Myers says health systems must start protecting their organizations today against the potential cyber threats of tomorrow.
Anthony: Welcome to healthsystemCIO’s interview with Kristin Myers, executive vice president and chief information officer with Mount Sinai Health System and dean of digital and technology. I’m Anthony Guerra, founder and editor-in-chief. Kristin, thanks for joining me.
Kristin: Thanks, Anthony, for having me.
Anthony: Very good. You want to start off, tell us a little bit about your organization and your role.
Kristin: Mount Sinai Health System was created from a merger of Mount Sinai Medical Center and Continuum Health Partners in 2013. It comprises eight hospital campuses in the New York metro area and also the Icahn School of Medicine. So around $9.3 billion in revenue and we have 43,000 employees. My role is chief information officer and dean of digital and technology. I am continually looking at optimizing and modernizing and really innovating so that we can enable the health system’s mission and also increase our competitive advantage in the marketplace. I’ve got a wide scope of responsibilities that really span digital enablements, cybersecurity, enterprise data and analytics, innovation, informatics, service delivery, applications, the cloud infrastructure, and also the IT program management office. So anything technology-related falls into my purview.
Anthony: Very good. Excellent. Well, what caught my eye was a press release that went out. It had some very interesting topics in it. It has to do with a company called Sandbox AQ. It’s a collaboration you’re launching around post-quantum cryptography solutions. I was kind of blown away by that. I hadn’t seen a lot of things come out around that, that kind of topic, so I wanted to jump on the phone with you. If you want to start out by describing the issue that this is working to solve, that would be great.
Kristin: So if you think about the amount of confidential information that health systems have – such as PHI and financial information that’s protected today with traditional encryption methods – they can be broken very quickly as quantum computing develops. So really in theory, a bad actor can collect encrypted communication streams and then decrypt them when they have this technology. That would be pretty harmful for health systems around information like PHI or a social security number. So the whole idea around this post quantum cryptography is really around developing a system that’s secure against both quantum and classical computing and can interoperate with our existing protocols and networks.
Over the next year, we’re working with Sandbox to inventory and really assess all of the encryption methods that we’re using in the health system and then identify methods that would be impacted by quantum computing. And so they’ll give us some options around that to address the risks. We see this as quite a long-term partnership with them. This isn’t a problem for today but certainly is a problem that will occur in the next three to five years.
Anthony: How does something like this get initiated? Is this you initiating it saying, ‘There’s an issue here and I’m going to move forward with addressing it,’ or did it surface from somewhere else in the organization?
Kristin: It actually surfaced from somewhere else in the organization. Mount Sinai is known as extremely innovative, and when Sandbox contacted our organization, we did a review. We looked at what the marketplace was like and what problems we were trying to solve. The White House had just actually released a memo around quantum computing and readiness of federal agencies around this exact problem. We’re an academic medical center, we work very closely with the NIH, and it’s a matter of time before this type of technology needs to be adopted by AMCs. So we thought it was a great idea to at least start the process and learn with an organization like Sandbox, which is extremely innovative as well.
Anthony: So you think this is going to be, at some point within the next few years, a stakes-to-play kind of technology on the security side.
Anthony: What’s your sense of what percentage of health systems are starting down this road? Do you think you’re on the cutting edge here or do you think there’s a general movement to address this?
Kristin: No, I think we’re probably one of the early adopters around this. I think it goes back to the fact that, again, we’re an innovative organization as an AMC, but we also have a CISO from outside of the industry and he’s able to really bring best practices. He looks at technology in a very different way and he was very excited about partnering with Sandbox, as was I. He thought that long term, in terms of our cybersecurity maturity, it’s important for us to start looking at some of these novel technologies.
Anthony: You mentioned Rishi Tripathi, who started as your CISO in May 2021, so May of last year; he’s been there about a year. He comes from outside of healthcare.
Anthony: So that’s interesting, right? Were you the head person in charge of that hire?
Kristin: Yes, absolutely.
Anthony: So what were your thoughts there? And when you were making that selection process, it’s easy to play it safe, so to speak, or maybe it’s not even playing it safe these days to go from inside of healthcare, but you decided to go outside; what was your thought process? What were you looking for?
Kristin: So when I became CIO two years ago, it was clear to me we needed a more mature cybersecurity capability. I think that as we invest more as part of our overall digital transformation, you look at other industries who’ve already gone through this like retail and finance, and their investment in cybersecurity is much higher than traditionally healthcare has invested. And so, from my perspective, I wanted to make sure we had a very strong and capable CISO and that was really what I was focused on.
I looked at leaders in healthcare and leaders outside of healthcare. I wanted to make sure that whoever we brought in had tremendous cybersecurity experience, a very proactive risk management mindset, and was a business leader as well, not just a technology leader. It was important that they could speak appropriately to our business stakeholders and partners, communicate the importance of cybersecurity and make sure that cybersecurity is not seen as an impediment to the business. I think that he’s made tremendous progress in less than a year. He’s significantly matured our cybersecurity program since he’s joined and I think he’s an amazing leader and am happy that we were able to find someone of that caliber.
