The key to cyber success is having team security on team patient safety, not the other way around, according to Martin Fisher, CISO at Northside Hospital in Georgia. Recently, Martin spoke with Anthony Guerra, Editor-in-Chief of healthsystemCIO.com, about the biggest challenges his team faces, his approach as an ‘outcomes-driven CISO,’ and the best way to say ‘no.’
Guerra: Hi Martin, thanks for joining me.
Fisher: Glad to be here today.
Guerra: Very good. Please tell me a little bit about your organization and your role.
Fisher: Northside Hospital, we’re in Atlanta. We’re a 5-hospital system. We have about 300 outpatient departments, about 200 practices that roll up. Probably the thing we’re best known for locally is about 35,000 babies are born in our women’s center here in Atlanta every year. Women’s services is a really big service line, then oncology, cardiology.
I’ve been here about 8 years, building a security program from scratch over that time. Fantastic place to be.
Guerra: Very good. I always like to find out how CISOs wound up where they are. So let’s talk a little bit about your career journey. I saw that you came into healthcare in 2010 from Delta Airlines. That’s an interesting switch. Can you take me through your career?
Fisher: I ended up in security actually by accident. Prior to being in security, I worked a lot in release engineering. I was managing and owning the software source code repository at the airline when my boss got moved over to be the CISO at the airline and he needed someone to come in and help build the security operations side.
He asked me to come over, and Barry is fantastic and is one of the best bosses I’ve ever had, I’m like, “Absolutely, I’m going to jump at the opportunity to learn a new thing.” Got into security there and it was sort of like a duck takes to water. I really enjoyed it.
Like a lot of things, your time at a company ends, so I moved over into healthcare. A lot of people think commercial aviation and healthcare, they’re so radically different. They’re actually not and here’s why. Pilots and physicians are very similar personality types. Pilots, when they’re flying that aircraft, they have a couple hundred people on a stainless steel tube, miles above the earth and they’re responsible for the lives of everyone on that plane. Physicians, especially some of the surgery specialties, they have that person’s life, even the primary care docs, the health and welfare of that patient is in their hands.
Nurses and flight attendants also have very similar personalities to each other. Everyone thinks normally the flight attendant is there to make sure that you have your Diet Coke and your peanuts, your blanket or whatever. Yeah, but the real reason they’re there is if things go sideways, their job is to get you off the aircraft in less than 90 seconds. Nurses are not there to plump your pillow and make your bed. They’re there if you code.
I think, for me, I’d like to think I was pretty successful with the airline, understanding the pilot and the flight attendant mindset, it did not take long for me just to pivot it 30 degrees to realize that they’re very similar, and that’s also how you approach security in healthcare – I think the reason I was successful with the airline was I made sure that the pilots and the flight attendants understood I was on their side. They did not need to be on team security side. Team security needed to be on team flight operations.
My doctors, my nurses, my everybody, they don’t need to be on team security’s side. Team security needs to be on patient safety, patient care’s side and, as long as you’re aligned that way, the amount of friction the security program generates just drops. That’s where you get the opportunity to have those really great conversations with your primary stakeholders on, “We’re all aligned, can you help me do this security thing we need because patient safety, because patient care.”
Guerra: Aviation and healthcare are both highly regulated industries, as opposed to something like retail. That makes for a unique security environment also, I would imagine.
Fisher: I think the regulations at the time I was in the airline industry, I was doing security before, during, after 9/11. That was really an inflection point across everything. The way I think about regulation is I have to follow it, but I am more of an outcomes-driven CISO – I ask myself, what is the regulation trying to get me to accomplish versus the prescriptive. It’s one of the reasons I’m not a huge fan of PCI. Don’t tell me what to do, tell me what it is you’re trying to accomplish. That’s why I think HIPAA is actually a pretty good regulatory framework. The security rule and the privacy rule describe the outcomes you have to achieve. To achieve those outcomes, HHS doesn’t care how, just get them done.
For me, it gives me the flexibility as a technology and a security leader to see what I’ve got in my toolbox, to see what works inside my environment, apply it, achieve the outcomes, and we’re all good to go.
Guerra: As you said, in both aviation and healthcare, there is a lot on the line. It’s a high-pressure environment for security professionals.
