The ultimate challenge for a CISO is to get all of an enterprise’s stakeholders to recognize that IT is not just in the security game to protect the data, it has the organization’s bottom line and care outcomes at heart, says Michael Carr, VP, CTO and CISO at Health First, an integrated healthcare delivery network on Florida’s Space Coast. According to Carr, this is done by finding a good way to articulate risk in the context of all the organizational risks. “And I think the ability to quantify, the ability to measure, and really to help people understand everything is a critical issue,” he says. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Carr discusses testing business continuity plans, getting buy-in on purchasing decisions, third-party risk, cyber insurance and more.
Podcast duration: 31:52 (21.9MB)
Bold Statements
“(Getting cyber-insurance) is a long, tedious, painful process. And I think part of it is because there is no industry standard around information security. I know a lot of organizations have adopted NIST CSF, not everyone. So everybody’s got a different playbook – even the insurers look at different information.”
“I think third-party vendor management is one of the hardest things that organizations have to deal with. It’s not just you and your business partners, it’s business partners of your business partners or business partners to the business partners of your business partners.”
“ … we’ve got to have commitment to actually test that. I think that’s the last piece. It’s great to have a documented plan. But if you’ve never tested, if you’ve never exercised it, good luck in the case of a real disaster.”
Guerra: Michael, thanks for joining me.
Carr: Thank you for having me.
Guerra: Why don’t we start off with you telling me a little bit about your organization and your role.
Carr: Sure. Well, Health First is an integrated delivery network that primarily serves Brevard County, Florida. So we’re about an hour east of Orlando, along the Space Coast. Our organization has a health plan, four hospitals and about a 500-member provider group. My role is chief technology and information security officer. In that role, I’m accountable for our core platforms, technology, development, architecture, our data and analytics and our information security program.
Guerra: Excellent. I always like to find out, especially for CISOs, how you wound up where you are. So, tell me a little bit about your career path that got you to the security side of healthcare technology.
Carr: Sure. Going back before healthcare, my background is in finance. That’s where I started my career. I spent about the last 15 years in healthcare — for about the last eight or so, it was more of a specialization focus on security. Honestly, I got into security by accident. And what I found is an affinity to my finance background in terms of not just around audit and compliance; a lot of people think that that’s a natural fit. It’s really more about, how do we take something that we know is important (like information security) and how do we make it actionable? How do we make it measurable? And once I understood the impact of security—on not just healthcare, but across all of our critical industries—it really drew me into it. So being able to take my finance background, my operations background, and then extend my experience in IT, it really helped me understand once again, the importance and the criticality of information security to healthcare.
Guerra: And you were in infrastructure, too, and we know lots of security folks come out of infrastructure. Why do you think that is?
Carr: Because, I think initially, a lot of the security work focuses on the blocking and tackling of core technology. You know, are you patching your servers? Do you have privileged access set up? How do you provision access to users? So, I think a lot of the work initially started there. And now, a lot of those leaders that started in the early days that were really focused on the infrastructure pieces, understand what it takes to grow mature programs and understand the technical as well as the business side of security.
Guerra: Very good. So you started at Health First in January of 2020. And we all know what that coincided with. That had to be fun, starting a new job when a once-in-a-century pandemic hits.
Carr: Yes. I tell people it was great timing because selfishly it helped me learn the organization. And you saw how quickly organizations had to pivot to address sending the remote workforce home, some of the emergent technologies that people were looking at and knowing, at the same time, we had to secure that. It really helped me see how the organization operates, and the priority they placed on information security.
Guerra: And everybody says, from a security point of view, they had to accept an elevated risk profile, because they had to roll out technology so fast to respond to what the business needed, what the clinicians needed. And then there was a process of when things quieted down, going back and reviewing. Did you experience something like that?
Carr: We saw a little bit of that. We were fortunate that a lot of the foundational work had already been deployed around our infrastructure to support remote work. Our clinical partners were already working on virtual visits, and so we had a little bit of a head start. But I think the organization had already done the groundwork, so a lot of our approach was, “Okay, where do we really have increased risk with some of these new capabilities? And how do we expedite the process versus just accepting risk?”
