Steve Crocker, CISO at Methodist Le Bonheur Healthcare, says after receiving a full briefing from IT security, business leaders should make the final decision on how much risk they want to accept.
Anthony: Welcome to healthsystemCIO’s interview with Steve Crocker, Chief Information Security Officer with Methodist Le Bonheur Healthcare. I’m Anthony Guerra, Founder and Editor-in-Chief. Steve, thanks for joining me.
Steve: Thank you for having me.
Anthony: Looking forward to having a chat today. Can you tell me a little bit about your organization and your role?
Steve: Sure. As you said, I’ve been the CISO at Methodist Le Bonheur Healthcare for a little over 6 years. I was initially brought in to build the organization’s very first security program which included developing a strategy, setting up the governance and policies, risk management, certainly putting in the security and technology and processes and really building the team. There was no security team there prior to me joining. We have made a lot of progress, and there is a lot more in front of us.
Prior to that, I was the CIO and Information Security Officer for 14 years at a Memphis-based bank. I’ve worked in a lot of different industries but this is my first stint in healthcare. Methodist itself is a relatively large healthcare delivery system based out of Memphis. They have six hospitals, including a world-renowned children’s hospital. We have about 100 physician clinics that we own, about 14,000 employees and we’re the second largest private employer in the city of Memphis. In addition to that, we’re an academic teaching and research hospital. We have a close partnership with the University of Tennessee Health Sciences Medical School.
Anthony: Very good. You went from working at the bank for 14 years to – that’s an interesting switch, to not only starting in healthcare but starting at an organization that did not have a lot of structure in place, that’s why you were brought in. That’s a big switch. What made that an attractive move for you?
Steve: Well, my early career was spent in the technical area and then I eventually got into management, kind of drifted over into security, a lot when I was in banking because it’s a big priority in banking. The bank I was at eventually was acquired by a larger bank. That bank offered me a different role within their organization. It’s a great bank and I certainly considered that, but this opportunity at Methodist came along and it intrigued me for two reasons. It was an opportunity to go in and build another security program from the ground up, something I had done before, but it was in a different industry sector; it was healthcare. That was intriguing. I enjoyed that challenge of going into new areas that I did not have experience in before. It’s been fun. I enjoy healthcare, so definitely a different culture than financial services.
The advantage is that a lot of the things we are doing in healthcare right now are a little bit of déjà vu with some of the things we may have done early on in banking. Banking has been doing cybersecurity a little bit longer than healthcare.
Steve: I do. I think certainly, at least, 7 to 10 years. But I do think that gap is closing. I’m seeing – across the board, I think this sector is behind but I’m seeing more and more – especially the larger organizations – really moving towards a better control infrastructure and making security a business issue and setting up good programs. I’m seeing a lot of innovation in security in a lot of organizations. Across the board though, yeah, healthcare is still a little behind.
Anthony: Coming from an industry that was, let’s say, 7 to 10 years ahead of where healthcare was would have its advantages and its challenges. Because the advantage is you certainly were in an industry that was further along, the disadvantage is learning the nuances, the subtleties, the power dynamics, of healthcare. Can you tell me a little bit about that process – were there moments where you said, ‘Wow, I can’t believe things work like this around here; it would never happen like this in banking.’
Steve: Yeah, there were. I spent the first 12 months just kind of learning who the key players were and learning the politics and the workflows and everything that goes along with healthcare and our organization, getting to know board members, getting to know executives and other stakeholders throughout the organization.
At the end of the day, protecting data and protecting the systems is very similar whether you’re in healthcare, banking, retail. There’s a lot of similarities but it is learning those workflows, and yet there were times that I said, ‘I can’t believe we’re doing it this way.’ But we talk about how much more advanced banking is. There were similar things in banking, sometimes in banking we would say the same thing – ‘I can’t believe we’re doing things this way.’
I think some of the additional challenges in healthcare are the added impact of patient safety. We didn’t have that in financial services. Certainly, the financial side of things and people’s livelihoods, but in this case, you’ve really got those human lives that are sometimes hanging in the balance, and that adds a lot of additional context to the security discussion for sure.
Anthony: Right, right. Healthcare has its powerful users or internal customers, it could be surgeons that bring a lot of revenue to the organization. Financial services has it too – traders, different individuals that can be extremely powerful, that are your customers, and may not always – CISOs often can be on the wrong end of the ire of those kinds of folks. Is it comparable to banking where you have super users that you have to deal with delicately?
