When it comes to IT security at hospitals, the third and even fourth-party risk involved has expanded the front line from a moated castle to everywhere. And that’s not easy to protect, says Jason Elrod, chief information security officer (CISO) for MultiCare Health System. But protecting patient data vulnerability is the mission — and zero trust is going to reveal itself as the standard approach. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Elrod talks about how he has defended MultiCare Health System for the past 12 years. He starts by closing the perimeter with identity and digging in stakes with a solid zero trust journey. Elrod knows there’s no silver bullet out there, but he is aligning with federal regulators on zero trust by using NIST CSF. He then beefs up his IT talent by getting deeply involved in the recruiting process, and builds relationships with cyberinsurers.
LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE.
“As you get to a second- or third-party and that supply chain of a solution, the importance of that third-party risk management grows.”
“In order for the perimeter to scale, you have to shrink it all the way down, you have to be more atomic with your perimeter, the individual identity, in order to scale it, wherever it may roam.”
“For me, zero trust is a strategy attitude methodology that relies on a trail of techniques and technology.”
“I think the best way to do (cyber-insurance) is not to think of it as an adversarial relationship, because it’s not at all.”
Guerra: Jason, thanks for joining me.
Elrod: Thank you very much, Anthony. Happy to be here.
Guerra: Why don’t you tell me a little bit about your organization and your role?
Elrod: Excellent. I am the vice president and chief information security officer for MultiCare Health System. We’re an 11-hospital system based out of Tacoma, Washington, and our area of service is primarily the Pacific Northwest.
Guerra: I find CISOs have sometimes very interesting career journeys. Why don’t you tell me how you wound up in not only technology, but healthcare and security? How did you wind up in that very specific place?
Elrod: So I wrote my first computer program back in 1979, and that was on a system called a Commodore PET.
Guerra: Okay, I had a Commodore 64. I didn’t do anything with it. But I had it. Go ahead.
Elrod: My dad was a programmer for the Department of Justice at the time, and we had access to it. So I was very lucky, from that standpoint, to have early access to technology and computers. Today, I tell my kids, you know, “Back when I was your age, I had to type my video game in by hand, it took me four hours uphill in the snow both ways, no shoes, and then it wasn’t fun. We couldn’t save it and we had to do it again.”
So long time in IT, a longtime technologist, longtime love of technology. I would say that, professionally, I’ve been in IT since probably the mid-80s. And I began my career in finance. I managed data centers for financial organizations at the time, back in the “You’ve Got Mail” era, and had an ISP back in the mid-90s to the year 2000 crossover. And it was during that time, when you were running an ISP early on, that you find out there’s nobody you can call when somebody hacks your system. Nobody out there. And so that’s when I really dove deep on the vertical of security. What does it take? What’s happening here? How does this impact not just the IT aspects of it, but that was that further specialization back there, mid-90s. Then, I’ve been in healthcare doing this job probably the last 12 years, now with a focus of information security in healthcare. So that’s a journey. So from way back when on the little green screens to now.
Guerra: Tell me about the switch to healthcare. How did that come about? Did you always have an interest in healthcare? Or was it just a good opportunity?
Elrod: I think it was probably a little of both. At the organization where I was before I came here, I had the opportunity to come in and audit the organization, or a chance to come into the organization and stand up their SOC. And at that point, my wife was like, “Hey, our kids are going into high school. And it would probably be a good idea if you traveled less and settled down into that more.” So interesting thing there. I didn’t really have a plan more than the 18 to 24 months to come in and do that stand-up; just this point-in-time item. But somewhere inside there, you get connected with the purpose. And you start realizing that in healthcare, there’s really a one-to-one relationship where you can use your tradecraft in IT or in security and have a real-world impact on people’s lives. You know, helping protect people when they don’t feel well; helping them feel well-protected; helping them feel a bit safer, when maybe they don’t feel safe. And that really brought out the defender in me and I developed an incredibly strong connection to healthcare. And so security in healthcare was just a match.
