Published December 2022 –
While funding and staffing for IT security teams may not be on the rise, the number of third-parties that health systems are using – and thus the number of potential attack vectors into those health systems – is, leaving CISOs in the unenviable position of having to figure out how to more with less, says Alfonso Powers, CISO at Asante. To accomplish that, he’s looking at automation and other technologies. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Powers goes into detail on how he manages third-party risk, his experiences navigating a ransomware event, and how he tries to ensure a healthy work/life balance for him and his team.
LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE.
We keep bringing on additional partners, and every time we bring on additional partners, we have another entry point into our network that needs to be secured, given more oversight.
Liability caps in the contracting process always seems to be the holdup. Nobody wants to be responsible if there’s a data breach of some sort.
Well, events like this definitely speed up getting approval for funding. You know, as unfortunate as that is, that’s just the reality.
Guerra: Alfonso, thanks for joining me.
Powers: Happy to do it, Anthony. Thank you for inviting me.
Guerra: Very good. Looking forward to a nice chat. Do you want to start off by telling me a little bit about your organization and your role?
Powers: Sure. Well, I’m Alfonso Powers. I’m the chief information security officer at Asante. Asante is a small/medium health system located in southern Oregon and northern California. We serve about nine counties, including 600,000 lives. And I’ve been with the organization about a little more than six years now.
Guerra: Can you tell me a little bit about your career journey? I like to see how people wind up in the security side of healthcare IT.
Powers: I originally started out my career in IT doing service and support on a help desk. Did that for several years. And then I moved into doing more stuff along the lines of network administration and system administration. Did that for several years. And then I actually did some web development for a while, and picking little different pieces in the IT space here and there. And then I moved on to work for a software development company where I was a network administrator.
And then that’s when I stepped into my first leadership role as an IT manager. In that role, security was just part of it. And back in those days, if you did IT you did security too, and they were seen as one. So did that for about five and a half years. I would say that in about 2012 is when I really started being more focused in information security, and I went to work for a professional services company. And my role there as a director was mostly to grow the information security program. And we did things along the lines of auditing, penetration testing, assessments.
And then moving on to Asante, I got my first job as an IT manager in information security. And I’ve been with Asante since I started that in 2016. Got this role as CISO back in August of 2021.
Guerra: I wonder how the evolution goes from being interested in IT. It seems like for some folks, they get pulled into security from their inclinations and their interests. Or it just happens to be an opportunity. And some stay on the non-security-focused IT track. They still have to know about security, but they don’t make it their whole world in terms of their career. What do you think about that?
Powers: Yes, I think that’s spot on. I have noticed that a lot of professionals in information security usually didn’t start out in information security, and it makes sense to a certain degree because you’ve got to really learn how the systems are built, how they’re constructed on the technical side, to really know how to protect them adequately, in my opinion.And then we see the folks on the other side that do more maybe risk management and those sorts of things. And they really come from more of a business background, really understanding that business side, and they know how risk actually weighs in with an asset and overall value to an organization. So you know, people in IT do eventually just need to specialize and branch out. And that’s what we’ve seen. And it’s beyond information security. We see that now all over with the DevOps, in the cloud space, and other areas. So yes, I think that’s spot on.
Guerra: What are you looking at in terms of one or two trends that you’re seeing? What are some of the main things on your mind that you need to position your organization to deal with?
Powers: I think what probably is on most CISOs’ minds is prevention – particularly of ransomware. It’s our big, big threat out there. So we’re really weighing what we need to put in place from a security control perspective of what’s going to be beneficial and actually prevent that threat. Fortunately, there’s great technology out there to help us get there, and it’s always challenging to get it configured in a way that is going to be acceptable and not cause business interruption. Prevention is really the name of the game. From a technical control perspective, ransomware is our big threat.
The other thing, more towards the business side, is we’re dealing with lower budgets or scrutinized budgets and, in most cases, smaller teams. And so, what can we do to actually deal with that? For me, what I’ve been focusing on is dealing with this concept of how to do more with less – really adopting more of an automated approach. Get rid of those day-to-day tasks that we can with automation, and really just having our resources focus on more things that go beyond the day-to-day.
Guerra: In your mind, is there a difference between automation and AI?