Steve: Yes, certainly. In healthcare, it’s the physicians. In banking, it may be loan officers who are the revenue generators. I’ve always found that in discussions with those people, it helps to explain why we’re doing this, not just that we can’t do this. It’s why we can’t do it and let’s discuss a different way of doing it. We’re not saying no; we’re just saying, ‘Hey, let’s find a better way to do this to protect the organization and protect you and protect your data, protect your customers or your patients.’ That’s always a better discussion than just no. It’s a very similar dynamic, just different players.
Anthony: Have you found that with the high profile breaches that we’ve seen in healthcare and other industries, has it made your job easier in that respect over the last 5, 10 years – that people ‘get it’ more than they used to?
Steve: Yeah, interesting you say that. When I first got into healthcare around 2015, it was really more privacy- and compliance-driven when it came to security. It was looking at HIPAA and things like that. I think it was around 2016-2017 when ransomware started really taking hold in healthcare and it really started having that patient safety impact, that impact on the business and operations and shutting down hospitals, having them go on diversion. And that really started resonating, not only with the board but with the physicians; they started seeing that a cybersecurity incident can have a real impact on our ability to care for patients. So it made those discussions a little bit easier. I wouldn’t say it’s easy, but it certainly opened up some opportunities to have some collaborative discussions with those key players.
Anthony: You talk about patient safety, impact on patient safety, security lapses kind of a huge impact. I spoke to a CISO the other day who spoke about the importance of having her security team connected to the mission. It was around a discussion about remote work and she needed folks to come back in, at least at some degree of frequency to be around patients, to be around the mission. She felt that was super important. What do you think about that?
Steve: I think it’s important for them to be tied into the mission. No doubt about that. We have to understand why the healthcare system is here and that’s to care for patients and their families. It’s not to do security. I don’t think it’s necessary for those people to be on site to do that. We’re more of a remote workforce now since COVID and I think we’ll continue to be that. I think we’re just as effective, if not more effective remotely.
There are instances where people need to come into the office. If we had a big cybersecurity incident, I’d want my team on site just to avoid any complications that may come with the use of technology. Now, that’s for my staff. For me, yup, absolutely, I want to get in and do some rounding and talk to people and get to know people and make my presence known throughout the organization. Same with some of my leaders that fall under me. But in general, I think they’re fine remote.
Anthony: Yeah. We worry about that two-tier kind of system, right. I mean if you’re coming in and you get your leaders coming in and there are certain individuals who are not coming in, do you worry that those folks just may not move up into that sort of upper rank of management and leadership?
Steve: Well, no. When I say they’re not coming in, they are coming in on a periodic basis for different meetings and different things like that, and any time there’s opportunities we may have them round with us.
We also make really good use of our technology. We use things like Microsoft Teams to be really collaborative, even though we’re not in the same room. We use the video and there’s a lot of collaboration opportunities that you can use the technology for.
Anthony: One of the things I’ve heard mentioned a few times is that CIOs and CISOs are really striving to figure out how to create a virtual conference room type experience that’s comparable to what you get if you were all in the same room. I think there’s investments that need to be made. I don’t know if the technologies are all up to par. But that is something people are working on and struggling with. Do you have any thoughts around that?
Steve: Probably. I think that – it’s difficult to have that same exact experience as when you’re on site no matter the technology. If we were doing something that was highly collaborative – if we were, say, deploying a new EMR or something, that’s going to require people to come into the office, be in front of each other and really be able to collaborate a little bit more. But just your day-to-day work, especially in the security area, frankly we have not seen an issue with the remote work. We’ve actually found our people to be more productive because they have fewer interruptions, kind of that water cooler talk. And in fact, it’s helped us with recruiting because finding people is very difficult nowadays. And I think if you’re not offering remote work, you’re going to struggle to find people or even keep people, because just about every position now, even the CISO roles, they’re being offered remote nowadays. That’s just the new world we live in.
Anthony: You’re okay with the remote stuff, but if and when you feel the team needs to come together physically, you expect cooperation and understanding, is that right?
Steve: Absolutely. That’s always an understanding. In fact, we have – a lot of our team is located throughout the United States and we will periodically bring them in for meetings and just some in person – bring them in for a week, go to lunch, just some in-person interaction. I think that’s very helpful just to kind of build that camaraderie between the team.