Guerra: That’s great. So connected to the mission. A high-level open question here, you could take it whatever direction you want. From a big picture point of view, what are either a couple of the big things you’re working on, or the most compelling or interesting trends that you’re looking at and following?
Elrod: I think I’m going to take that the former. So what am I concentrating on right now. And that really is third-party risk. Because more and more, we see our solutions that we consume as an organization as being composed of other solutions. So as you get to a second- or third-party and that supply chain of a solution, the importance of that third-party risk management grows. So your due diligence has to push out there. So your thought around what is the perimeter for my security is blown away. It’s no longer a walled castle or a walled village with a moat; the frontline’s everywhere. And so what you end up having to do is say, “Well, how do I push that security, privacy, compliance risk management boundary out as far as I can? How do I move that from not only just where I’m at right here, but understanding that the boundary that we work within is now pushed out to maybe second or third parties? So how do we do that? And how do we address that?” So that’s of big importance right now, and things like zero trust comes in to play there.
Guerra: Okay, so yes, third party risk is huge. I’ve heard people talk about the concept of the perimeter no longer being a reality, there is no perimeter, right? It’s not the castle and moat anymore. And when I hear them talk about that zero trust comes up, we can talk about that more, but also identity. Do you see identity being a major component now of managing a zero trust type world where there is no edge, no perimeter.
Elrod: Funny you mention that. I say identity is the perimeter. And really, who should have access to data? Where, when, what, why, to what extent, for how long? So data is always the asset. Identity — that’s an entity, right? That could be an individual; it could be an application; it can be a system. That’s the perimeter: identity. How can I be assured through identity assurance that this identity should be able to interact with this data? And the specific controls that we’re going to look for are based on the classification of that data.
For instance, if it’s the public notice, or something goes on our website, well, you know what, I expect the identity of everybody we want to see it to see it. And the protection because it’s public is probably copyright, don’t copy it and say it’s yours. So it’s a very weak protection, we’re looking for integrity around it in some ways to make sure that it’s not changed, or the message is not adjusted. But on the flip side of that, let’s say it is protected health information, PHI, we want to make sure that only this specific care team, all those people involved in delivery of care, have access to it when they need it for that purpose. So you’re going to shrink that way down and say, “Okay, look, the data is now confidential. So I want to make sure that the identity of whomever or whatever is going to interact with that is properly maintained.” So it’s interesting. So in order for the perimeter to scale, you have to shrink it all the way down, you have to be more atomic with your perimeter, the individual identity, in order to scale it, wherever it may roam.
Guerra: Now, I don’t want you to name any vendors, but is identity management difficult to achieve? Is that hard to do?
Elrod: The short answer is yes. It’s hard to do.
Elrod: I might be able to properly identify you, or me, or get a posture management of a device and get to understand what that is. But being able to do that in a holistic fashion that I could then take that perimeter and properly apply it to certain data or access elements, that’s the difficult part. So whereas internally to our organization, I might say, hey, look, I’ve got really good identity proofing. I know, Jason’s Jason, I know Anthony’s Anthony. And remember, we talked about third party; how do I make sure I push out that I trust their identity proofing? And then one farther? How do I trust their identity proofing of the identity proofing that is third-party, fourth- party plus? So having a consistent mechanism, which will recognize that that identity is truly valid, and then applying that to the very specific data set, that’s the difficulty. I mean, I think component-wise, the pieces are out there. I think putting them all together, especially when you look at legacy items, that’s the difficulty.
Guerra: I think I have heard it said that there is a fractured vendor environment there where there’s vendors that have different pieces, but nobody’s really put it all together for you? You have to do a lot of work after you buy the little pieces?
Elrod: There’s a lot of integration work that needs to be done. I mean, think about it this way, Apple would like everybody to use Lightning as a universal port. Why? Because Apple benefits from it. And then other folks might say, “Hey, I want to use USBC. You know, until we can all get to the idea of like, we have one charging cable, and one data transfer cable, it’s difficult to say, yes, these two are one for one without something pieced in between. How do I get an adapter to put the two together to make it work? That’s a physical representation of it. But it’s that same idea. There’s not really a congruent incentive model for an organization that’s a major player to play with another major player if they’re vying in that space.
