Published February 2023
Paul Curylo, VP/CISO, Inova Health System
Paul Curylo, VP/CISO for Inova Health System, says the bad guys may always be on your heels, but you can ward them off, to some extent, with cyber hygiene — getting back to basics. Second to that, focus on business continuity. In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Curylo talks about how, as the key advisor on cybersecurity, he is always bringing reality to light by asking the hard questions about business continuity before a new application is even brought in. His cyber-decision exercises, run several times a quarter, force business leaders to think through every contingency of going to paper imaginable, right down to how to dispose of the extra paper records. These conversations are robust and bring about changes in the app designs, but also in the business continuity plans, because those plans need to be living, workable documents, Curylo says, and “the information needs to be recoverable when you need it.”
Podcast: Play in new window | Download (Duration: 33:26 — 23.0MB)
Bold Statements
“ … we also have a conversation with our stakeholders around what are you going to do when this goes away at a point in time that you didn’t choose? What does your business continuity look like with respect to this and other solutions that you have?”
“People think: ‘IT is always there, they’re always great, something blips, they got it back right away, so I can rely on them 100% all the time.’ That’s not an assumption that one should make.”
“They should certainly make an introduction to their local FBI field office or DHS (Department of Homeland Security) region and establish those contacts and relationships. It’s a small investment in time. But if an organization has a crisis, it is great to be able to pick up the phone … ”
Guerra: Paul, thanks for joining me today.
Curylo: Well, thank you. It’s a pleasure being here, Anthony.
Guerra: Great. All right. Looking forward to a fun chat. Paul, let me start with you telling me a little bit about your organization and your role.
Curylo: So yes, Inova Health System is located in Northern Virginia. We have five hospitals and three emergency centers. We cover quite a large region across the area. I joined the organization in 2019, so about three years ago, to rebuild the cyber operations capability. I was asked to stay on as the CISO to rebuild other programs within information security, and establish data governance, and drive better cyber hygiene across our capabilities.
Guerra: Let’s talk a little bit about the idea of rebuilding. Can you talk about any of the major things when you came in that you thought needed to be put into place?
Curylo: Yes, Anthony, the major thing was getting back to basics, understanding what we had in our environment with respect to end-of-life systems, end-of-life operating systems in particular, and whether or not we were effective on our security patching cycles. As happens in many healthcare systems, the team that’s responsible for patching really does want to do a good job and take care of the systems. But there are other priorities or situations that inhibit that cadence. So over time, the cyber hygiene begins to dry up. And those are the fundamental things that we addressed when I first started.
Guerra: Yes, I’ve heard it said before – Erik Decker says it, and I’m sure a lot of other folks say it — it’s that idea that there’s some exotic and cutting-edge stuff we want to be doing, but 80% is dealing with the basics. As you said, if it were easy doing the basics, everyone would be doing them. So I think what you’re implying is that it’s that prioritization, it’s that being pulled in other directions, putting out fires, which comes with technical debt. And then when there are a lot of fires, we can’t do regular, proper cyber hygiene because we have a limited staff who’s being pulled in 50 directions.
Curylo: Exactly. Yes, the motivation is there to do the job. And what I hear a lot is we just simply don’t have enough people to do all this work. We have projects that get prioritized over maintenance, maintenance then begins to slide. That’s a common theme. And I don’t know that that’s unique to healthcare, exclusively, and probably is not. But that’s the shift that we have to get in the right direction. It’s important to ensure that there is time to do maintenance on the systems. One of the things that we have started to do here recently was to rationalize the projects that are coming down the pipeline in terms of what technical debt they may introduce down the road. We do that by evaluating whether or not there are systems currently in the environment we can remove and whether or not we have systems in the environment that can actually deliver the capabilities, or at least 80% of the capabilities, that are being sought. And that is helping to some degree, that is slowing down the pace a bit, so that the teams that have to maintain existing systems have more time to actually maintain those systems.
Guerra: So I’ve come onto this theme recently, and I find it really interesting. It seems to me like this would be a new place that the CISO has been pulled into recently, for good reason. Meaning that application rationalization perhaps didn’t always include security to a large extent, but we see that third-party risk grows with every third party, and if we keep adding in more and more vendors haphazardly, there are major security implications for that. We realize that the CISO should be involved in bringing on new vendor decisions, and the whole important element of application rationalization. Can you talk a little bit more about that?
Curylo: I certainly can. You’re exactly right. And I’m glad that I sit at the table to have that conversation with our business partners. I think it’s critically important that the information assurance function of an organization is included in those conversations, from initial inception of the idea through the contracting phase, through the rationalization phase, and then through the project phase, the acceptance of the project, design, evaluation and implementation evaluation. It’s critically important because there are risks that we tend to accrete to the organization, that if we can identify them early enough, perhaps addressing those will be easier for us then, rather than at a very late stage in the game.
