Health systems today face increasing odds of a breach, and that’s what drives Rishi Tripathi, CISO at Mount Sinai Health System in New York City. “There is an opportunity for us to step up and do a far better job than we do protecting our banks or factories, because this is literally life and death,” he says. And Tripathi should know. He’s been around the block with cybersecurity. In his career, he has guarded a utility, a media company, manufacturing and financial services – landing most recently in healthcare. The significance of the responsibility is not lost on him. In this interview, Anthony Guerra, founder and editor-in-chief, talks with Tripathi about what he’s learned from other industries about the cyberbattle and how he handles the fearsome task at the front line.
Guerra: Rishi, thanks for joining me today.
Tripathi: Anthony, thanks for having me.
Guerra: All right, very good. Let’s start off. Do you want to tell me a little bit about your organization and your role as CISO over there?
Tripathi: I’m the chief information security officer for the Mount Sinai Health System. And it is a pretty complex operating environment from a healthcare provider perspective. We’re tasked with protecting the health system in total, which includes a number of hospitals, ambulatory clinics, research facilities, a university, etc. So it’s a fairly complex environment, and we’ve been on a path to mature the program. There are some things that were of interest to me when I joined here. And we’ve been executing on that to take it to the next level.
Guerra: Can you tell me a little bit about your career journey, how you wound up here and your perspective, as you compare it to the other industries you’ve worked in?
Tripathi: Yes, absolutely, Anthony. I started my career, actually, working in electrical substations. I was working for a construction company wiring up regulators and substations, and then I got a job at the utility whose SCADA system these connections were being made to. 9/11 happened, and they were looking at beefing up their security. And I, essentially, raised my hand, and I started working a lot on cybersecurity at that time. So I’ve worked in SCADA systems; I’ve worked in financial systems. I have worked in manufacturing. I have worked in media and entertainment, and I’ve worked in healthcare. So five jobs in total, each in cybersecurity, and each in different industries.
So it has been a unique trajectory in that sense. I’ve seen that every industry has a lot of commonalities, but also some differences. At a base level, if you think about it, every industry will have a piece of technology or a part of the organization that is easy to secure: your traditional IT stuff. But at the same time, every industry will have these OT systems, which are more difficult to secure. So in the case of an electrical utility, your SCADA environment – a lot of it is more difficult to secure. Your traditional financial services has your ATMs, and so on. And then you go to manufacturing, your factories and things like that. In media and entertainment, your broadcast system. And then in healthcare, it is your hospital and your care provider systems. So those are different in every industry. And the consequences of a breach are different, too. From electricity being shut down, to a game not being visible, to actual life impact, in the case of a hospital. So, I’ve seen different industries do security differently. Some things are done better in financial services, some things are done better in manufacturing, in media. So, I’m able to get the best from each sector and put it to use for Mount Sinai.
Guerra: So when you come into healthcare, what is your impression? Are there things you think healthcare does well, and then some of the things where you see healthcare can benefit from ways that things are being handled in other industries?
Tripathi: Yes, I mean, that’s a great question. So, just going back to history a little bit, the pivotal moment for financial services was the 1993 breach of Citibank online. And that’s when they got really serious about cybersecurity for online banking. So there, they had a head start. For healthcare, that pivotal moment was 2015, when the Anthem breach happened. So healthcare, I would say, is ballpark maybe 20 years behind financial services from a maturity perspective. So that’s the bad news. But the good news is, we can learn from them. And we can leapfrog, and we don’t have to learn from the same mistakes that they may have made over the years. So healthcare has a real opportunity to leapfrog and move ahead real quick. But there’s a lot of work that needs to get done.
Guerra: A lot of times when people talk about how it’s being done in other industries, you’ll hear people in healthcare say, “Well, you don’t understand, healthcare is different.” There may be some truth to that, in some areas, but that may be used a little too breezily, a little too often, as an excuse. What are your thoughts on that?
Tripathi: I would say that’s more of an excuse. The impact of a cyber-attack on a healthcare institution far outweighs the impact on a financial institution. In financial, the money can be lost or stolen. And you can always recover that or recover parts of it. But in healthcare, you’re literally talking about people’s lives. So if a hospital is shut down – and there have been cases in Europe and so on, where the ER systems were shut down and patients had to be diverted – that could result and, in some cases I believe has resulted, in loss of life. So how do you undo that? I agree that healthcare is different. I agree the challenge is greater. But that is also an opportunity for us to step up and do a far better job than we do protecting our banks or factories, because this is literally life and death.