Fisher: It’s interesting. When we are interviewing people for security positions who are not from healthcare, I’ll generally ask the question at some point – what do you think is the most important thing? What do you think keeps this CISO up at night? What’s my biggest concern?
Generally speaking, those folks pause for a moment and they think about it and they’re like ‘Well, if there’s a huge breach of medical records…’ Their answer is not wrong, right? They just don’t understand the context, but what I’ll try to do in that moment is say, ‘Look, I’ve got tens of thousands of devices on my network – the majority are connected to a person. It can be an infusion pump. It could be a radiology device. It could be something in rad-onc where we’re delivering radiation treatment. If that device gets popped, it’s connected to a person, we could hurt or kill a person. That’s what I worry about.’
Now, the evaluation part for me is trying to discern if they got the point, if they have an aha moment. But there are some people who just think, ‘no, no, no, no, it’s the data, it’s the data.’ They think: confidentiality, integrity, availability, and they look at it in that order. Whereas for us, it’s availability, integrity, confidentiality. That inversion of the triad, the normal prioritization of the triad – some people, when you explain to them why it has to be that way, they get it and those are the people that we keep talking to. Some people, they can’t get their brain around it. We wish them well and there are going to be other industries they can work in. Healthcare is probably not going to be one of them.
When you come to the hospital, you’re here because you’re sick or you need care, and the worst thing I can do is hurt you or hurt your loved one who is here. Nothing else really matters if you can’t accomplish that. Everything we talk about here is patient safety. If you look at the mission statement in my group – number 1, we ensure patient safety. We ensure quality of care, then we protect data – in that order is how we do it.
As a healthcare CISO, I found that just living that, breathing that, again, reduces the friction because I’m showing them that team security is on team patient care’s side.
Guerra: When you have such a clear goal, a lot of other things fall into place, correct?
Fisher: You also have to walk the talk, right? We’ve made decisions here that accept other risk because the alternative was a patient safety risk. Because I interact with directors and VPs across the organization and with some of our senior clinical leaders, they see us walk the talk.
Now, what that doesn’t do is make them think, ‘Hey, the security team rolls over.’ There have been some really, not difficult, but intense conversations with some of our key clinical leaders where I totally understand the patient safety stuff but we really need to take security measures – like with Log4j, we took some outage to remediate that because of, ‘Oh my gosh, this could burn the world down.’ Because they know that I’m on team patient safety and they know that I’m on team patient care, they’re going to pause and listen and we can have a conversation: and I have the credibility with the org to say, ‘We need to do this, we really need to do this,’ and that I’m given the space to make it happen because they know I would not bring it up if it truly wasn’t the kind of issue that needed to be resolved.
Guerra: Many CISOs talk about taking on risk to deal with Covid, in terms of implementing solutions to deal with the pandemic that they didn’t have the usual amount of time to vet, and then going back to remediate after. Did you experience that?
Fisher: Absolutely. Being a healthcare CISO during a pandemic has been one of the most interesting experiences in my life. Because we took everything we had done to date, every single plan we had about how we on-board new technology and how we assess risk, all of those plans evaporated because of the reality of what was happening in our ICUs, in our EDs, and us putting medical triage tents up in our parking decks, right.
We’ve not seen that. For us, it was – one, being invited into the conversation with clinical leadership. They would say, ‘We need to go tele-health, fast.’ We were brought in to help guide that conversation. They said, ‘Here are the three people that we’re looking at,’ and security was asked, ‘Who’s the least bad, in terms of risk?’
We would do a very fast assessment and say, ‘Based on what we know, this is how I would rank/rate them.’ They might say, ‘We want number 3.’ Now, again, to your point, I may have to circle back and fix this. I then had to figure out what can I do right now to help mitigate that risk which could involve us talking with our counterparts on the privacy side, talking with our counterparts on the compliance side, talking to outside counsel who could really understand what OCR was saying and where OCR was drawing the lines.
All of it fit into that conversation, and then collectively, security made a recommendation to leadership. We were part of that decision-making process. That’s all I can really ask for.
Guerra: Can you give me some more insight into how new product risk is discussed between operational leaders and security?
Fisher: Again, this is a very specific Northside leadership culture thing. It may be similar elsewhere. It may be very different elsewhere. Using tele-health, right, here are our three options, actually there were more options. There were a couple that we said, ‘Please don’t do this. Just please don’t do that one.’