Anthony: Did you have a specific plan to get him familiarized with the healthcare environment? Because that would be his learning curve. He would know the cybersecurity stuff, but you’d want to familiarize him with the nuances of healthcare. I’ve heard other CISOs talk about the value of rounding in order to feel connected to the mission.
Kristin: I’m a big believer in rounding and Rishi certainly has come on site. He’s rounded in the clinical areas, as has the cyber team. And he also worked tremendously hard to create relationships – whether it was with the presidents of the hospitals, whether it was with our research community, our school of medicine. He really has made a tremendous effort to learn about the business and form those relationships and he’s done extremely well.
Anthony: Every CISO is going to have a different level of comfort and familiarity with cybersecurity. You seem to me like someone who’s got extreme confidence and knowledge in the cybersecurity area, it’s somewhere you’re very comfortable playing. But what are your thoughts on the optimal CIO-CISO relationship?
Kristin: I think the key is trust. I trust him, I think that he has the ability to proactively identify risks before they become issues. He resolves any issues that we see on a timely basis and he escalates to me when appropriate. I think that he has a great balance from the strategy perspective that he and I work on together, that he’s able to really deep dive into issues; so the ability to do that I think is extremely important. For me, I think cybersecurity is one of my number one priorities.
A few years ago, I went and did a CISO certification at Carnegie Mellon and it was a six-month course. I felt that it was important for me to understand how we would improve our security risk posture and what we needed to focus on.
So I think the CIO also needs to have some background and education in cybersecurity because it’s a really complex area. And I think making sure that the CIO is still involved, making sure that you’re assisting to drive resolution and you have to stay aware of cyber trends, and most importantly be a champion for cybersecurity to get the support and the funding and ultimately the compliance in the organization; so I’m a big champion of cybersecurity.
Anthony: Is there a dynamic sometimes where the CIO is driving for innovation and the CISO has to slow them down to ensure security? I don’t think it sounds optimal but I wonder if that happens.
Kristin: No, it’s not optimal. To me, you have to move quickly with digital, but you always have to make sure you’re secure. You can’t be putting out products to our patients that are not secure or have a risk in some way, shape or form. And so there is a balance, but as I said my aim with the cybersecurity program is to ensure we’re not an impediment to the business and speed to market in growth. So making sure that we have the appropriate procedures we can escalate, we can prioritize and make sure that we are really focused on what is going to reduce risk for our patient-facing applications or products. I think they have to be a high priority in any cyber reviews and they do.
Anthony: So time is an issue – you need a certain amount of time to review applications that are requested so it’s going to take some time, but you don’t want it to be excessive, right? You don’t want it to be seen as this black hole where a department makes a request for an application and they don’t hear back about it for six months.
Kristin: Right. And the way that you do that is by maturing your third-party risk management program. It comes sometimes down to resources. It comes down to processes and ensuring that you’re prioritizing accordingly. We also use BeyondTrust and so that also has vendors that have already been pre-certified. Now that helps us in our clinical and corporate world. It doesn’t necessarily help us for our research world where we get a number of applications that are extremely novel that we need to be able to turn around quickly so that we’re not an impediment to the research moving forward. So it’s a balance.
Anthony: Right. Do you want to talk about a couple of things that you’re working on? And this could be on the security side but it doesn’t necessarily have to be. Just a couple of the big picture things that you’re working on.
Kristin: Sure. So non-security related, we took a step back and started looking at our overall digital roadmap for the next three years. I think we have a number of digital capabilities but looking at it from a different perspective, from an experience perspective for our patients and employees and ensuring that we’re having more of a seamless and frictionless experience. So that has been an ongoing initiative for the last six to seven months where we’ve really taken a look at our technology, our foundation, our application portfolio, and what are the products that we want to develop that we believe will differentiate ourselves in the marketplace. So that has been a huge priority for us.
I think, secondly, cybersecurity is always going to be a priority in this organization so we are looking at maturing our capabilities, making sure we can recruit the right talent for the organization. And I think our engagement with Sandbox is an example of us being able to improve existing capabilities but proactively address a concern that could grow in the future. Look, I think that the trends in cyber continue to be disturbing, right? I mean, with the Ukraine-Russia situation, there are many cyber risks that present themselves and I think that making sure we’re monitoring that very carefully, and then the next generation technologies. We think about our migration to the cloud and it presents a risk and an opportunity simultaneously. We need to make sure that the entire transition we’re also going through with Microsoft is managed carefully from a security standpoint.
Anthony: You mentioned looking at your digital roadmap and it made me think of governance. It’s so important, correct?
Kristin: Yes. I think that the health system strategy has to drive any of the work that is going on in the technology organization, so it’s important to align that at all times. So our sponsor for all of the digital work is our president and COO who oversees the strategy for the organization. We make sure that the digital structure we are now putting up is in alignment with the existing structures that are already in place. So we have a business innovation council and we want to make sure that we are not replicating some of the work that goes on within those councils.
We created a digital portfolio review process and we also created a number of committees and rationalized, quite frankly, a number of committees that were out there because you don’t want to have conflicting charters or missions for the committees. So governance is extremely important. We’ve gone through this process and now we’re standing up our structure that has been reviewed by the executives of the organization and they’re very supportive of it.