When I first arrived at Inova — and this is true for other places that I’ve worked — typically, what happens is security is brought in on go-live day or a week before for some major stumbling block that is preventing some forward movement, only to realize that that major stumbling block is an architectural change to the environment bringing massive risks to the organization, and nobody wants to own that risk. But everybody wants to move forward. Had that been reviewed during the design phase, we would have come to probably a different conclusion and perhaps had other options. So having a seat at the table is important for the CISO in conversations with senior leaders, but inviting the information assurance team in to evaluate and assess the idea of the process, the technology, the solution set, is important. We offer a partnership to help evaluate what the risk is and provide advice to decision makers so that they can make informed decisions.
Guerra: Very interesting. So would you say that a key point in time in this whole thing is before versus after contracting with the vendor, that you have much more ability to influence things before contracting than after?
Curylo: Oh, absolutely. There’s, without a doubt, more leverage before than after. But even after, there’s still some leverage: best practices, the realities of risk and liability. It’s just harder to have that conversation after the fact. And because the contract’s already signed, there’s the potential for loss of investment. If the decision is made that the contract actually cannot move forward, the time invested, the money invested may not be recoverable. So having the conversation before the contract is signed is important. One other aspect is to ensure that the terms and conditions that we, from a cybersecurity perspective and an operations perspective, would want to have present in that contract are actually in the contract before the signing. After the fact, it’s very hard to get a vendor to be compliant with expectations, particularly with vendor monitoring, activity monitoring, and third-party access to the environment. So it’s really important to have that conversation about the expected behaviors, and put those in the contract — not to necessarily restrict innovation — but to ensure that both parties have an understanding of how operations and cyber hygiene shall proceed.
Guerra: I have the image in my head of concrete drying, that as the concrete is wet, it’s much easier to affect change in the concrete. But as the process goes on, contracts get signed, things happen, that concrete dries more and more, much more difficult for a security professional to come in when it’s nice and hard and make the changes that they need to make in order for the risk to be acceptable to the organization.
Curylo: Yes, exactly. Now, we have had situations where we needed to renegotiate contracts, primarily because of the high risks that manifest or perhaps we experienced a security incident. We’ve experienced several security incidents that manifested in third-party vendor environments. So that, of course, precipitates a discussion around the contracts and expectations for going forward. So we’ve walked that road; it’s not an easy road to walk. Those are difficult conversations to have. But I think it’s important though that we try to capture our expectations before we get into the relationship.
Guerra: So ideally, we don’t want contracts with third-party software vendors and application vendors; we don’t want those getting signed without security having been brought into the process to look at it. So there are two elements to it, right? There’s one element, which is the formal governance process, the rules and regulations, that say no contract with any software can be signed unless there’s a checkbox from Paul or Paul’s team. So that’s one thing. That’s one element. That’s the formal concrete stuff. On the other side, we are creating a culture where they’re not afraid to come to security. So we want both, correct?
Curylo: That’s right. That’s right. So establishing that latter part is hard to do, especially if there’s large activity volume. But committing to a service level for us, for instance, we commit to a five to 10 day turnaround on every assessment. There are some exceptions, if the scope is particularly large, or the information is particularly lacking, we may extend that. But we’re committed to delivering an assessment or written assessment to our customers, the stakeholders, within five to 10 days, based on the preponderance of information that’s available. We’ll opine upon the risk; we’ll provide recommendations and suggestions. But within five to 10 days, that’s it, we’re going to give something back. Hopefully, it’s useful enough. But that helps with the setting of expectations. So now folks know, ‘All right, I want to do this new whiz bang widget. I want to get this into our environment, I need to allot at least five to 10 days in this process for an engagement with information assurance.’
Guerra: That sounds totally reasonable to me, five to 10 days.
Curylo: Yes, yes. Now, what we do ask is that folks consider coming back to us at different parts of the journey — pre-contract, pre-project start, design assessment, because most of the time the entire design is not known until the project gets going. So design assessment. And then of course, go-live implementation assessment. Two weeks before go-live, come back with what the implementation is going to be. Because between design and implementation, things change, and there’s no need to keep coming back to information security every single time before a thing changes. Just change it, and then come back for an implementation assessment. And at that point, we discuss what changed, and then conduct appropriate tests on select controls.