Guerra: I hear that from some executives that they say they felt they had done a good amount of work, and they weren’t lucky, because doing the work isn’t lucky, it’s doing your job, right? But it makes me think of technical debt and just how dangerous technical debt can be. You can’t handle the next challenge you didn’t see coming if you’ve got big technical debt. If you’re up to speed, as you mentioned, you’re in a position to react better. Your thoughts around that?
Carr: Yes, I think that’s a great point. If you’re constantly playing catch up, it takes a lot of your focus and energy. And, you know, that’s where I think some of that risk acceptance comes into play of people saying, “Hey, I know I’ve got these issues out here. I know I don’t have multifactor, etc.” So, I think if you’re having to do that work first, it definitely shifts your priorities. And I can see where organizations say, “Hey, we had to take on a lot more risk because we knew we had these issues. We weren’t able to mitigate them because we had to respond to the business need.”
Guerra: Yes. And as you said, the key is to put the argument correctly, or the case correctly, to those who are going to approve or not approve the budget. Because sometimes you’re addressing what isn’t currently perhaps a critical problem. Right? So you have to articulate it correctly. What are your thoughts around articulating that the right way?
Carr: I think that is the number one challenge facing information security professionals today is how do you articulate risk in the context of all the organizational risks? And I think the ability to quantify, the ability to measure, and really to help people understand everything is a critical issue. When everything is, “Oh, my goodness, we have to respond to this,” you really lose credibility with the group. So yes, I think for us it’s, how do we have an honest conversation around what we really think the risk is, and moving away from that fear, uncertainty, doubt, to a more reasoned, “Hey, we think these are the top three things and this is why we think we need to mitigate them. And if you accept this risk, just understand what you’re accepting.”
Guerra: Right. So we had your CIO, William Walders, on a Webinar recently. He’s a very data-driven guy. I think you’d probably agree with that.
Carr: Absolutely.
Guerra: So, he’s not going to want gut feelings. He’s going to want numbers; he’s going to want data, and it’s probably got to be good. So what’s it like to work for someone like that as a CISO? It sounds like that probably jibes well with what you bring to the table. You said you’re a very data-driven guy, as well.
Carr: I think in some ways it makes it easier, because you know what the bar is. You know what’s expected. And so whether it’s our frontline engineers, or other leaders, we always say, “Hey, let’s stay away from ‘Oh, my goodness,’ or ‘Hey, we heard about a best practice.’ Let’s take a step back. Let’s look in the context of our program. Where is it in terms of those key risks that we’ve identified? And then how do we show the value?” And once again, one of the things we look at is, “Hey, there’s a lot of things we know we need to do. We know we need MFA; we know we need to patch, all those kinds of things. How do you take it back to the business? And how do you take that data-driven approach to show people, ‘Hey, we’ve done these things, and here’s the impact and here’s the benefit to the organization’?”
And one of the things we’ve been able to do is look at our cyber insurance rates and compare that to our peers. And what we’ve seen is, as we’ve matured our programs, our rates are favorable compared to the industry. And I think that’s one of the things we can point to and, from a data perspective, say, “Hey, we’ve done these things. Here’s where the real cost avoidance has happened, as we’ve looked to implement a lot of these things that people may see as friction, but really, they’re about protecting the enterprise.”
Guerra: So you mentioned cyber insurance. And we’ve heard from lots of CISOs about what a difficult process that has become, especially if the organization is looking for a new carrier as opposed to renewing with their existing one. Is it as bad as we’re hearing?
Carr: I think it varies by organization and it matches to your organizational maturity around your security program. We’re fortunate we have a great partnership with our legal group and our risk group. And our program is not new. So we’ve had some data we can show them. We’ve shown them the maturity; we’ve shown them the progress. And so what we found is a lot of things they asked for we’ve already either implemented or are working to implement. You know, adopting a framework and sticking to that, I think, is a hard thing. We’re using NIST CSF, and it’s not so important which framework you use, as long as you adopt and commit to a framework and show the path. And I think for us, a lot of the things where they would say, “Hey, have you done this?” If the answer is no and they ask why, we can say, “Hey, because we identified A, B, and C as our key priorities.” So it really helps shape that conversation.
I think from a financial perspective, it’s very expensive. I think what our insurer told us is rates went up over 100% last year for a lot of organizations. That was the average; ours was less than that. And so, this year we’re in the process of that now, and it is a long, tedious, painful process. And I think part of it is because there is no industry standard around information security. I know a lot of organizations have adopted NIST CSF, not everyone. So everybody’s got a different playbook – even the insurers look at different information. So I think just gathering the data to tell the story is a lot of the difficulty.