Powers: Yes, in a sense, I do think so. With AI, we’re usually thinking of things that the system is learning how to do and taking some action on that. With automation, we’re more building our responses off the data that we’re collecting from our systems. And we’re making the decision in most cases from a playbook of sorts. So we get a detection, and then on that detection, we’ll go through a criteria of “if else” statements in the playbook. And we’ll take the correct action, depending on what it sees in the data.
Guerra: So we know that there’s a downturn in economics and things are being squeezed in the health system. And I know it’s hitting IT for sure, from what I’m hearing, not so much for clinicians. Everyone’s loath to get rid of clinical positions. I mean, that’s just not something people want to do. I would have thought that they’d want to stay away from security, just out of fear of the breaches and the repercussions, but it is hitting security as well?
Powers: It is to a certain extent. Our budget’s been holding pretty steady. We just haven’t been able to add anything really new. So we’ve just been treading water, so to speak. The challenge with that is security is very dynamic. Things change, the threat landscape changes all the time, the demand on security is increasing more and more. And this is for a health system. We keep bringing on additional partners, and every time we bring on additional partners, we have another entry point into our network that needs to be secured, given more oversight. And so, we have a climbing volume of requests, but we keep the same amount of people. So that’s why we’re trying to figure out how we can address these requests very efficiently using what we have and the tools that we have already.
Guerra: So more partners, we’re talking about more vendors that you’re working with, more solution vendors, which means more third parties, and we know that that’s one of the biggest issues facing CISOs at health systems is third- party risk; absolutely huge. So the number of partners goes up. And what are your thoughts around how to deal with that? I mean, onboarding is one thing, right? We can get our arms around that. But from what I’ve been hearing, it’s that huge number of existing vendors. I can develop a new process, so as they come on, I can get better at that. But I’ve got this huge number of existing vendors. And oh, do I need to check them annually? Do I need to check them whenever they have a material change? And what does that check entail? You talked about automating things. That’s something that would seem very difficult to automate.
Powers: Yes, absolutely. We keep getting a growing number of vendors. We do have a strict process with them when we bring them on. But going back to your question of how do we take care of the ones that have been with us for so long? We’ve done a couple of things with that. Number one is we really have leveraged our contracting process to go back and redo those contracts and – in some cases with our vendors – put in place memorandums of understanding where certain levels of security controls and hygiene have to be met before allowing that access. The other thing is, across the board, any vendor that’s going to access our network now must use multifactor authentication, I mean, it’s just a staple now and in the information security space, you just have to have it. That’s a change for some. Vendors didn’t have to do that in some cases.
The other thing is better oversight of when that access is actually done on our network. So we’ve instituted things such as jump boxes that are segregated from when the connection to the network is made. Then they go from there to what it can be accessed for, depending on what the vendor needs to access. We also put into place several other controls; mostly it’s gone back to the administrative stuff with contracting and making sure there’s a great understanding between the organizations. The challenge we’ve seen with that is usually liability stuff. Liability caps in the contracting process always seems to be the holdup. Nobody wants to be responsible if there’s a data breach of some sort. So that’s always challenging. Fortunately, we have some talented folks that negotiate that and make it happen.
Guerra: So those connections between you and the CIO and legal, and compliance, I mean, there’s just a huge number of folks that you as a CISO need to be really interacting with that perhaps 5 or 10 years ago just wasn’t happening. It wasn’t necessary.
Powers: Yes, spot on. There’s no longer a siloed mentality in information security, and you have to partner across the board with other leaders, senior leaders in the organization. The CIO, our chief medical information officer, chief legal officer, chief privacy officer, all of these folks are crucial to building your culture for information security and being successful.
Guerra: Let’s talk about this whole third-party thing. Do you find that this creates some friction, or some issues with the business owners as you’re trying to make sure these apps that are coming on board are properly vetted from a security point of view? And now we mentioned the whole thing about going back and dealing with everyone. Talk about the level of involvement between IT security and the business owners. You know, it’s almost like a three-legged stool. You’ve got IT security, you’ve got your internal business owners, then you’ve got the vendor of that particular product. Do you find that you’re still working through how that’s got to proceed for an efficient process of these third-party reviews?
Powers: Yes, there’s no question about that. So what we’ve seen is, the business owners don’t really care in the sense of they don’t really know about information security. They don’t know about the IT stuff. All they know is, “Hey, I got this new system (or whatever it is) I’ve got to bring online to fulfill my business operation services.” So they’re doing that. And then we as security practitioners have to go out and say, “Okay, we’ve got to do all these checks and make sure it’s good before we actually allow that onto our network.”
