The first and most important question for CISOs to ask is, “Am I risk aligned with the place where I work?” If not, they might be swimming upstream as they promote a culture of security that the organization doesn’t embrace, says Aaron Weismann, CISO with Main Line Health in Philadelphia.
In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Weismann shares a number of valuable insights with CISOs on how to keep a health system secure in this post-pandemic era. It takes dedicated effort to build the team of security champions among staff and vendors, and it’s “absolutely critical” to build rapport through one-on-one time with major stakeholders to get them on the same page with the organization’s security goals, Weismann says.
“ … burnout is a thing that we care greatly about. And security contributes greatly to clinician burnout. So we want to make sure that what we’re doing is both meaningful on the security side, but also limits the impact on our clinicians.”
“When you move everybody remote, your threat landscape increases significantly. Everybody’s house is now an attack vector, every computer that’s at their house is an attack vector.”
“It is difficult on a day-to-day basis to deal with an organization, I think, where you don’t align on a risk posture with them. You know, one option is certainly finding a place that does … ”
Guerra: Do you want to start out by telling me a little bit about your organization and your role, please?
Weismann: Our organization is a health system in the Philadelphia suburbs. We’re about 12,000 staff, nurses, clinicians, etc. We have five hospitals, a number of different ambulatory and clinician sites. And a few corporate offices. As far as my background, I have been at Main Line Health for a couple of years. I was at Massachusetts Health and Human Services as their CISO for approximately three and a half, four years prior to that. And then before doing that I was an attorney with Health and Human Services for about five or six years as an assistant general counsel there doing IT contracting, information security law, IP licensing, etc. I can go further back than that if you need, but I figured that’s a pretty good overview.
Guerra: That’s a good start. Let’s talk a little bit more about the attorney experience. That’s very interesting. So, when did you decide to become an attorney? And then it sounds like you were doing IT contracting as an attorney. Just tell me how the IT and the security and the healthcare evolved from wanting to be an attorney. Just take me through that a little bit.
Weismann: Sure. Yes. So I originally wanted to be an attorney, you know, specializing in technology. My undergrad, I didn’t have a technical background. But when I was in law school, I very heavily got into intellectual property law, contracting, IT licensing, etc. After law school, I went to Suffolk University in Boston to get an LLM, which is a master’s in law in technology and intellectual property. My first job out of law school actually was at State Street Bank and Trust Company, I did finance work. I was in their investment services office, working in their general counsel’s office there.
After a couple of years, the position over at Health and Human Services of Massachusetts opened up as a technology attorney. I decided I wanted to do that. And then as far as the transition into information security, I was one of two attorneys embedded with the IT department. So we were specifically hired to work with IT directly on their day-to-day legal needs. Obviously, Health and Human Services is a very large institution in Massachusetts, about 22,000 employees, makes up more than half of state government, handles not only MassHealth, which is state Medicaid, but also handles the SNAP program, Department of Developmental Services, Department of Mental Health, public health, etc. So a number of hospitals there, a number of other public services provided. I worked hand in hand with the CIO. They have assistant CIOs handling all the different agencies. I worked hand in hand with them. And given my networking with them, when the CISO position came open, since I was counseling the CISO office and working so intently with the rest of the IT group, I put my name in the hat and they liked me, apparently. Liked me enough to keep me around for a while.
Guerra: Apparently, yes. Very good. So this is your first hospital job? Correct? So you were with Health and Human Services, but this is your first hospital job. Tell me about that. Obviously, you bring a lot of strengths to the table. The attorney thing I would imagine is huge. There’s tons of contracts that CISOs have to deal with. So you’ve obviously got a huge leg up there. I’m sure you still work with your general counsel. But maybe you’re able to vet some stuff before you send it over, whereas other CISOs wouldn’t. But it’s also your first hospital job, probably a bit of a learning curve there, dealing with physicians and things like that. But tell me a little bit about that.