Guerra: Yes, you get the feeling probably at some point that they don’t really want to give you an insurance policy. We’re making it so expensive and so hard, like, if you walk away, we’re good. No problem. Have a nice day.
Carr: Well, yes, and I think this is where, you know, as an industry, healthcare, they’ve been bitten, and they feel like we’re high risk as an industry. And it’s not just because of the value of our data, it’s because of the disparity of maturity across healthcare organizations. You know if you’re a very small organization, it’s expensive to do security well. And so I see from their perspective, where, when they look at us as a population, you know, we’re high risk, we’re like a teenage driver. So, we, as an industry have an opportunity to change that, I think.
Guerra: And you’re probably like, “Look at me, I’m not acting like a teenage driver!”
Carr: Absolutely. That goes back to the data-driven approach: how do you change their perception? How do you show them more than just “I’ve implemented ABC controls”?
But I think measuring the work and measuring the outcomes are really important. Because I do think that just as with any conversation, that financial conversation, there’s the brass tacks of you have to do these things but then there’s a conversation piece where you can explain why you’re different. And once again, that’s where the data driven approach is really beneficial.
Guerra: Yes, it makes me think, again, of technical debt, and probably the last place you want to have technical debt is in the security area.
Carr: Absolutely.
Guerra: Because you can’t play catch up. It’s over. So if they come in, and they say, “Do you have these foundational pieces of security infrastructure in place?” and you don’t, you’re in a bad spot. Forget about getting insurance, you’re in a dangerous spot to begin with.
Carr: Absolutely. And a lot of it is, they don’t ask for a lot of collateral documentation. It’s a questionnaire, do you do these things? Yes, or no? And so, you know, my assumption is that the risk is you can say you’re a lot more mature than you are. But if a breach comes, if you’re one of those unfortunate organizations that has some compromise, and they come back and say, “Hey, but you said you did A, B and C and didn’t,” that’s where I think it’s really going to come through as denied claims and that stuff. So, it really is an honor system, which once again, goes back to not having a common framework to measure information security maturity across healthcare organizations.
Guerra: Great point. Being less than truthful on those insurance questionnaires can result in them simply not paying, so they don’t have to care as much about verifying the answers. The case is different when you are using questionnaires to do third-party vendor risk mitigation. They don’t have the same consequences for misreporting their security capabilities on those. Does that make sense?
Carr: Yes, it absolutely makes sense. And I think third-party vendor management is one of the hardest things that organizations have to deal with. It’s not just you and your business partners, it’s business partners of your business partners or business partners to the business partners of your business partners. So one of the things we do is partner with a third-party organization that does a risk assessment for our business associates and our potential partners. But we’ve had an example where we had a third-party to a third-party, who is HITRUST, HIPAA certified; they’ve done everything, and they still had a ransomware event.
So, I think the challenge is, even if you have a team that’s really good, goes through the SOC2, asks all the right questions, and the organization is transparent, is willing to tell you about the security program, it’s still only skin deep, an inch deep, you’re not going to be able to get as comfortable as you would like. So I think having a process – a regular process – of annually or semi-annually reviewing those is necessary, but it’s time consuming. And it’s difficult. And I would say for us and a lot of organizations, it’s one of our key risks. And one of those areas that’s the hardest to mitigate.
Guerra: You could be talking about what? Hundreds of vendors?
Carr: Correct, several hundred. And we’re a midsize organization. So you take a large organization, it can be overwhelming.
Guerra: It’s tough. Everything’s constantly moving and fluid. It makes me think of medical device security, because that’s another octopus that’s hard to get your arms around. But any more about third-party risk?
Carr: I think you covered it well. It is one of the key areas we talk a lot about. It is challenging. I think we do a pretty good job, but it’s still a key concern, and the work never stops. And as more and more vendors come into healthcare, what we find is less and less mature organizations. This is not the downside, but a lot of new startups that don’t have a security program say, “Hey, we’re going to solve this really unique problem that no one else has done. And hey, we’ve never been in healthcare. What do we need to do?”