So there is a little bit there with that. I’ve got some great people on my team that actually do the assessments and whatnot, to make sure that the system is going to be good before it goes on the network. But as a senior leader, my job is really to then interact with that business owner, make sure that they understand why we have to do this and make sure that we’re all trying to get to the same goal, which is to provide outstanding patient care and really make sure that that patient knows that their data is actually safe with Asante.
So we have a very good awareness program internally. We really get the message out to the clinicians and other business owners across the organization, whether they’re in the clinical space or not, to really know what we’re doing and to be there and answer their questions, if they have any around information security. When I first started in 2016, there wasn’t a lot of cultural awareness around information security, to say it bluntly. Now, anyone you ask, I would say, is very aware of what we’re doing and why it’s important. And we definitely don’t want to have a big data breach and be front page news.
Guerra: Yes, I mean, there’s no question that the big data breaches have helped IT security professionals to get their jobs done. It’s almost like a chicken and egg thing or a circular pattern where, you know, you need to do things in order to protect the organization. The news coming out about when those breaches happen helps you get that done, because everyone knows about it. You don’t have to be an IT person. Everyone reads about health systems being down for months, tens of millions of dollars and that helps you to get things done.
Powers: It definitely does. You know, I don’t like going in front of the board or my boss (I report to the CIO). I don’t like going in front them and using the FUD (fear, uncertainty, doubt) model to pitch any ideas. But you know, nowadays, I don’t even have to do that because it’s out there. And they know about these things. So the question isn’t why we have to do these things, it’s more of what do we have to do to prevent these things? And so you’re in a much better position to go and pitch an idea – when that’s the thought process – to the board and the higher level executives.
Guerra: You talk about communicating with those business owners. I think they can get their minds around a new vendor coming on. I’m guessing there’s a little more friction in a renewal of licenses with an existing vendor. And you come in and say, “Well, we have a new process now because there’s more risk or whatever. So we need to look at this differently. You can’t just renew the license. We’re using this as a tripwire to get these guys checked out with our new vetting process.” So that takes a little more discussion, right?
Powers: Oh, absolutely. And, you know, it always introduces, well, the fear on the business owner’s part of, “is this going to introduce delays and we may go beyond our renewal.” And so what does that mean? And yes, that’s typically what we see is the renewals don’t get processed until they’re due at zero hour, almost. We get stuck in this weird spot. We don’t want information security to be seen as a roadblock to getting things done. I mean, there are times when situations like this arise. And, we’ve been customers or partners with this vendor for an awful long time; nothing bad has happened. So we can put a contingency in place that we’ll just move forward, but we will still assess and then address findings as we go. We’ve done that model with several of our vendors that we know have been strong on the information security front. And that seems to work pretty well. But yes, the sooner you can get out ahead and communicate this and get in front of the business owner and have time on your side, the better it’s going to be for everyone.
Guerra: Yes, so you’ve got to find out almost proactively when licenses are coming up, so you don’t get that last second email that says if we don’t renew tomorrow, our costs are going up by 50% on these licenses, and you’re pressured to just rubber stamp it.
Powers: Yes, that’s right. That’s right, and it happens quite a bit, actually, that zero-hour email. And it’s surprising, but everybody’s busy. And not to make excuses too much, but the last several years have been very tough in healthcare. The clinicians have been focused on patient care. And a lot of times these things slip through the cracks because they just don’t think about it, because it’s usually business as usual. And then all of a sudden, it’s like, “Oh, yeah, we’ve got to take care of this.” And that’s what happens.
Guerra: So it’s an interesting point you made, which is, if this has been a vendor that’s been with us for a while, and they’ve been fine, we’re going to take that into consideration in terms of, “Okay, you can renew those licenses, we’re still going to do our process, but we’re not going to prevent things from moving forward.” If you had a different scenario where perhaps there had been issues, might you handle that differently? Could there be other scenarios where you would not want to go ahead?