Weismann: Massachusetts does have some hospitals and public health and mental health. This is the first job where I’m specifically focused only on that area of practice. In Massachusetts, it wasn’t the biggest area of practice by far and certainly not the best funded compared to a private health system. So we are a not for profit, private health system. It has a lot of the same benefits with the mission — with the passion — that working for the Commonwealth of Massachusetts did. Some of the different challenges, though, are the volume of biomed devices that we have. Some of the network challenges we had were that the clinicians, specifically, all of the clinicians who worked for our hospitals in Massachusetts, were there voluntarily and weren’t there as their primary jobs. Mostly. There were some, certainly, that were.
At Main Line Health, everybody’s here as their primary job; everybody has to care for patients day in and day out. So things we do in security impact their lives greatly. My favorite anecdote is passwords. Having to log in and log out, having computers shut down and sign out during the middle of the day – those are great security practices. But if a clinician has to enter their password 60, 70, 80, 100 times, it’s going to drive them insane, right? And even though I might think, oh, it’s 10 seconds, you know, every time they enter a password, that adds up, that is time they’re not spending with patients. That’s time where they take patient notes back to their office, and they want to input those. So, you know, burnout is a thing that we care greatly about. And security contributes greatly to clinician burnout. So we want to make sure that what we’re doing is both meaningful on the security side, but also limits the impact on our clinicians.
Guerra: Did you have to learn that hypersensitivity to impeding physician workflow by burning your hand on the stove, so to speak? Or did you understand it when you started?
Weismann: I would like to be able to say that I understood it when I started but 100% I burned my hand on the stove five or six times before I learned my lesson. You know, it’s a good lesson to learn, and one that I think isn’t just limited to the clinician environment; it is everywhere. There was an article recently about someone who posted a TikTok video about their hatred of Microsoft Teams, and how terrible it was for their creative job on a day-to-day, work from home basis. It happens everywhere, right? So I think having that sensitivity towards the end user is something we forget. And I certainly forget about it in information security. It’s absolutely something we need to be mindful of.
Guerra: Well, I love your honesty, your refreshing honesty. It’s wonderful. I looked over your LinkedIn profile. You mentioned that one of the things that you did was overhaul the organization’s security infrastructure. Can you tell me more about what you mean by that?
Weismann: Yes, specifically, Main Line Health, I came on in June 2020. So three months into everybody being home for COVID, three months into the lockdown. And, parenthetically, do not switch jobs, if there’s another lockdown ever. That was the most terrible experience in the universe. (laughing)
But one of the challenges for the organization is we had our hospitals open, we were running, I would say at about 50% or 60% capacity, to be honest, everybody else was home. We had people who did image reading at the hospital, who went home and did remote reading from their home offices. We had finance people, HR, legal, IT, even that went home and worked from home and did so for about a year and a half before we started reopening in earnest. And the big challenge there is we had made — just as, I think, a lot of other health systems, and frankly, a lot of other organizations — real investments in safeguarding our crown jewels, all of which were on prem. The focus was protecting what you have on prem, protect what you have in the cloud, and you’re golden. Not a lot of places supported a remote, primarily remote work environment. When you move everybody remote, your threat landscape increases significantly. Everybody’s house is now an attack vector, every computer that’s at their house is an attack vector. So how do you compensate for that? How do you handle that?
Our big thing for the first six to 12 months was, it’s not a fire we have to fight, but it’s something we have to address as soon as possible. How do we safeguard everybody in their homes? And it’s interesting to see how a lot of our solution providers really adapted to that very quickly and moved to cloud-based services, moved to services that were more agent-based than had been previously, as opposed to hardware EDR, for example, or hardware firewalls, and really trying to figure out how to implement that very quickly. We have great partners. We have great support. And we have a great staff who’s willing to engage in — I don’t want to say cutting edge technology because it’s not totally cutting edge — but the way it’s implemented, this unprecedented implementation of it.
Guerra: So that’s the vendors stepping up. Can you talk a little bit more about the security infrastructure? Does that involve just you doing work and upgrades on particular things? Or does that involve you working with the CIO?
