if you want to join the 405d program, there’s actually an application process on that page.
The other page that I would suggest is, two more, is the healthsectorcouncil.org. So that’s the cyber working group level. So all those 15 task groups and everything that I talked about, that gets you into that space and you can see who the executive council is, the seven sub-sectors, the task groups, what we’re working on, the publications that have been produced there. There’s things like the HIC-SCRiM which is a supply chain risk management guide. There’s workforce development. There’s information sharing. There’s all kinds of good stuff up there too.
And then the last place I would suggest people go – especially if you’re looking for free resources, free services frankly, that you can use that are supported by taxpayer funding – is to CISA’s website, the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security. They have a whole series of services. So they will do phishing tests for you. They will do external vulnerability scanning. They will do penetration testing. They will do tabletop exercises and there’s a number of other ones as well. And that’s a fantastic resource for anybody to use, and CISA does prioritize those in critical infrastructure when it comes down to, if there’s too much demand for those services.
Anthony: That’s good information for those who just want to know. What about those who want to do? Those who want to participate in some of this stuff, what would you say to them?
Erik: I’d say join the Health Sector Coordinating Council. If you’re a practitioner in healthcare, meaning that you’re running provider, plan, pharma, medical supplies, health information, IT is also a part of those sub-sectors, labs, critical access hospitals, nursing homes – anybody who’s in the continuum of care can join. If you are an association that directly supports those folks, you can join. Because we like to think of the Cyber Working Group as the association of associations. So we have a lot of the big name associations that are in there, the AHA, the AMA, HIMSS, CHIME, these are the premier, dominant groups. And this is where we come together to talk through and work through the challenges.
We do allow some vendors in. We have a cap on how much we do that. We know that vendors have obviously, supported our industry and many other critical infrastructure industries and when vendors are there to give back and not business develop, it’s fine, but we absolutely have a zero-tolerance policy on them trying to sell. But they’re not voting members, they are advisors when they come in. So if you go to that website I mentioned, there’s I think an email address that you can email to suggest if you’d like to join it.
The other thing you could do, if you’re specifically interested in the 405d program, you go to that 405d website and we’ve got a form there where you can submit an application to join that group as well. If you join 405d, you join the Cyber Working Group. It happens by default. 405d is also a big group and we have over 100 or so members, about almost a third of the Cyber Working Group is in the 405d group.
Anthony: Okay, very good. So we talked about for folks who want to get involved, you mentioned, and we laughed, that this can be like a second job. What would you say to those who want to get involved but may not have a supportive CEO like you did? What if they are concerned it will be too much work?
Erik: I can say the level of participation is yours to define. I mean, you can join this group and serve as just an advocate for the stuff that comes out. You can be a voice amplifier, if you want; just part of a community listening in and it’s no different than participating in any other trade association to be frank. The amount of time that would be required is not much. The level of involvement, recognition and all that, of course, corresponds to the time and effort that you put into it. So there’s that. If you just want to dip your toes in and see how it comes together, you could do that.
There’s those other types of roles that we have and it also depends on the task group that you join because the dynamics of those task groups will be different by the leader of that task group. There’s always a lead over it. But sometimes it’s as simple as if you just want to provide feedback and response to some content that has been developed by the task group, you’re just a vehicle to run some ideas by, that’s a possible suggestion.
You can be somebody who just wants to contribute to a small section of a document and just give some content on something that you care really passionately about – one particular focus and you want to drive some content in there, you can do that.
And then now you’re getting into authorship areas. The part where the work gets really heavy is when you start leading these efforts; when you start becoming like a primary author of these documents. And then, as you go into the chain of leadership, you start getting involved in the executive council, chairmanship, etc. I meet with the federal government and folks three times a week, every week. There’s a lot of time there that is given but it all goes back to where you make some fantastic connections, your organization reaps those benefits. I mean, it absolutely does. There is a name recognition that comes along with this. Where if your organization is behind it – and Intermountain is 100 percent behind it, which I love – you can help further the brand of your organization by showing that you’re giving back and caring about something that actually helps people’s lives. So it’s just good work. It’s good soul-giving work.