Guerra: You’re not going to have a CISO position in any industry that’s got more on the line. Right?
Tripathi: Exactly. And that’s what drives us. And that’s what drives me personally. And that’s what drives the recruitment of my team. We are coming from financial services. The majority of the folks in my leadership team are from financial services. And they’re coming here because they have an opportunity to contribute to a major health system during a pandemic. And it is a unique opportunity. So, the calling is big, and people are working very, very hard to make sure that we are up to par from a cybersecurity perspective.
Guerra: So in terms of things that are certainly unique to healthcare, medical device security is a big one. Most people talk about how challenging it is to even get an inventory of the devices, to know where all the data is. That’s a very specific healthcare issue that you haven’t dealt with before. Can you talk about any of those very healthcare-specific challenges? And how maybe you’re bringing some of your experience to have a new perspective on dealing with those?
Tripathi: Yes, sure. So the biomedical devices, they are unique in the sense that they actually provide care, or part of the care, for patients. But from a cyber perspective, they are similar to a broadcast environment, or a utility environment, or a factory environment, in the sense that these are all operational technologies. And the commonality is most of these technologies are built on old operating systems that are not patched as regularly. And how do you secure that environment? So the strategies we’ve used in the past seem to be the ones that will be successful here as well, where you build segmentation around some of these devices. You network segment them based on criticality. And then you work with the manufacturers, where patching is an option, to aggressively ask for patches. So, it is an interesting challenge, but it’s not something that has not been dealt with. We have some technology deployed that provides visibility on what medical devices we have, and what level of risk they pose. And then we prioritize: where possible we patch; where not possible we segment, cut off from the Internet and reduce the risks.
Guerra: You mentioned working with the vendors and manufacturers. Does healthcare have a different, perhaps a more dependent, relationship on its vendors than you’ve seen in other industries?
Tripathi: I think so. I was just trying to draw a parallel with broadcast, because broadcast systems are very much run by third parties. These are third parties that just come in and maintain that environment for any broadcaster. In healthcare, in the same way, in some of these environments you have the presence of vendors who are actually maintaining these devices for you. So I would say, yes, it is higher than in other industries, absolutely. And then the criticality that these devices have for the functioning of our health system is crucial as well. So it just becomes even more important.
Guerra: Yes, I spoke to another CISO, who mentioned that her clinicians are interested in a lot of the startup companies, the vendors. The clinicians say, “These are amazing applications, they’re really going to help.” But they’re really behind from a security point of view; they almost didn’t think enough about security when they were building the application. So she says she’s in a position of almost being a virtual CISO. And having to coach and help these companies along, because her users want to use this so badly. But she’s got to help get it up to snuff and up to the proper security level. Have you seen anything like that?
Tripathi: Yes, I think the issue that you bring up is a general issue about our expectation as the healthcare industry from the vendors that provide technology to us. If you compare the expectations that we have in healthcare versus the expectations financial services has on their vendors, there is a disparity. They ask a lot from the third parties they do business with, versus we’re not asking at the same level, right? So there is an opportunity there to increase the level of rigor that we put in, in getting the technology vetted. But also, once we actually start asking for that level of sophistication, the vendors will have no choice but to up their game and create more secure products.
Guerra: Yes, that definitely seems to be an issue. So you’ve been over there about a year and a half. Is that correct?
Tripathi: Close to it. Yes.
Guerra: So I interviewed your CIO, Kristin Myers, a few months ago. I would describe her as a very security savvy CIO; she really knows what she’s doing on that side of the fence, so to speak. When she was interviewing you, what was she trying to learn about you? What made her comfortable to select you? What was she looking for?