Weismann: It involves me working with the CIO. It involves me working with our assistant vice president of cloud and IT operations, the folks in our strategic program office, the folks at our enterprise applications office who handle our EMR and all of the other supporting infrastructure that clinicians use on a day-to-day basis. Really, the staff at Main Line Health, the Herculean efforts to send everybody home and do so in a secure way, can’t be understated. So even though we’ve had great vendor partnerships, we’ve had great internal partnerships, great uptake in secure technology, and great implementation of that secure technology.
Guerra: You mentioned all the individuals that you have to work with, obviously, it’s a huge part of being a successful CISO is building those relationships with those key people. Any advice or things that you have found work for you, when trying to get a good partnership going and trying to make sure that you’re going to support each other?
Weismann: Take people out for coffee, or drinks; whichever people prefer. But you know, COVID really got in the way of that. So for two years, it was all virtual. But, really try and get one-on-one time with your major stakeholders, build a rapport with them, and have them understand what you’re doing and why you’re doing it. However you need to do that, however you get to that point, it’s absolutely critical, in my opinion.
Guerra: Yes, for sure. Let’s talk a little bit more about third-party vendor management. Can you tell me how you’re handling that?
Weismann: Yes, it’s one of our biggest areas of growth. And one of our most aggressive areas of growth. There have been a lot of attacks, really over the past year, year and a half, where a lot of threat actors are now attacking common solution providers – those third-party vendors that service a lot of different clients have a lot of very sensitive data because that’s the best bang for the buck. They’ll pay so that they’re not embarrassed; they’ll pay so that the clients aren’t embarrassed. So they have that reputational thing and in the healthcare space, they’ll pay so that they aren’t subject to HIPAA fines, and so that their clients aren’t subject to HIPAA fines. So there’s a lot of incentive for threat actors to go after those kinds of individuals. A lot of incentive for us to try and safeguard that as much as possible.
So IT governance actually reports up to me in our organizational structure. And that’s an area where we’re primarily focused on evaluating vendors, evaluating vendor risk, and evaluating the products coming in the door. So we do architectural reviews on the products. We do security reviews of the vendors themselves. We use some common rating services that provide a highlight of what vendors are doing, where they are for their security journey, etc., what their problem posture looks like. We found it to be pretty effective. Obviously, if a vendor has a breach, that’s always going to be a surprise, but we found the notifications coming from those services to be pretty quick, sometimes even before the vendor notifies us, and we’re able to address issues pretty robustly as a result of that.
Guerra: Have you also looked at the implications and the impact of the downtime of any particular application, maybe just the major ones, maybe more than that. Do you look at that in terms of your business continuity planning on the security side, and try and talk with the business and the clinical users about, “Hey, if this does go down, what are we going to do? What are the procedures for going to paper? What are the procedures for coming back from paper?” Does that all get talked through?
Weismann: Yes. And my counterpart on the IT operations side had the prescience, at the beginning of COVID, to bring someone on to handle that business continuity and disaster recovery function. So we have dedicated staff that coordinate with our office, and are integrated in our incident response tabletop drills, they’re integrated in our security planning, disaster recovery planning, etc. So they’re an invaluable resource to have. If an organization doesn’t have those dedicated resources, I would highly recommend it.
Guerra: Let’s talk a little bit more about incident management. Talk about the degree to which IT security leaders, who maybe used to living in their silo, now really need to be out there understanding the workings of the business and clinical world.
Weismann: I encourage my directors to round as much as they possibly can. So get in front of those clinical leaders, and really, the frontline clinical workers. Understand what their day-to-day is and understand what they’re doing to make the environment more resilient. You know, on the non-InfoSec side, we have downtime drills a lot of hospitals do, it’s very easy to say, “Okay, information security downtime can be integrated into these downtime drills; we can leverage current processes that are being used in order to make our environment more resilient against security threats.” It’s easy for us to integrate with our disaster recovery, and IT operations folks to understand what’s going on there. Very beneficial to be able to do that stuff.