Anthony: Let’s talk a little bit about business continuity. You know as I think more and more about your role, that’s really what it’s all about, right? You’re there, we’ve heard the term Chief Risk Officer which probably is a different individual, but you are the head of risk as far as the IT systems go. Your job is essentially to manage risks, to communicate risks and then find out what appetite people have for the level of risk you’re saying exists, suggestions for mitigating that risk and describing the costs – ‘So if you want less risks, here’s what we can do, here’s what it will cost,’ and the business folks make those kinds of decisions. But ultimately, it’s about business continuity, right? It’s about we need to keep these systems running and whatever you need to do related to a cybersecurity incident, you have to make sure if we’re down, it’s for a very short period of time. You take me through it.
Steve: Starting with risk management, that’s an area I’m very passionate about. I think that’s the core of what the information security team does. I think it’s important to have some independence and separation there as well. And what that means is that security should not own most risks. Even cyber risks should almost always be owned by the business units that rely on that technology. In that way, it gives them the opportunity to make business decisions. Because sometimes the business may decide to accept a risk, even a high risk. If that potential benefit outweighs the risk, that may be the best business decision and then we have to learn to operate within that.
Now there’s some risks that get owned by IT and even information security but in general, as much as we can, we really want to push that over into the business area. At the end of the day, we should be an advisor and consultant to assist owners on how they can manage the risks on the assets they own, not as gatekeeper to say yes or no.
You touched on continuity, business continuity and disaster recovery. When you look at the cybersecurity framework, you’ve got the five functional areas and one of them is recover. That recover area is probably, in my experience, the one that’s the most important to your board of directors. They want to make sure you have the right protective controls in place. They want to make sure that you’re able to detect cybersecurity incidents and you’re able to respond to them. But at the end of the day, it’s about how quickly you can get the business back up and operational and that’s what they’re really going to be focused on. Having good plans in place, documented plans that are regularly reviewed and regularly updated, and going through tabletop tests so that you’re as prepared as you can be in the event that an incident happens; I think that’s very, very critical. Like I said, in my experience, the board really zeroes in on that business continuity.
Anthony: Let’s talk a little bit more on the concept of having the business owners and the departments assume responsibility for the risk they want to accept. What do you see as the IT security department’s role in that? Are you there to make sure they understand the risks they’re taking on and they know about it, they may not realize there are certain risks there when it comes to security – you say, ‘Hey, here’s what’s going on, here’s the best way I can describe the level of risk you have right now, are you okay with it?’ Tell me how that works out.
Steve: Yeah, and it’s important to have good process and good workflow to go along with that. But yeah, for us – first, our job is to identify the risk. So do assessments and look and find where those risk areas are, quantify that risk as much as we can, and then communicate that to those business areas and those risk owners. Now, you can’t go and talk technical jargon with them obviously. You have to put that into a business context and why that matters to them and explain what the risk is, why it’s important, what the potential impact is on the organization and their area of the business, and then some potential ways you can treat that risk. And you can certainly accept it. You may want to avoid the risk or you may want to mitigate it, and here are some options in how we can mitigate it. You want to go through that process with them so that they can make an informed business decision. It’s up to them to make the decision, it’s up to you to give them the information they need to make that decision.
Anthony: If there are dollars associated with the risk reduction scenarios you give them, do those come out of their budget or your budget or it depends?
Steve: It sometimes depends. You usually want to try to have it come out of their budget. It just doesn’t always work out that way. Sometimes it’s out of the IT budget because at the end of the day, a lot of these are technology risks. So they may own the systems and they may own the risks, but it’s IT that will actually do the work to remediate that. So maybe it’s upgrading a system that’s end of life. Well, that’s a decision from the business unit but the IT area will do the actual leg work to get that done.
Anthony: It’s interesting to me and I’d like your thoughts or give me feedback on how risk is shared in a health system. So you have overall risk, some of which has nothing to do with IT. And then you have the CIO that’s going to own some risks related to IT, the CISO that’s going to own risks related to IT security, you’re talking about the business owners owning some risks that are related to IT security. There’s almost a shared – you probably have some of that risk on you and some on them. There’s a lot of risk in a health system. There’s a lot of people that have a little piece of it.