We would work with our friends over on the IT application side, there’s clinical folks. Essentially, it’s a team of people who quickly research the options and those options bubble up and we help rank/rate. But at the end of the day, it boiled down to, ‘Here are the three that we feel that we can adequately handle.’
There were a couple more we looked at and, just from my perspective, there were a lot of things wrong with both of them, not just from a security perspective but we didn’t believe they could handle the capacity, so on and so forth. They just fell off for technical and practical reasons as well. But out of the three, my response was, ‘Here are the three in ranked, rated order, I can secure any of them,’ and a choice was made.
After that, I don’t go into more detail unless I’m asked a question. There are certain leaders here who are very detail oriented. They will go down the rabbit hole and follow it down to the molten core of the earth, and I need to be prepared for that, right?
I’ll show our assessment. There are some who are like, ‘Is it red, yellow, green? Or do you, Martin – understanding that you’re on team patient safety – do you feel we can appropriately secure this?’ We have that conversation. And my job is to sit back and let the business decide, of those three, which is going to be the best quality of care, which can the physicians use most easily? Which one integrates with our EMR and with our rev cycle? And all those other things that, from a security perspective, as a healthcare technologist, I’m interested in, but they’re outside my lane. ‘Here are your choices, pick one, I’ll secure whichever you choose.’ That’s how the conversation works.
Guerra: Have you had people continue to push for a product you said wasn’t supportable on the security side? How do you handle that?
Fisher: It really depends. Here at Northside, I’m very fortunate that I can have candid conversations about why, right. Again, because we’re all on team patient safety, we’re all on team quality of care, I can explain why this isn’t endangering safety or why this is endangering quality of care. There’s a lot of trust. The conversations work out.
Now, sometimes people do get emotionally attached to Product X, sometimes it will be some new physician leader has come into the organization.
‘I’ve always used Product Z.’
‘Fantastic, doctor, we don’t use that.’
‘But I want to use that.’
‘Okay, in order to do that, I’ve got to build mitigating and compensating controls, and essentially create a little Product Z island out here. This is what it’s going to cost. If you’ll give me your cost center number, I can start building it with your budget.’
Then, the conversation morphs, right. Are there times when we deploy things I’d rather not? Sure, happens all the time. But again, my job is not to tell people no. Our job is to sometimes say, ‘Not like that.’
Guerra: Right. Or not like that unless you want to pay for it?
Fisher: Well, exactly. But even then, it’s like, ‘I just want to deploy Product Z.’ It’s going to be, ‘Well no, we’ve got to do the other things as well.’ I’m not a clinician. I don’t run rev cycle. My job is I stay in my lane. And because I stay in my lane and I respect other people’s lanes, they end up respecting mine.
Again, I think it’s part of a healthy culture to where there can be constructive tension. There’s always tensions in an organization to where my director for emergency services is laser focused on when an ambulance shows up with a trauma patient, how fast can we do things. I’m totally on board with what Chris wants to do. Then what I’ve got to do is wrap security around it fairly effectively and get in his way as little as possible.
Now, my emergency services director respects my lane as well, right. He realizes that I’m here to help him, and I’m here to help him help our patients. It’s this great tension where we can – this is probably one of the very first things I did was we walked through one of our emergency departments together and we were able to, in about 10 minutes, resolve three problems to where he was happy, I was happy, and all the tension left the room. That’s winning.
Guerra: Is it easier to get buy-in on security than it was 10 years ago because of some of the recent high-profile breaches?
Fisher: Absolutely. It was totally different. We were seen as an impediment. I always try to look for the positive in anything. I think with this era of ransomware, some media outlets better than others have done a good job of explaining the impact of ransomware. When you get to see what happens with large breaches, team patient safety, team patient care starts paying attention. Nothing helps a CISO more than having an outside third party validate what you’ve been saying for a long, long time.
Sometimes we use a big four consulting firm to do it, but if it’s CNN or the Wall Street Journal going, ‘Hey, this is a real thing, watch what happened at this hospital system or that clinic or whatever it is… stuff got real.’ The hypotheticals that as a CISO we have been talking about for a long time where it could happen is now happening. Our clinicians have colleagues who are being impacted by it.