Tripathi: That’s a great question. I think, in my view, what she was looking for, and I’m just guessing at this point, is a forward-thinking, collaborative, and a how-do-we-make-it-happen-for-the-company CISO. So, more strategic business, rather than tactical blocking and tackling. I think the CISO role itself has evolved and gone through very technical folks, then folks who would say no to a lot of things. And now we are at a phase where we have to be business enablers. So the job of the CISO is to protect the revenue of an organization. And if the decisions we are making are hurting the revenue of the organization, even without being attacked by cyber actors, then I’m doing a disservice for the company itself. So, my job in a broader sense is to protect the revenue, the functioning and operations of this organization, but also enable the technology in a secure way so we can go fast. And I think there’s this old saying, cars go fast because they have brakes. And that’s what the mentality is; we try to make it work. But sometimes today there are too many constraints. So I think that’s what she was looking for, a forward thinker and a business leader.
Guerra: You’d like to say yes all the time but that probably can’t happen. Rather than saying no, you might have to slow things down so the proper security vetting is done. Does that make sense?
Tripathi: Yes, and no. One of the principles that we talk about in my department is how we think of ourselves as the bodyguards of the company, not the guardians. So we’re not here to preach that, “Hey, you should do this.” We’re here to protect. So, speed is of the essence in everything we do. So if you have a security function which is executing fast, and providing a response fast, then people are willing to be patient. But if you have a security function that becomes almost like a bottleneck or a bureaucracy, where things go in and you don’t know when the output would be delivered, that becomes an issue.
When I say speed, I mean speed of execution. I mean you can only run as fast as you humanly can – 100 meters can be run only in a certain amount of time, humanly. But that piece is easy to explain to the stakeholders, versus, “Hey, you know, we’re going to start in a week, then we’ll run 100 meters, and then we’ll stop and do an analysis for a week, and then we’ll let you know.” So you’re just padding on extra time. So we’re very conscious of the work we do, how we respond to our organization. We want to be more approachable, where people are coming to us because things get done fast.
Guerra: Many say there’s a workforce shortage in healthcare IT security. Do you think so? You can only move fast if you have the people.
Tripathi: Yes, yes, absolutely. Kristin has been phenomenal in getting support for the security program. You know, from an investment perspective, resource perspective, and so on, we have significantly increased the size of the security team, many times over; we have significantly increased the deployment of technology, using not only cutting-edge technology, but automation. So a lot of things have been automated, building things in the cloud.
We are working on codifying the policies. The security policies are not stale Word documents, but they’re actually implemented in technologies and providing feedback to the DevOps people in real time. So you can do some of those things. But you’re right, the name of the game is talent. How you attract the best talent. And I can tell you the best talent wants to work in a mission-driven organization. You look at Navy SEALs, you look at US Marines; they’re not there because they’re looking for something from a financial perspective. They’re looking for a mission, and they want to execute. And that’s what we have at Mount Sinai, and our mission is literally patient care, saving people’s lives. So when we’re able to go to market with the clarity of vision, and how we are going to execute to get this organization to the next level of cybersecurity, we’re able to get some really good people. From a location perspective, we have opened up the location, so people who have joined our team work remotely, and we’re able to manage and grow the team that way. So COVID has provided that opportunity that didn’t exist before.
Guerra: Do you have any feelings around the value of the in-person connection, even occasionally?
Tripathi: Right. So, I ran a local team at Citi. Citibank is, I believe, in 200-plus countries all around the world. I worked with many colleagues virtually, never physically met them, for 10 years, and sometimes you’d meet them. And there’d be some off-site and so on. I’m extremely comfortable running a virtual team. It is really not about the physical presence, it really is about your work ethic, and your team’s work ethic. So if you are actually all on the same page, you’re able to execute virtually. But in my view, this virtual and hybrid work environment is here to stay. Our system was able to take advantage of it in the sense of getting the right talent in. Whoever embraces it will be successful in the long run.
Guerra: With people working remotely, it must be even more important to hire well.
Tripathi: Yes, so this is a time of transition being accelerated by COVID. I’m just trying to think of an analogy. Remember when we went from radio to TV? And the first thing people started doing was they started reading news on TV. So that’s just human nature, you emulate whatever you used to do in the previous technology in the new technology. Now, you look at TV news and there’s graphics and feeds coming in all over. So I think that is what’s going to happen to the workplace as well. What is going to happen is you have this pre-COVID workspace where people used to mingle. And now we are in this transition phase, where we’re just trying to emulate whatever we were doing physically. There are these new technologies coming in and it may evolve into something even better.