And then when we run the tabletops — as you identified — having organizational and clinical leadership there, understanding what they’re going to do, how they’re going to do it, when they’re going to do it, is absolutely critical.
Actually, one of the things that came out of our last incident tabletop is that we didn’t have enough frontline staff. So we included clinical leadership, who are going to be organizing everything, which is great. We hadn’t included the people who have to implement the downtime drills, have to continue patient care. And there are real champions of technology, champions of information security, within our clinical staff that we can leverage for that response. Those individuals are going to be included in the next round of incident response tabletop planning. So I think the more robust we can be, the better, and we’re trying to build that robustness, iteratively, each time we run one of these exercises.
Guerra: Very good. You mentioned rounding. I have heard that rounding is one of the things CISOs are using to keep people connected to the mission. Is your staff largely remote? Do you worry about keeping a remote staff connected to the mission?
Weismann: Yes, and we are remote to a degree. But it’s very important to our executive leadership, since we are a community health system in the Philadelphia suburbs, that people are integrated into the community. So the look and feel of the health system is important. Understanding the communities we serve is absolutely critical. So, we prefer to hire local staff if we can. And fortunately, we haven’t had issues hiring local staff. We require staff to be in a certain amount of time per week. And by doing that, I think it eases the difficulty that you’re highlighting that I think a lot of businesses have, which is, when hiring fully remote staff, the expectations to come in are different; the expectations to be on site and participate in that company culture are totally different. For us, that physical presence is still valued.
Again, we have five hospitals and a ton of clinical sites. So those are open 24/7. That is what we are supporting. We need to figure out how to support that best. It’s an easy value proposition to say, “Hey, your job is going to be better and easier if you go on site, if you talk to these people, and if you meet your colleagues on the business side and the operation side.” So, it’s actually been a pretty successful model, I think. We’re still working out exactly what that looks like and working out some of the kinks. But I think it’s been working effectively so far.
Guerra: Very good. From a big picture point of view, what are the top couple of things you’re working on, or just the top trends you’re seeing — maybe something you want to highlight for your colleagues that you’ve got your eye on, but maybe not everybody else does. Something that you’re looking at.
Weismann: I don’t know that I have any high-level trends that I’m monitoring that other folks don’t. Clinical burnout is a real and critical issue, security, environmental threats, very critical issues, ransomware threat actors, etc. My big initiatives are, we’re looking to alleviate both of those to a degree. So one of the things we’re looking at implementing is badge tap access in all of our clinical workstations. The idea being that if we can ease how clinicians interact with a PC and make that easier and more approachable, it’s going to be more secure. We’re going to get passwords off computers, get passwords off walls, that happens literally everywhere. And we’re really trying to figure out how best to do that in a way that is beneficial and acceptable to everybody. As far as dealing with ransomware attacks, again, it’s building the infrastructure and the muscle memory that we need as an organization to be able to defend against those and have early warning and detection against those. And then, recovery from that as well. And pursuing options for how do we continue clinical operations in the event of wide-scale network computing downtime, etc.?
Guerra: Most of the time, ransomware gets in when someone clicks on the wrong link in an email. How do you create a security culture to guard against that?
Weismann: There are a number of different ways. So we work with our digital marketing team to figure out how we handle that through banners on the desktop, through communications, etc. We do the phishing exercises internally. We do phishing education on a monthly basis. We also work with HR to coordinate with managers. Okay, how can we best manage messaging this out to teams? How are we communicating that appropriately? And then we work with our public safety group and our patient safety group.
And there are a lot of different techniques we have internally for stopping the line. We use STAR [malware protection technology], which in the healthcare industry is an industry standard exercise for identifying and remediating risk. So we try and leverage those clinical ideas as much as possible to make it tangible to our clinical staff and make sure that our clinical staff is behaving in a safe way. And again, tying it to patient safety. There’s a lawsuit going on in Alabama right now where a patient died in the hospital that was attacked by ransomware. The allegation is that the ransomware was the proximate cause of that death. We obviously don’t want to have that reputational impact internally. Clinicians don’t want to have that impact to patient care, the reduced patient outcomes, etc. So we’re really looking to tie all of that together. And in addition to the communication, in addition to the training, really say, “Okay, this is patient safety.”