Guerra: You also mentioned zero trust, is it accurate to say identity is a component of zero trust?
Elrod: Yes, it’s a foundational component.
Guerra: Okay, so, zero trust — we’ve done a number of webinars on zero trust — it’s is a journey, a direction, especially in healthcare. It doesn’t sound like people are extremely far along in that journey, that either they’re starting it, they’re working towards it, they believe in it. And again, it’s just something you work towards every day. Is that how you see it as well?
Elrod: I think, for me, zero trust is a strategy attitude methodology that relies on a trail of techniques and technology. Because it’s not a single product, it’s not a single solution. There’s no silver bullet out there. I haven’t encountered it yet. But you have to have an attitude of methodology; the attitude that I’m going to shrink that perimeter to identity. And I’m always going to have maybe a continuous authentication based on the type of data they’re accessing and where they’re accessing it. So, I can authorize you. But I may change that authorization depending on the access you’re asking for, and that’s going to shift between which systems you’re accessing. And again, that’s where we start talking about different methodologies and different techniques in order to do that. Identity still remains the core piece there. You need to know who or what is accessing the assets.
Guerra: It seems to me like everyone is looking for the roadmap, the best roadmap to follow as far as security goes. So you know, a lot of people talk about NIST, you mentioned zero trust. Obviously, there’s HHS’s 405(d). What do you think about that? Is this our gold standard? Is this the roadmap we’re adopting, especially smaller organizations? There are a few different pieces out there — what guideposts do you recommend working towards?
Elrod: That’s a great question. And I think it’s going to be different based on the size of your organization. So organizationally, we follow NIST cybersecurity framework CSF. And you have NIST 800 53 REV 5. I’m throwing out numbers, right? It’s a list of about 1800 controls you could possibly use to actually meet the requirements there of the NIST CSF. Why would you do that? Well, a lot of our agencies that enforce compliance, OCR, OIG, that’s the framework they use. And so when they say, “Hey, this is the framework to use. This is government-accepted and approved.” So we’re going to work towards that; not just have something that’s aligned with it, let’s use it.
And then I think, organizationally, that friction between the audit capability of agencies, and the program or framework you’re using is much easier. You get rid of some of those connectors, right, because I’m using the actual one that they use, so they’re familiar with it. And so you can have a common lexicon and have a common conversation when that comes up. So we follow NIST CSF.
You also mentioned 405(d). So here’s where you’re talking about, you know, I don’t think there’s any organization out there anywhere that applies all of the potential controls that you could have in there. And some of them, the reason why, is they just don’t apply. They’re not something that would be applicable to the organization or healthcare. So not all of that is applicable to healthcare, but the parts that are are the ones we adopt, and the ones we use. Now, 405(d) is going to talk about what aspects of those controls make the most sense to deploy in a prioritized fashion. So you’re a smaller organization, you probably should have these controls first, that’s when you get those done, then move on to the next, as you grow in size or complexity in your organization or potential impact for having a breach, then yes, you’re going to want to increase those controls accordingly. And they do provide a free good stair-step approach, small, medium, large. And once you hit that large, you’re also talking about what are the nuances of not only my vertical, but my individual organization and how we operate in the theater we operate in too, Pacific Northwest healthcare, not for profit. So how does that look? How do we want to make sure that we’re applying it. So frameworks are great starting points, they’re not the endpoint, and are not the end all be all, nor should you actually do them, you know, lock stock and barrel, exactly how they’re written. You should actually take those as a start and apply them in a fashion that makes the most sense for your organization.
Guerra: Is zero trust the true north we want to move towards?
Elrod: I think zero trust is a mechanism, again, an attitude methodology and a process by which you’re going to achieve those things of a good security posture, and privacy posture, strong compliance posture. NIST has a zero trust framework. It’s out there, I actually find it pretty good. So, if folks wanted to go out there and say, “Well, what should I include in my zero trust journey?” Start there. It’s already aligned with something like NIST CSF. And those are the controls. What controls make the most sense as applied to that zero trust architecture? I think eventually zero trust is going to be self-evident.