Anthony: So contributing is good. What would you say to CISOs who are reluctant to speak publicly about best practices because they are afraid of revealing a vulnerability or becoming a target?
Erik: This is a delicate balance and one that you’ve got to be careful about, of course. I mean, everything you just said there about not divulging the inside inner secrets of your organization is absolutely correct, and I never do that. If press asked me, “At Intermountain, what is your problem in this space?” I will say, “Sorry, I’m not going to talk to you about that.” And it’s happened. But what you can do is again, if you’re connected into a large community, you’re in these groups and you hear the themes of what is happening in our industry across the spectrum, we can talk about the themes of challenges. I mean, that is not stuff that is of any surprise. I mean, it’s already out there. There’s already press around it. But you can be a thought leader in how you can actually try to solve those issues, how you can give people guidance around tackling some challenges. And when you talk to the press, I keep it high level and I talk about this as themes. I always put my hat on as chairman of the Cyber Working Group when we start getting into what are the challenges in the space or that space or what have you.
The private forums, I mean, things like H-ISAC, the Health-ISAC is a place where not only is it a vetted private community, where you can talk about the very specific things that are going on, but it’s also protected under law. So when we had the Cybersecurity Act of 2015, the same thing that instantiated 405d, there’s a protection mechanism that allows us to share very secret, very specific cybersecurity issues with the federal government and within ISAC and so forth, that protects it. So if you’re talking about a compromise that you’ve had on your network and you need to reach out to somebody, “Hey, have you seen these IOCs and these tactics and these things?” There’s a forum where all of that is happening and it’s very valuable.
The adversaries have a lot of resources. They only have to figure out one way into an organization and we’ve got a million ways that we’re trying to keep our eyes on. So we’re always on our heels, in the sense of, what’s the next attack pathway. And if an organization tries to tackle that by themselves, they’re going to be challenged at doing that. But when you share it as a community, you have a lot better chance of staying ahead and responding to these attacks when they come in, and getting to it quickly.
Anthony: Would you be surprised if there were CISOs out there who didn’t stay on top of this type of threat intelligence?
Erik: There’s not a lot that surprises me (laughing). I will say, if you want an effective program, you have to be on top of this. You have to be thinking. And there’s again, there’s all kinds of ways that this stuff, this information comes out. So joining the ISACs, joining Health-ISAC, it does come with a membership cost but they graduate that membership fee based on the size of your organization. So what Intermountain pays isn’t the same as a small medical group.
The other thing is, again, our federal government critical infrastructure. There’s a lot of work where there’s different types of flashes that come out. So the FBI, DHS within HHS, there’s a group called HC3, which is kind of like another watch group for threats. They produce intelligence and flashes. Keep your eyes out for those. If HHS or the FBI rings the bell and says, “Hey, we’ve got a huge problem on our hands,” pay attention. I mean, that’s, Log4j, that happened last Christmas. We saw the early phases of that thing and I was making calls within 24 hours of seeing how bad this thing was. Calling my federal partners, calling some of the trade associations and saying, “Guys, this one’s like WannaCry. This one’s bad.” And very quickly, there were alerts and things like that that were going out and the industry responded, and it responded fast.
Anthony: Anything more you want to say about the HSCC? I know you feel that’s perhaps not as well-known as it should be.
Erik: Yeah. I mean, look it up. The Health Sector Coordinating Council, that’s where the critical infrastructure comes together with government. It’s not really well-known, but it’s getting there. We’re getting our name out. Frankly, if you implement the practices of some of these things that we produce out of that working group, you get relief under enforcement. There is a financial impetus for you to care about what’s going on from these groups.
Anthony: All right, Erik, great stuff. I think this is going to be valuable and again, we’ll get this out there, open some eyes and maybe there’ll be some inquiries about participation. So very good to talk to you and hope to speak to you again soon.
Erik: Thanks, Anthony.