Powers: Yes. And it would be a couple of things. We do use some third-party vendor management tools that let us assess a supplier’s risk from an information security standpoint. We may see that there’s been reported data breaches or something that may have happened with the supplier. If that comes up, then yes, we will pump the brakes and we will do a thorough review and make sure that things are handled. One thing I’ve seen though, is usually when an organization experiences a breach of sorts, or some security incident, they do a really good job to make sure that things are now where they should have been before, or perhaps they had a social engineering attack or something that got through. But by and large, after an event happens, the security hygiene is drastically improved at a supplier.
Guerra: I find it very interesting. It’s almost like a dichotomy. So I speak to a lot of CISOs and CIOs at health systems and the attitude that we all have is, if you’re doing your best, that’s great. You’re following NIST, you’re following some guidelines, but things are still going to happen. You’re going to have breaches, and we get that, and we’re very forgiving. But at least now, I don’t know if that is extending to third parties. The attitude is just a little harsher when it comes to third parties, but perhaps they’re due, as you mentioned, the same forgiveness if they’ve really tried as hard as anyone else. What do you think about that?
Powers: Yes. And it actually happened with Asante. We had one of our third parties – we call them Community Connect in the Epic world. (We use Epic as our electronic medical record system.) And these are other health systems that actually use our EMR to facilitate their own patient care operations. Well, we had one of those fall victim to ransomware. And we had to do a very thorough investigation on our own network because they were connected to it to make sure we were fine. But coming out of that we put in place contractually better information security hygiene requirements for this partner. And they went all in, they’ve done a ton of stuff, to the point where we meet with them quarterly now to go over what they’re doing.
It’s incredible what happens when any event happens at some place; it really just opens the eyes of others. Leaders not in information security know that in the back of their minds there could be something like this, but it’s not something they’re thinking about all the time, until it happens. And then it’s like, “Oh, my goodness, what do we need to do now?” So we’ve experienced that. And we’ve seen what an event will do to a third party.
Guerra: I’m guessing it’s just like everything else. You want them to be doing the best they can; doing everything reasonable. And then I would imagine, you definitely want that communication as soon as possible. You don’t want to find out they sat on something that had you exposed for longer than they needed to, correct?
Powers: That’s right. In this particular instance, that happened. Asante actually wasn’t informed of something that happened for about eight hours after the initial event happened. So going back to that contractual language, we now have a line in there that within 30 minutes we need to be notified if something happens. And you know that been good so far. And you’re right, because everybody’s behind the eight ball after a certain amount of time. After eight hours goes by, your network could be compromised, for all we know. It’s very difficult to remediate.
Guerra: Were you the CISO or was it David (Kennington) at that time when that went down?
Powers: So it was actually David. I was the manager at the time. And we went ahead and we worked very closely together. And we just did what we had to do, but it was a very stressful, stressful time.
Guerra: You know, at that time, I’m sure it didn’t feel good, but in a certain way to have that on your resume is very beneficial, in a sense, because how many people have gone through it, worked through it? And now on the other side, you have a perspective that not everybody else has?
Powers: That’s a great point. And it’s true. Going through it really does bring to light the things that you need to have in place for better prevention. You know, prior to this, we didn’t have a couple of what I would call core technologies that deal with the ransomware threat in place. We had a lot of good ones in place. But we just had a couple of gaps. And those gaps were identified by third-party assessments that we do routinely and everything, it just becomes a matter of funding and getting it approved. Well, events like this definitely speed up getting approval for funding. You know, as unfortunate as that is, that’s just the reality. But yes, going through it, you get all this good information. And then you know exactly how to put stuff in place to deal with the threat. And that’s what we’ve done.
Guerra: You talked a lot about prevention, but I’m sure, from going through that, a huge part of being prepared is being prepared to respond, right? Well, we tried to prevent it, it didn’t work out. Now, what are we going to do? Do we have to take systems down? Have we prepared the organization for what that might look like? And I know there’s only so much that can be done from the IT side, and even IT security, to make sure that the organization is prepared to go to IT downtime procedures, meaning we cannot use the application that we’ve used to do deliver our service or care. What do you think is security’s role in making sure that your organization is prepared to go to paper? How much do you have to do to ensure that when you say, “Guys, I got to shut us down,” that they have any clue, or they’ve done any practicing, on what to do?
Powers: Good points, good questions. So this is very much a joint responsibility across Asante as far as being prepared for this incident. So information security’s role for our downtime if we have to go to paper is really to make sure that backups are good, that they are stored properly, and the integrity of that data sound. We have a hospital emergency operations team that does have those protocols in place for paper. But we also have a separate informatics division that handles all the Epic stuff that has to go to any downtime procedures. So it’s very much a joint effort across the board.