People will eventually be saying, of course we do it that way. Why wouldn’t we do it that way all the time? We always do that. Light switches, you flip them on, the light comes on, you flip it off, the light goes off. It will be self-evident. Right now, it’s not. But as we move more and more to that distributed boundary, the more you’re going to have it. It’s just going to be self-evident. Like I said, I think it’s an inevitability. And it’s the right way to go because that’s the direction. That’s the direction you need to go to cover the threat landscape. So I think that’s the right way today, but I don’t think it’s the end all be all. But I do believe it is a good true north by which to apply to your program to make sure you’re hitting all your compliance items inside your framework as well.
Guerra: That’s zero trust as NIST has defined it?
Elrod: I think it’s a good model.
Elrod: I do think it’s a good model, I think, especially if you’ve not been following it for a long time, or not being really steeped in it. It’s a great starting point. And it’s a good framework to have.
Guerra: Insurance. So you talked about working towards compliance and it made me think of cyber insurance, which is a huge issue with prices going up, protection coming down. All kinds of things. A very difficult situation. Do you have any thoughts overall on cyber, some people are saying, hey, it’s not even worth the money anymore. We’re just going to self-insure by putting away what we would have spent on premiums because they’re so exorbitant. And we saw now, I think it was Lloyd’s, they put out the word that they weren’t going to pay for any nation state attack that’s related to a country at war, and there seems to be so much wiggle room in there in attributing who’s perpetrating an attack, that there would be lots of ways to get out of paying a claim. But what are your overall thoughts on cyber insurance?
Elrod: I think it’s necessary. I mean, contractually, oftentimes, you’re going to see it as part of the contract. You must carry so much liability insurance around cyber and stuff. So it’s not something you can opt in or out of anymore. You really have to have a mechanism. So you mentioned self-insuring or going with an underwriter or an insurance company to help you out there. I don’t think you can avoid it. And I think the best way to do it is not to think of it as an adversarial relationship, because it’s not at all. I think it’s worth working with your underwriters, working with your insurance company to say, okay, great, here are the most probable loss events that we would experience in an organization, let’s say it’s ransomware or it’s a loss of business continuity for a little bit or business downtime due to a cyber event, it’s working with them say, okay, great. Who? Who would you suggest we work with from an incident response standpoint? Who, as our underwriters, our insurance partners in this, do you suggest to help us get to that better security posture so our overall organizational risk is less?
When you focus on organizational risk, not just technology risk, how do we address that in the context of cybersecurity? When you do that, I think you have a healthier relationship with that insurer and a much better conversation, because you can say, “Okay, great, here is our assessment. Here’s where we are focusing our efforts.” You can reach out to your underwriter or your insurance provider and say, “Hey, from your perspective, is this where we should be concentrating, or do you see something different?” So I think it could be very collaborative. I think you want to be in a partnership, versus, “Hey, I’m going to do this, and they’re going to try and wiggle out of it.” I think the more you involve them sooner, the less likely that becomes an actual problem. If you’re totally not having the conversation, then yes, it could be a surprise. But if you’re having that constant conversation, you’re having that touch base, you’re going to be in a much better position.
Guerra: I mean, they almost wind up helping you out in terms of doing a gap analysis for you, right? They’re coming in, they’re looking at you, and they’re going well, you know, we can insure you. But you’ve got to do A, B, C, and D first, and you go, Huh, that’s a good point. And then as you said, you could start a conversation around well, can you recommend anyone? Does it go to that level? You say, “Who do you recommend in these areas?”
Elrod: Yes, I think that’s viable if you don’t already have those strong partnerships. Definitely say, “Hey, who have you worked with that was able to provide these things in a fashion that you [the underwriter] knew they were done well. You knew they were in place. So if something were to happen — bad things happen — threat actors are always out there. You knew that we took all those reasonable steps, and we did everything we could. And you’re comfortable with it, as much as we’re comfortable with it.