It’s become very real. There’s a phrase in security, you never let an incident go unused. Some people are using it to sow further fear, uncertainty and doubt, right, and talk about the ransomware boogeyman. That’s probably effective over the short term. I think long term if you’ve been engaging your clinical leaders, and you simply say, ‘Look, this is happening like I said two years ago, can we do these things?’ There’s going to be a lot less resistance from the clinical side – actually, for me, there’s been almost no resistance from the clinical side.
Budgets are opening up, right. Not necessarily because CFOs want to – it’s not about lawsuit avoidance. Again, a good CFO is on team patient safety and they’re on team quality of care. They’re realizing, ‘Hey this investment we need to make in security will help. And since no one is getting cyber insurance anymore, we just freed up $100 million to do more direct mitigation.’ I think nothing brings a team together like a real adversary.
Guerra: That’s a very good point.
Fisher: Right now in hospital land, we have a real adversary. We have a chance now to look at each other either across the table or over Zoom and look at each other and go, ‘How are we going to fix this, how are we going to fight this, how are we going to protect our patients?’ In a kind of almost morbid way, it has made us a stronger team. Again, I’m trying to find any good I can in the era of ransomware.
Guerra: From a big picture point of view, what are either the top one or two things you’re working on or, if you don’t want to talk specifics about that, what are some of the most important trends you’re looking at?
Fisher: For me, I think a basic truth that some people are missing is for a long time we’ve counted on inspecting the traffic on our network because that is the surest telltale sign of where badness is going to be. TLS 1.3 is going to take that away from us. It’s going to be very difficult for us to inspect east-west traffic because everything is being encrypted as it should be. So we are losing this ability on the network. So that needs to move to the endpoint. That’s harder. It’s easier to aggregate things on the network and inspect it versus having to collect from tens of thousands of endpoints.
I think us trying to stay ahead of some of these older technologies that are deprecated to maintain the visibility we need across our environments is going to be key because the amount of reaction time we get to badness is shrinking. When the attacker gains persistence and they decide to pull the trigger on badness, it used to be you had tens of minutes, an hour or two to realize what was going on and do something about it and still be pretty effective in your IR. Now you’ve got minutes, maybe seconds before real badness starts. The only way you can do that is with visibility, understanding what’s happening on your network and it’s really, it’s IT 101. It’s asset governance. It’s data governance. It’s basic blocking and tackling, but at scale and with a quality level that is hard. To me, it’s reengineering and going back to basics is where I think, for a lot of us, the next 5 years – that’s what we’re doing.
Guerra: Does that require AI and ML in order to respond in seconds to breaches? Or is that something different?
Fisher: AI, ML is great marketing speak, but I think of automation. There’s the ability to stop doing security silos to where my NDR product does a great job here and my EDR product does a great job there, and by the way, my web proxy does a great job here. That’s great. But you’re watching the world through three different straws. You have to be able to see holistically across it. That’s why I think the challenges are going to be – that was always the promise of SIM, right? Holistic knowledge across your entire environment but, wow, that’s expensive.
Anton Chuvakin was talking about it the other day, that’s an 8-digit bill, if you want to throw that level of visibility into the cloud. He’s probably right. But that’s where we need to be. We need to be able to look holistically at our environment, figure out what normal is and then focus on the not normal.
That’s hard. I think some people are better positioned to do it than others. I think it’s going to be a challenge. That’s why I think over the next 5 years, if you look at where the track was in financial services, look at how the financial services ISAC has led. That’s kind of what I think healthcare does, just like any other critical infrastructure.
Guerra: Any final thought or piece of advice?
Fisher: Let’s talk about CISO burnout. It is really easy for us to try to take on the world. As CISOs, generally, we are the security SME. We are the face of security in our environments and a lot of us are very driven, and especially as healthcare CISOs during a pandemic, we’re burned out.
I think my only nugget is take care of yourself and take care of your people because if you flame out, if you – we’ve had peers who had to go to inpatient behavioral health because they just collapsed. If that happens, you’re not doing yourself or your organization any favors. Take care of yourself, take care of your people because it’s not a sprint, it’s a marathon.
Right now, it’s not even a marathon, it is an eternal journey, so pace yourself. Take care of you, take care of your family, let your folks take care of themselves, let them take care of their families.
Guerra: If I can use an airline analogy from your previous life, put your mask on before you put your neighbor’s on, right?
Fisher: Very much so.
Guerra: Martin, thanks so much for joining me today, tremendous interview. I really appreciate it.
Fisher: Glad to be here.