Steve: Yeah, in my experience, most risks in healthcare organizations have been focused on the patient side of things, for good reason, obviously. I think this is an opportunity for the healthcare sector in general. When you go back to financial services, you mention the chief risk officer. We always had a chief risk officer that took care of all of the risks throughout the entire organization, brought it all together to present it in a cohesive fashion and that included financial risk, that included IT risk, cybersecurity risk, et cetera. I think that’s an opportunity for healthcare to start looking at more chief risk officers, looking at enterprise risk, bringing all that together for a discussion with the board and the executives.
Anthony: Right. Because third party risk is interesting and a huge, huge area. Third party risk covers a lot of areas of risks. For example, there’s the risk that application isn’t going to play well in your overall stack, that may be the CIO’s risk. There’s the IT security risk, that may be your risk. There’s the risk that that vendor may go out of business in 10 minutes because they’re financially insolvent, somebody has got to take a look at that risk. I don’t know if that’s CFO or – there’s a lot of pieces to this, right?
Steve: Yes. Not only vendor risk management but really all risk management and all cybersecurity as an enterprise effort; it’s not something that your security team is going to do in a silo by themselves. Vendor risk management was one of our early wins as we built our security program here at Methodist. You’ve got vendors and service providers and they oftentimes have a lot of access to very sensitive and regulated data. Sometimes they may store that data, sometimes they may just access your network for support purposes.
One of the things that I noticed in healthcare is that we use a lot of vendors (or we give a lot of access to vendors) much more than we did in financial services and for good reason in a lot of cases. But many of those vendors are very small niche vendors that perform a very specific and limited service. So they may not have an IT team, they may not have a security team but there’s a lot of risk – potential risk – associated with those vendors. So it’s really important to do a lot of assessment work and a lot of vetting of those vendors, especially before you onboard them. That’s where we try to catch them. We have it built into our culture now where you’re bringing in a new service, a new vendor, we’re going to do a risk assessment on it.
Now we can’t possibly vet every security role they have, but just doing reasonable due diligence, looking at any audit reports they may have, reviewing policies and procedures, sending them questionnaires and just having general discussions with them. Doing that on the front end helps a lot because that’s when you have the most leverage.
Once they sign the contract, you’re going to lose that leverage and then oftentimes, we may look at their security program and say, ‘You’ve got a good program but you’ve got a few gaps here. Maybe we want you to use multi-factor authentication in this specific example to help reduce that risk.’ We have more leverage before that contract is signed and oftentimes we can get them to go along with those controls. That’s a big area for us. It’s led by the security team but it’s really a collaborative effort that involves legal, compliance, supply chain, even our IT project management office.
Anthony: We talked about questionnaires, that whole thing makes me very nervous. You’re really relying – there’s other ways, right. There’s HITRUST, there’s SOC 2 Type 2, there’s outside third party certifications that these vendors can get that give you a little more comfort. But to me, it’s always been a little concerning, the idea of putting a lot of confidence in a questionnaire filled out by an entity that needs to say the right things to get the business. You see what I’m saying?
Steve: Yeah, absolutely.
Anthony: It’s got to be beyond the questionnaire, right?
Steve: It does. It’s kind of like security in general; it’s layered control. Questionnaires serve a purpose but they shouldn’t be the end all. Ideally, those vendors would have those independent audit reports, whether that’s a SOC 2, a HITRUST, ISO, something from an independent auditor who came in and did a review of their security program and their controls. That’s usually the best thing you can get short of doing an audit yourself. But unfortunately if they didn’t have that, then it’s going to require a little bit more digging. You’re going to have to rely on some of the outside services like SecurityScorecard – I forgot the name of some of the others – but those can sometimes provide some good information. You’re going to just have discussions with them and review their policies and procedures and you have to dig a little bit deeper.
It also involves contract language. You want to contractually obligate them to maintain certain security controls and a certain level of security posture as well. When they don’t have those audit reports, it does lead to a lot more work on vetting those vendors for sure.
Anthony: Right, right. Let me ask you a little bit of an open-ended question. What’s a trend you’re seeing or something you’re looking at or working on that you may not think everybody else has at the top of their list?
Steve: That’s a good question. We all have a lot of the same challenges when I talk to my peers. In general, we’re all looking at the same thing. I think an area that probably could use more attention is insider threat. That’s an area that sometimes we’re really focused on the nation state and the cyber criminals and certainly we should be, but oftentimes it’s the insider for us that we need to be taking a look at, whether that’s mistakes from individuals or malicious activity from individuals.