Additionally, information security at Asante is responsible for coordinating those tabletop exercises, those walkthroughs to make sure that everything is prepared. We also go through doing other simulations with other systems. So for critical systems, we’ll typically do restore exercises on them. And we do annual disaster recovery exercises with the EMR. So actually working on the backup system.
So all these things go into annual exercises that are documented and just are used to say, “Okay, we’ve done this in the event that we may have to go to this or these things at times.” In late 2020, in the fall, we had a wildfire in Southern Oregon burning nearly to two towns down, and it within two miles of the hospital. And we had the realization that we may have to actually activate a plan like this. And I will say that when that happened, we were more prepared than I had expected because of these drills and these exercises we have done. Now, yes, it would have definitely been chaos and everything like that, of course. But you know, it was a little testament to some of the stuff we’ve done over the years, leading up to disaster recovery planning.
Guerra: So you actually felt more comfortable based on the work you’ve done – not perfect – but you felt like, “Okay, we’re not completely lost here.” As opposed to having that other feeling when a wildfire is coming close, and perhaps you’re looking for the playbook and you can’t find it and you realize it hasn’t been updated.
Powers: Yes, absolutely. And I think instead of thinking, “Gee, are we going to have the systems and the technology to facilitate patient care,” instead of that being the major concern, it was more so the facility; you know, the offices, the rooms, the surgery rooms, all those places, had the wildfire reached, that is a serious thing because Asante is a level-two trauma center. And we do take on a majority of patients in this area.
Guerra: That was the Katrina thing in New Orleans where they had to leave, got to get out of the hospital, the patients have to be moved.
Powers: Yep, that’s where we were.
Guerra: We only have a couple of minutes, actually, one minute or so left. I would like to end on a lighter note, work life balance, which doesn’t necessarily mean a lighter note, right? That’s a very serious issue burnout. They talk about it with clinicians, but I can’t imagine anyone is more prone to burnout than CISOs. I really do. I mean, you could probably just have this consuming your mind 24/7. Anything can happen. I read somewhere where you said you enjoy golf. So I mean, that is something that can take you away as long as you’re not one of those guys that’s taking business calls on the course the whole time and annoying your partners (laughing), but anyway, what are your thoughts on work life balance and making sure that you, as a security professional, get that mental break and perhaps, you know, push the reins off to your director or someone who works with you and say, “Let me know if there’s an emergency, but I think you got this for the next day or couple of days or week.”
Powers: Work life balance is very, very important. I do like golf. That’s what I do play when I’m not working. And I’m very fortunate that I have people that I work with that I can trust and do exactly that and say, “Hey, can you take this on for me while I’m gone?” In fact, I’ve had several people just volunteer that for me, just from making good friend and peers across the health system. So that’s been absolutely great.
I’ve actually extended the work life balance concept to the team, because we’ve been having smaller teams dealing with a lot more stuff. And so we’ve been considering things like four day work weeks, for example. That something we were entertaining; we are thinking about that. I mean, that is something that’s crucial to making sure that all your staff is able to just disconnect and do things and, you know, three days off’s a lot better than two. And now, having processes in place that can stagger that appropriately across the workload is great.
So, I’d say one thing that has maybe backfired is that before the pandemic, we were all in the office, we were working and we go in, we put our time in, and we’d leave. Well, now we’re all working remotely, in front of our computers all the time. And I could make a good argument that we’re working more than we were before. People are getting up earlier, they’re at their desk, they’re working a lot. They take their breaks, they come back to even pick it up at night after dinner, because it’s just there. So it’s really making sure everybody understands, “Hey, just do your work and take your time off and get away from it.” But that’s been a backfire of sorts, people have been working a lot more than they were before.
Guerra: I totally agree with you. I think people are working harder than ever, and not getting even those small breaks that you would normally get in the old world. Because you can have those Zooms back to back to back to back. I mean, I’ve talked to people who say they’re in meetings 10, 12 hours a day and really, very mentally fried at the end of the day. Not well. Not healthy. So yes, that’s something to be cognizant of. Alfonso, wonderful interview. I want to thank you so much for your time. I’m sure our folks are going to enjoy it.
Powers: Really appreciate it, Anthony. Thank you for inviting me.