Anthony: And you mentioned the cloud. I’ve heard CISOs discuss the idea that maybe there’s some things that need to stay on-prem. So what are your thoughts around the cloud? There’s all different types of cloud arrangements you can have so there are many options there.
Kristin: So we recently formed a strategic relationship with Microsoft to move the majority of our application portfolio off campus to the cloud. And, you’re right, there are some areas that shouldn’t move to the cloud. So a great example would be our supercomputing infrastructure. We’re not going to move that to the cloud anytime soon, probably not even in the next five years, that’s going to remain on-premise. There are also applications that we can’t move to the cloud; they’re not ready. They’re not cloud-ready, and we are using cloud as infrastructure as a service. And then you’ve got other vendors that are software-as-a-service that we are working with, such as an Oracle or a UKG. So I see that there are multiple buckets but, you’re right, there are going to be some applications that ultimately don’t move to the cloud and we’ll continue to have an on-premise data center that they will be located in.
Anthony: It reminds me of when everybody wanted to get rid of paper completely but that didn’t quite work, right? I mean, there’s still paper around and it will be the same thing with the data center.
Kristin: Exactly. I mean, we’ll have a hybrid model like most organizations.
Anthony: Speaking of hybrid, let’s talk a little bit about workforces, hybrid/remote workforces. I think everyone is working through this to get folks back in the office a certain amount of time, perhaps not every day, but some arrangement. Where do you stand on that?
Kristin: We have a very flexible work environment. The majority of our team is actually working remotely. I’m in the office at least four to five days a week and some of our leadership team is. I think that for certain projects it’s great when people can meet on site and really work together to solve a problem. Sometimes it’s difficult on Zoom to get that traction, but overall my philosophy is for a flexible working environment and I think that’s here to stay. I know that not everyone agrees. I know that some hospitals have brought in the team members to work sometimes three or four days a week, but I don’t think we’ll be adopting a policy like that in the future.
Anthony: I hear a lot of executives say they are coming into the office quite a bit, but their teams aren’t. Could this create a two-tier system?
Kristin: I personally like to see people. I think it really comes down to traditionally how you’ve worked also. I like to be able to pop over to some of my peers and talk to them for five minutes rather than trying to set up a meeting that could take three weeks to get on the calendar.
Anthony: It’s exhausting, right?
Kristin: Right. So I think that’s the case for me personally but, at the same time, I don’t want to impose what works for me necessarily to the entire team. What I hear in the feedback from my team is they really appreciate the flexibility. So if they want to come in, and some of them do, that’s great. But there are others that can’t come in, either they may have a health issue, they don’t want to get on the subway or the train necessarily, especially as the rates are increasing. We just got our alert raised here in New York City. So I think that flexibility is really important and you have to also get the feedback from your team.
Anthony: So you give them flexibility but expect them to come in if you need them in, to deal with an incident or something like that?
Kristin: And we did. We did that recently, yes. That’s a great example. I mean, we’ve got (implementation of) Epic hospital billing underway. As you can imagine, you’ve got many parties: you’ve got the finance team, you’ve got Epic Wisconsin, you’ve got our team, and then you’ve got other groups from operations. And so we’ve been bringing team members in and working together on specific issues or decisions that need to be made. And we’ve found in that particular case people were solving issues quite rapidly, whereas it would take much more time on Zoom. So I think for specific projects and for specific circumstances, it definitely makes sense.
We also have remote team members out of state now. I think one advantage is that we were able to recruit team members from all over the country. But when you have that circumstance where people are permanent remote workers, you cannot ask them to come in if they’re living out in California. So I think that, again, I go back to flexibility: listen to your team, listen to what they’re saying, get the feedback from them and what’s important to them.
Anthony: So you’re in New York City which has its benefits, it’s got its drawbacks. You have a lot of folks there, but again having them all there is not as important as it used to be. You can hire people in California, but people in California can hire people in New York.
Kristin: Right. That’s exactly right.
Anthony: So it’s a double-edged sword, right?
Kristin: That’s exactly right.
Anthony: Overall, what are the pros and cons of being in New York City?
Kristin: I think New York is recovering but I think Covid changed the way people work. I saw a newspaper article in the last few days where it said only 8% of office workers are coming in regularly – like a three to four or five-day work week. So I think that’s really changed the city and the way that people commute in and spend their time. On the other hand, I think it’s given people that flexibility. So you can take your child to school, you can pick them up, etc. Again, I go back to flexibility which is really important to us.
Anthony: Well, that’s about all I have for you today. I would like to give you an opportunity for a final thought, a final piece of advice.
Kristin: So I think, for CISOs, it’s make sure you’re focusing on protecting the digital value of your organization and prioritizing by protecting key revenue streams. And I think to CIOs, get a great understanding of cybersecurity and stay vigilant, stay ahead of the curve as much as you can and invest in this area before it’s too late. So I think the need for a mature and advancing cyber function is imperative. You have to keep your whole system and your patients protected.
Anthony: All right, Kristin, thanks so much. Wonderful chat. I really appreciate it.
Kristin: Thank you.