We’re seeing incidents where people are paid by outside parties to provide sensitive data. We haven’t seen that here at Methodist, but I’ve seen that in the industry where employees are paid to provide data to different individuals outside of the organization. Insider threat is probably a good area to focus on for a lot of people.
Anthony: Talk about the difference – to me, I would imagine there’s a huge difference between malicious and non-malicious in terms of the way they’re detected, the way they’re remediated, the approach and your policies and programs, is that correct? In your mind, there’s a big difference?
Steve: Yes, sometimes there is. Malicious, as I mentioned, maybe somebody is accessing records they shouldn’t be accessing and pulling and sharing data they shouldn’t be sharing. It could even be hacking activity in some cases.
But then you have the other area where it’s just a general mistake, something was misconfigured, someone didn’t apply a patch when they were supposed to or didn’t apply a security control that came out in a risk assessment that said it was a requirement. You can’t be everywhere at once. It’s just you have to utilize the resources you have and the tools you have to do as much discovery and monitoring as possible. But like I said, you just can’t be everywhere at once. It’s a big challenge for all the security teams.
Anthony: There’s a difference between Nurse Sally inappropriately looked at her aunt’s test results versus someone selling patient files and data for pure profit, right?
Steve: That’s where we partner a lot with our compliance and privacy area because that’s really more on their side but they lean on us for some of the technology and monitoring capability. Again, that’s just a big partnership with compliance and privacy and legal. Outside of IT, those are the groups that I work with probably more than any other group and that’s compliance and privacy, legal and even internal audit. We have very tight partnerships.
Anthony: Right. You talked a little bit about the work you do with legal. We talked about third party risk and how important contracting is. You need a very good relationship. Obviously the CIO is involved but you have to be involved, and all of you have to be working with legal in order to make sure those contracts, those SLAs, all those things are coming out correctly and also efficiently because these things could take forever and then your business owners are saying, ‘I wanted to use this application, it’s been 8 months.’ Tell me about that dynamic.
Steve: The best approach is to get a general security agreement that’s an addendum or a rider to all of your contracts, just for some of the basic controls, and then you’re not doing any of that ad hoc work that goes along with requiring all of them to use multi-factor authentication. Just put that in the general agreement. And then if there are some specific things for that particular vendor, that’s where you would work with legal. That’s the ideal way to do it.
The other thing is that it’s not just vendors. Because we’re an academic institution, we do a lot of research and provide a lot of data to research entities, whether that’s the University of Tennessee or others, and so that requires a lot of contract language and negotiations and discussions as well that involve legal and compliance and some other teams. I think all those groups we all have hotlines for each other where we can get in touch with each other pretty quickly.
Anthony: Right, right. Listen, I like to keep these to 30 minutes and we’re about there. I just want to give you an opportunity to offer a final thought. In my mind, we all think we do something well. We all think that there’s something about the way we work or the way we approach our jobs that’s a little bit of a key to our success. Tell me what is it about what you bring to the table, your approach to the job, that you think has served you well. As a bit of advice, something for your colleagues to maybe think about.
Steve: Yeah, I think it’s just continuous learning because our field is always changing. What you were doing a year ago may be a lot different than what you’re doing now because those threats were evolving. Staying plugged into continuous learning, staying plugged into your network of peers. Most people are facing the same challenges. The more you build that network of people you can call on, the more you understand how they’ve been dealing with it; it may be different than the way you deal with it but it’s always good to hear other perspectives.
I think finally, just finding the right work-life balance. You need some type of outlet because, especially CISOs, if you don’t find some balance, you’re going to burn yourself out pretty quickly. It’s a very stressful and draining job. For me, I try to spend as much time as I can with my family. That’s kind of my happy place. I’m an outdoorsman, so I do hunting and fishing. For me, sitting on a quiet lake fishing or sitting in a deer stand, that can be very therapeutic sometimes, a nice break from the alerts and phones and emails.
And then if I need to really blow off some steam and frustration, I play in a rock band. That becomes another outlet for me. But whatever your passion is, whatever thing you like to do, just have that balance because you can really burn yourself out quickly in this industry. I’ve seen it multiple times.
Anthony: Well, you’re not the only IT executive I know who is into hunting and fishing and outdoors. There’s something about getting out there and away from the computer that probably is therapeutic.
Steve: Yeah, exactly.
Anthony: Steve, listen, I want to thank you so much for your time today. It was a wonderful interview. I really appreciate it.
Steve: Thank you, Anthony.