Quite honestly, something we’ve talked about in other groups is all these new security vendors. I think we need to approach those more rigorously than we do normal vendors. But even within them, I think there’s an assumption that a security vendor has a secure culture within the organization. And I don’t think we can make that assumption.
Guerra: Let’s talk a little bit about business continuity planning. I’ve been thinking a lot about the degree to which security professionals need to work with clinical leaders more than ever before so they truly understand how to orchestrate BCP.
Carr: Yes, and this is something we talk a lot about living on the Space Coast being in Florida with natural disasters and hurricanes. And so, we have the backdrop of every year for years having to plan for, and in some cases, respond to a hurricane. We’ve taken that and expanded that to not just be hurricane planning. But to your point, around business continuity. I feel very strongly business continuity should be owned by the business. IT is a piece of it, in terms of the technical capabilities.
We’re fortunate in that we have a really strong clinical informatics group that understands the workflows; understands the technology. And so, we’re able to have conversations of, “Hey, when it’s really critical, what are the 5, 7, 10 things that you need? What is the impact if you don’t have A, B and C?” And then, making sure people know how to go to the downtime procedures: they’ve tested it, they’ve used it, they understand the impact.
And as you said, the hard part is once things are back up and you need to recover, how long is that going to take? What’s necessary to do that? So I think business continuity – everywhere I’ve been – has been a challenge, partly because nobody really ever wants to own business continuity because it’s really hard and messy. But I think at Health First, we have that partnership with our disaster preparedness, emergency preparedness group, our clinical informatics team, the technical group and operations. So, yes, it’s a key piece of our information security program.
Guerra: And that’s the main thing the CEO and board want from you, right, to know that you’ve done everything possible not to go down, but if you go down, to get back up as quickly as possible?
Carr: Absolutely. And I think for us it starts with going back and asking what is your key risk? What is the board and senior leadership most concerned about? We’re healthcare; our primary concern is we want to make sure we’re able to provide the best healthcare to our community. And so with that understanding, okay, what is really critical for us to do that? And I think it goes back to prioritization. What are those mission critical systems? We have several hundred applications that we use across the organization. Which of those are really the most important? And do we have the right disaster recovery and business continuity processes? Have we tested them? You know, are we confident we can meet an RTO, RPO, whatever that looks like for the organization? And that’s where that engagement, that conversation, needs to come in. It can’t be an IT-driven decision about what’s most important. And then we’ve got to have commitment to actually test that. I think that’s the last piece. It’s great to have a documented plan. But if you’ve never tested, if you’ve never exercised it, good luck in the case of a real disaster.
Guerra: I would imagine everyone’s busy, right? So there have to be clinicians involved in these tests to some degree. So is it hard to get them to participate?
Carr: It is when you’re talking about bringing down your EMR, or that scenario. And so what we try to do is take advantage of patching windows or system maintenance, right? There are opportunities where we know the systems are going to go down or be unavailable. How do we leverage those, so it’s not a, “Hey, in the middle of the day, on a Tuesday, we’re going to do a D.R. test,” right? You know, that’s not going to fly. But I think you can work within your normal patching maintenance downtime windows to replicate what a disaster scenario would look like.
Guerra: What about tabletops where you need them to participate? Is that something you do, where you have to get clinical leaders involved in these business continuity tabletops?
Carr: At a macro level across the organization, yes, our emergency preparedness group does that with, “Hey, we have a scenario, you know, some disaster event, it could be a natural disaster; it could be a cyber event impacting a third-party.” They sit down with those leaders and really say, “Okay, this has happened, you’re cut off, what are you going to do? What are your processes?” We have a part to play in that. But that’s an area where I really credit Health First’s leadership and our emergency preparedness group. It’s been a well exercised muscle that people know they have to plan for because of the likelihood of a storm, but it really translates to any disaster, whether it’s technical or environmental.
Guerra: All right. Let’s talk about trends. Anything that you’re looking at that maybe not every one of your colleagues is focused on?
Carr: I don’t know if it’s necessarily a trend. But anyway, there’s a lot of debate around measurement. How do you quantify risk? I think this is one of the weakest spots around, not just in healthcare, I think across a lot of industries. It goes back to that question of being data driven. How do you move from a control-based framework of maturity, which is good, but what’s after that? How do we get to the outcome base? How do we show the business value of our work? And so I think, for me, that’s an area our group talks a lot about. And, you know, there’s difference of opinion across the industry about how valuable that is. I think it’s really important. I think the next iteration, that next generation in security leaders today, needs to be business leaders. They need to think in business terms. You need to be able to take a risk and match it up with a competitive risk or an acquisition risk. I think we have to be able to have the same conversation that our finance or operations partners do. So that’s one area that we spend a lot of time on.