Guerra: That’s a great point to try and get to a partnership relationship with an insurance company, because you’re sure as heck going to want to be in that framework with them if something happens, right? You’re going to want to reach out to them to help you get through this. Yes, they’re going to be paying some bills, hopefully. But even beyond that, I would imagine they could be a great resource for you in terms of navigating that recovery.
Elrod: And then they’re going to have that perspective across the industry and across industries. So they’re going to say, “Hey, this is what’s working over in retail, this is what’s working in manufacturing, this is what’s working in finance. Hey, this is what’s working in other peer organizations of your size in healthcare. So they’re going to be able to provide you with some perspective that maybe you might not have because you’ve got your nose down on your vertical. So I think that’s the partnership you want.
Guerra: Yes. Very good. Alright, let’s switch gears a little bit. I noticed that in the past you have posted on LinkedIn for open job positions, if I’m not mistaken, which I see more and more now. It’s pretty cool. I think that CISOs and other IT executives are going direct, as it were. I’m sure HR is involved to some degree in what you’re doing. But it’s not as it used to be in the past, which is you call HR and say I have an open position, and they send you a batch of names or resumes at some point. This is you going direct, again to your network. And you know, you get likes from lots of people. So we know these things can exponentially distribute to wider audiences. I don’t know about the results, or how that works out for you. I would imagine it has some potential to work well. But I wanted to get your thoughts around that. And possibly how you’re managing it with HR, to what degree they’re still involved. And your advice for other CISOs about leveraging this mechanism because we know there’s a talent shortage. So this is a new and interesting way to find people for open positions.
Elrod: It’s 100% a partnership. So in any organization, you have your HR group, and you have your recruiting group, and you’re going to say, Well, here are the positions. Here’s the specific talent profile I need. Here’s the job, and you put that out there. But not everybody can be an expert in the things that you’re an expert in, that you need them to be an expert in, that you need to get expertise in, onboarded. So I think it’s very important for security leaders to step out of that box of like, hey, I’m up on this particular ivory tower,” whatever it is. And actually, I call it, “leaping logical levels laughingly.”
You need to be able to come down and say, hey, you know what, these are the types of personalities and talent profiles and experience we’re looking for, and make yourself available to help with the assessment of that talent profile. You could be a pen tester. And as an example, I don’t have one of these roles open, but let’s say I did. And I could say, hey, you know what, I want somebody specific with these types of technologies, this type of background, within healthcare, within maybe highly regulated areas, and knowing maybe some more of the nerd knobs that I would like to see them talented in, than say my recruiter who knows, some of the work, but their expertise is not necessarily in cybersecurity, and definitely not in red team pen testing and application security space. So they may not be able to suss out individuals who otherwise might have been opted out because of the lack of, I guess I call it a paper ceiling, right, you don’t have the degree, you don’t have the certification. But in the conversation, you might have a portfolio, you might have a reputation, you might be extremely talented. But you wouldn’t be able to pick that up if you didn’t have experience in the discipline. And I’m talking about the discipline of cybersecurity here. You’re going to be able to pick that up like, hey, this person is a paper tiger of certifications, but that’s all show no go. And vice versa, hey, this individual is awesome. She has the experience here, she should be on our team regardless of any lack of certifications. So I think when you have the expertise in an area, you should apply it. And in my organization, anybody in my organization can come talk to me at any time. Starting that relationship even before the hiring process pays off in spades.
Guerra: So when you do those postings, it’s a reply to me, so to speak, not a here, you can send an email to HR?
Elrod: So, I’ll post it out there and say, hey, look, you know, feel free, skip all of that automated stuff and reach out to me, let’s talk really quickly and see if this maybe is the right role for you, or maybe not? You know, because maybe you match everything on there. Then we can talk about the role and where it is maturity-wise expectation, you know, what we expect from the role specifically may be a little bit different than the interpretation of what the job posting might be. I’ll be able to align expectations a little bit better before then. And if it’s a match I’ll say, okay, yes, now go over here and go and put that application in. And I’m going to tell my internal recruiter, hey, you know, look for an application from Anthony. I’ve had a conversation with him. I’d really like the rest of the team to meet this individual and run him through the process. So in a lot of ways, it is almost the golden ticket. Because you’re getting around a lot of those components. But I think we’ve missed a lot of diamonds in the rough, and I’d like to find those diamonds.