Guerra: Do you have discussions with HR that involve deciding what actions are going to be taken against an individual if they click on the wrong thing, maybe repeatedly? Or is that completely HR, or is part of what you’re supposed to do is communicate to HR the implications of these things, so they can then decide how severe to be?
Weismann: We work hand in hand with HR. But if I had to describe the process, it’s the third option you mentioned, which is, we communicate with HR; we have a conversation with HR. HR ultimately includes that in its performance management. And they have a performance management schema for pretty much everything at the health system. Phishing compromise is now one of those things that is included in that performance management.
Guerra: So I’ve heard the CISO described as the chief risk officer. And it’s your job to understand risk and communicate risk, but perhaps not to be the one deciding on how much risk the organization wants to take on. So do you agree that your job is to communicate risks to the people who will then decide, but not ultimately be the one who decides on the risk level that’ll be accepted?
Weismann: Yes, and I only agree with that because I’ve pushed for that so hard. We developed an operational risk assessment and authority to operate processes internally. It mimics what NIST recommends, and what the federal government has implemented, where really, we document risk, we outline where we see risk. And then the business operations teams decide whether or not to accept that risk, we then report on it on a quarterly basis. And, you know, by risk profiling the organization like that, and identifying where we have hotspots of risk, I think people have become a lot more aware of risk and a lot more receptive to conversations around risk.
Guerra: Yes, I wonder if CISOs, and I’m sure it happens, get in a situation where more risk is accepted than they’re comfortable with. And I guess if that happens, you just have to decide if that’s the place you want to work.
Weismann: Exactly.
Guerra: Right? Because the breach is still going to be on your resume as having worked there when it happens. So it’s a very interesting balance. Okay, we’re just almost out of time, I wonder if you had any final piece of advice for your CISO colleagues, something that you’ve found has really worked for you. And you know, in your experience, just anything you want to offer them at this point.
Weismann: I would say persevere. A lot of the fellow CISOs, I’ve talked to a lot of the CISOs I worked with on the legal side, you know, it is a drag sometimes, right? You know, you’re pushing an agenda, you want to push security, to your point, some organizations are just more risk accepting than others. It is difficult on a day-to-day basis to deal with an organization, I think, where you don’t align on a risk posture with them. You know, one option is certainly finding a place that does and I’ve been very fortunate in my career to find a couple of places that aligned with my personal risk tolerance as well. You know, what my professional opinion would be: if you’re unwilling to leave your organization, or you want a challenge, persevere and keep pushing for the risk acceptance that you want to see. And, I think eventually, it’s difficult not to be able to make that case effectively over time. It just takes time; it takes effort, and really being able to communicate that tangibly to the business in a non-technical way is absolutely critical.
Guerra: I love the phrase you just used, “aligned on a risk posture,” because it really explains where you want to be. And I guess that’s something you’re going to try and figure out during the interview process as a security professional if you’re interviewing for a CISO role. That would be one of the things I would think would be one of your objectives during an interview: to see, are we aligning on a risk posture, because it could go either way. The organization could be too risk averse, or the organization could want to take on too much risk. So too much risk, you’re risking a breach. Not good. But the other way, too aggressive, and you’re inhibiting user experience, then you’re going to have people screaming at you all day, “I can’t work like this.” So you want to align, right?
Weismann: Absolutely. And either you find it out during the interview process, or you find it out in the first month you work there, but you will find it out very, very quickly.
Guerra: And that’s not a situation we want to be in. Right? All right. Well, excellent talk today, Aaron. I want to thank you so much for your time.
Weismann: Thank you. I really appreciate your time, as well.