Guerra: Yes, we’re not going back. So we have to get comfortable in the new world. I’m going to ask you an open-ended question. So from a big picture point of view, what are one or two things that either you’re working on or one or two trends that you’re looking at that may not be on the radar of all of your colleagues?
Tripathi: I’m hoping everybody in the healthcare industry is looking at these trends. One is the trend of ransomware. Recent reports show that the impact in healthcare is higher. And some of the recent attacks can yield huge amounts of loss. So ransomware is a key trend.
The second one is when looking at the [US Department of] Health and Human Services website, you see the cyber-attacks being reported going up exponentially. So that is also interesting to us. You know, if you start calculating probabilities – how many attacks have been reported and how many big hospitals are out there – it becomes pretty scary, pretty quick.
The third trend I’m looking at is, in 2020, you had a lot of reports around intellectual property theft by Russia, Iran, and China related to COVID-19 research. So that is of interest to us, having a state-sponsored incident.
And then the other trend that is interesting to us is, if you look at the volume of PHI data that is being traded on the Dark Web; that is significant. And it yields higher prices than credit card numbers, and so forth. So all of that is really, really interesting to us. And we’re building our program to address those things.
Guerra: Let’s talk a little bit about business continuity planning. It’s not just the numbers going up, as you said, the probability is going up, something’s going to happen. It’s not if but when. What are your thoughts around business continuity planning and the CISO’s role in that?
Tripathi: Yes. So you know, we work extremely closely with our BCP team, with our emergency response team, identifying the critical assets and testing them and so on. So a lot of work is happening. This is one of the things that, thanks to Kristin, we’ve put back in the spotlight. It is so crucial for any hospital to have robust BC plans – be it a cyber event or not a cyber event. So a lot of effort, resources and hard work are being put into BCP initiatives.
Guerra: So IT security is a subset of business continuity planning; you’re a component under the larger overarching entity of BCP. Is that correct?
Tripathi: Correct. Correct. You can have an incident that is non-cyber.
Guerra: Right, right. Very good. Let’s talk a little bit about board relations. I know you’ve written on this and talked about this. Do you have any advice for your colleagues on how they can best interact with their boards?
Tripathi: I think my advice would be, first, try to understand what the board’s role is. There’s some really good books on corporate governance that are worth reading, because that gives you what the role of the board is. And once you understand what they are there for — they are literally there to navigate a company into the future — then you can understand how you fit into that workspace. How you are fitting into the navigation of the company in the future is crucial for a CISO to understand. And once you have that understanding, then you can actually provide the right metrics, and the right updates to the board that helps them understand that as they’re going into the future, will they be faced with a cyber uncertainty? Or will there be an issue related to cybersecurity? So that’s what they’re looking for.
And, again, as we’re going into the future with the board, you’re also looking at revenue expansion. So you want to make sure that you have those sets of eyes, you identify systemic risks that are bigger risks for the organization from a cyber perspective and then communicate that in simple but clear terms to the board.
Guerra: And that’s been effective for you in your career in other industries? That’s the way to go?
Tripathi: Yes, it is. And so, different industries, they value different things. So if you’re working in media and entertainment, fan engagement becomes crucial, uptime of the broadcaster is crucial, so you have to tie your narrative to that. Add to that, if you’re working in healthcare, patient care becomes crucial. So patient care eventually leads to good revenue if you’re doing a good job there. So you have to tie your narrative to that. If you’re working in financial services, it’s financial risk; in a utility, it becomes uptime on the grid, and so on. You have to find that North Star for your own company, and then have your cyber-narrative aligned to that.
Guerra: Well, Rishi, that’s about all we had time for today. Do you have any final message or advice for a CISO at a comparably sized organization who’s working through some of the same challenges you are?
Tripathi: The only thing I would say is, appreciate your team more. And, you know, security jobs are not easy jobs. We have analysts who come in day in and day out, and they’re trying to bat 100% and there’s pressure on them that is put on by these costs and news stories. So, appreciate your teams more. Try to relieve some of their burdens. Create an environment of collective brilliance, so people are trying to do the best job, and then you’ll have a success story.
Guerra: Sounds about right, Rishi. A great interview. Thanks so much for your time today.
Tripathi: Thank you, Anthony.