Guerra: Excellent. Where are you with remote work? Does it depend on the position? Do you like to see people once in a while or are you fine with 100% remote, I’ll never meet you?
Elrod: All of my positions are remote first. So if I gathered everybody in a room, we would just be together remote from the things we’re doing anyways. I’m not necessarily going to say one way or the other way that it should be all in office or hybrid or whatever it is. But from my perspective, I think remote works. If it works for you, then yes, you know, it works for me, and you’re going to be more productive if you’re in a more productive environment. And so all my roles are remote first, then. Yes, I go from there. I’m a big remote work person. I’ll put it that way. Now, I do go into the office, and I do have aspects of it where I have to do it. And there will be expectations to occasionally get together as a team because I really do want to actually see how tall you are (laughing) and have that one on one conversation. It’s not strictly boxed in by, say, a meeting agenda. Fifteen minutes, we’re going to talk about this, and then we’re out. I think you do get some better bonding when you have one-on-one time with the person, but it’s not a requirement for most jobs. Make sure you’re good with your team, make sure you have that camaraderie, make sure you understand what’s going on in each other’s lives. And work life balance. And I think that’s important. But yes, remote first, doesn’t matter where you live, necessarily if you’ve got the talent profile, and you’ve got the motivation to do it.
Guerra: Well, it certainly gives you a much wider, much larger talent pool, right? You don’t have to just draw a small circle of 60 miles around your health system and say, “This is where we can hire people from.” You essentially open it up to the entire country, if not larger.
Elrod: You have less power; you have less competition. So I’ve been in the situation where I was at a nonprofit healthcare system and we had to compete for the same talent pool that Silicon Valley was after. There was definitely no way I was going to pay the same thing as anyone like, you know, Facebook, or Apple or Netflix or Google, I mean, I can’t compete there. But you know, if I don’t need to, I don’t need to. Because if I go remote, I can get the same caliber of talent to come work for us. And yet, they can stay there with their families and their communities and actually grow like that. So it’s huge, because it makes a big difference in the quality and ability for organizations like mine to be able to have that top tier talent.
Guerra: Well, you’ve also got a better mission than Netflix, a little bit more noble there. Not that we all don’t watch it, but it’s still a little more meaningful in healthcare, probably. Amazingly, we are just about out of time, I’m going to ask you one more question. And then I’m going to let you go. Just a final thought, final piece of advice. Picture a CISO at a comparably sized health system, what’s your best nugget for them as they try and navigate today’s challenges?
Elrod: Gosh, I’m gonna say, get wickedly good at the basics. And crowdsource. I’ve made that comment: everybody in this organization, when it comes to cybersecurity, works for me. So get really good at the basics and crowdsource internally. Because you’re going to find a lot of people, a lot more visibility and a lot more talent than you ever thought you knew you had.
Guerra: You told me earlier about hiring, about bringing people in.
Elrod: I’m hiring; and even on operational aspects you need to bring people into cyber. And on my site, let’s use service desk as an example. That’s a security function. They know when the type of tickets that are coming in are normal tickets. They will notice if something is a little weird for our physician population, or a little bit weird for our networking, they’re going to be able to have those initial indicators of compromise way before anything else. And I think, take advantage of it because that knowledge and talent’s out there. You’re going to find a few folks that not only have they noticed, but they’re going to develop that passion for cybersecurity, and that defender’s mindset and they’re gonna be your passionate defenders that are going to really come up through the organization and make your system better.
Guerra: Like the canary in the coal mine. That’s the help desk, right? They have that indication of when something’s going on. Jason, fantastic interview, wonderful talk. I think people are going to really enjoy it. I want to thank you for your time today.
Elrod: Thanks, Anthony. It has been my pleasure.