I think the second thing for us is around rationalization. And this is an area where I talk a lot with our security vendors and partners. I want to move away from the point solution to solve a point problem. And a lot of times this will be the best of breed; if you’ve got 10 best of breed solutions, I think it’s really hard to stitch those together. And not just from a data perspective, but from training, from adoption. More vendors to manage, more things to maintain. So I think for us, we’re trying to winnow that, narrow that scope of vendors, and really challenge them — if you just do one thing, and you may be the best in the world with that one thing, I don’t know if I need best in the world with that one thing, right? So I may just settle for good enough, knowing that I’ve got other mitigating, compensating controls around that. So those are the two areas we’re focused a lot on: the measurement, the outcome-driven, quantitative analysis of our risk; and then how do we shrink down that portfolio of security vendors, and really challenge them to do more than just one thing.
Guerra: So we’ve done a number of webinars on application rationalization, and that’s an interesting process in and of itself. It’s not easy to get users to give up their favorite application.
Carr: Yes, and I think for us, part of it is when you have 400, 500 applications, it’s really hard to know what every single one does. So we spent a lot of time and effort mapping not just our applications and what functionality they have, but also what business units use them. I would say we’ve had marginal success around the rationalization. A lot of it has been helped by end of life or maybe a regulatory requirement that a vendor doesn’t meet. But the way we tried to approach it is giving them the option, giving them the choice. But once again, go back and show them the data, if you can’t tell them what the cost of a secondary system is, it will be hard to convince them to change.
So I think we have to tell the whole story. I think we have to look at the risk. I think we have to look at the cost. I think we have to look at the administrative overhead. And how do we build that? How do we build that trust that we’re not just trying to make it easier for us. But really, this does solve a problem. One of the things my CIO says is, if you’re just moving from Coke to Pepsi, who cares, there has to be something in it for them. And we need to be able to tell them, it’s not just moving from Coke to Pepsi; there is a benefit to doing this. And this is what it looks like. If you can’t do that, there’s no reason for them to commit to that change.
Guerra: Alright, couple more questions. We’re almost out of time here. I did see on your LinkedIn profile that you are an Airborne Ranger with the Army. So that’s pretty cool. Thank you for your service.
Carr: Thank you.
Guerra: So the question being, what did you learn in that type of work during your service that helps you be a successful executive?
Carr: Wow, I would say two things. One, is you need to learn the roles of the people around you because you never know what’s going to happen. And so I’ve taken that to heart. And I’ve been fortunate in my career that people have wanted to teach me. And so I think first is understanding that.
I think the second thing is, the little things, as my boss says. One of the things that the military and the Rangers really pounded into us is you need to be brilliant at the basics. You need to understand and be able to do all the little things. If you can’t do the little things, you can’t do the big things. And it’s things like in the military, it was you know, your physical fitness, it was your attention to detail. It was cleanliness of your weapons and those things which, at the time, you may have thought were petty, but looking back really what they’re saying is if you can’t do those little things, I can’t trust you with the big things. And I think that’s a lesson I’ve tried to keep carrying in my career and impart upon others is, if you want to do the big things, show people you can do the little things well, and you’ll get that opportunity.
Guerra: Excellent. Very good. All right, last question. Any final piece of advice for your CISO colleagues?
Carr: I think the key to success is the relationships; the non-technical, the non-security relationships. I think, working with risk, working with legal, helping people to understand that we’re businesspeople first. And our job just happens to be to manage the technical and security risk of the organization. But they need to know that we’re as committed to the business outcomes as they are. When you have that trust and confidence, it’s really easy to get support and buy-in. If you don’t have it, it’s almost impossible to get that buy-in.
Guerra: Right. So you’re as focused on patient care as they are.
Carr: Absolutely. We have the same goals, the same outcomes.
Guerra: Excellent, Michael, that was really, really great. Thank you for your time today.
Carr: I appreciate it. Thank you very much.