Guerra: So a couple things here. One is, I really like how you described your users as customers, which I think would put you in a proper mindset, because you’re delivering a service to these individuals. So describing them as customers puts you in the proper mindset to structure your interactions with them in a positive way. Correct?
Curylo: Exactly. Our customers are the business owners who own the relationship with the vendors. They’re also the vendors. The vendors are providing a service to us in some respect. But for us, they’re still a customer, they’re still trying to deliver a service to the organization. And we’re trying to provide information back. So we receive a design and we’re trying to assess that design and opine upon how it affects our environment; whether or not there are any additional controls that need to be considered. So they’re a customer as well. So being mindful and respectful of that relationship is a bit of a culture change for traditional security people.
Guerra: Well, it’s very interesting. And that’s a great point about it being a two way street with the vendors. Because anyone who’s provided a service to someone knows that you need something from that customer in order to provide them with that service, I need this information, I need you to do this. You don’t want to put all the work on your customer. But I need a, b and c or I can’t deliver the service you’ve asked for. So what you’re saying is, you’re being sensitive to your customers, the vendors and saying, I understand you need certain things from me to deliver the service we are getting from you. And I am going to make sure you get that.
Curylo: Exactly, exactly. It’s establishing that service level agreement and over time, that will begin to engender confidence in our inner contacts with business owners and vendors and create the environment of collaboration. It does take time. It’s not a thing that happens overnight. We’ve been at this now for probably about two and a half years. And we are beginning to see the fruits of our labor. So it does take time to change that culture. But it’s worth the effort. We’re able to turn around reports and advice on a regular cadence. The information received so far from feedback we’ve gotten is adequate and helpful in making decisions. In some cases, we’ve decided not to proceed in certain directions. In other cases, we’ve made architectural changes to our environment to accommodate the new thing that we’re about to do. But at least we’re having the engagement and we’re able to deliver value to the organization by helping understand the cyber risks with respect to third party vendors, with respect to how now everybody’s rushing to the cloud. We now have this push to put as much as we can into the cloud. And I think that’s industry wide. But understanding what those risks are, before we take that step, is critically important.
The other aspect of that, that we haven’t touched on yet, is not just cyber risk — that is the risk of intrusion, the risk of disruption or degradation of services — but we also have a conversation with our stakeholders around what are you going to do when this goes away at a point in time that you didn’t choose? What does your business continuity look like with respect to this and other solutions that you have? Have you thought about that? Because this is not a 100% uptime solution. We have a lot of those conversations. And they’re good conversations to have. Because now our stakeholders are thinking about what I would say is the inevitable at some point, the system is going to become unavailable. Maybe it’s only for a day. Maybe it’s only for a week. In the most extreme cases, as we have seen over the last three years, it could be eight weeks, or forever for certain solutions. So having that conversation to provide advice, allows us to have the conversation around business continuity.
Guerra: Yes, and I think that’s absolutely huge. That’s been an area I’ve focused on in my conversations with CISOs, in trying to understand in a health system who is making sure that the clinicians have some idea how to go to paper, when and if they have to. And if an IT security incident forces an application offline, who has workshopped that outage and the specific communications that will happen with business leaders? Drilling down into the details if there’s a security event, where either that application is taken down, or Paul has to take it down. I need to call somebody and say, ‘Hey, in an hour, this is off. You know, hope you know what you are doing.’ What you’ve said, which I haven’t heard before, is that you’re starting that conversation with the business leaders almost at the time that they go on the application, that they say, ‘We want this.’ You say, ‘Okay, you want this, I’m going to do the security check. By the way, you might want to think about if and when you don’t have the use of this, what you’re going to do.’ Is that what’s going on?
Curylo: Yes. So many of my conversations include some element of business continuity. So whether it’s reviewing systems that are coming in, or systems that are being upgraded or changed in some aspect, or whether we do this thing called executive rounding, where we circulate within our system office and our sites of care and our service lines to actually talk with frontline team members and frontline managers and leaders about their experiences. So I often bring up business continuity in those contexts, as well. What would you do if? Do you feel confident that? Just to start the dialogue from that perspective. We also do a cyber decision exercise. So it’s a series that we started. Our goal is to try to do about four of those a quarter. We piloted it last year, and it was based off of an executive cyber tabletop exercise that we have conducted two years in a row with our most senior leaders about preparedness and business continuity. It comes with a briefing on the current cyber environment, so we understand risks and how bad things really are, which we know they’re pretty bad. But then we very quickly get into a conversation around not what we’re doing with respect to containment of the cyber incident, or recovering systems, which is an IT function, but rather what is that business user going to do? What decisions do they need to make? And when and how much information do they need to make that decision?
So we walk through those scenarios to highlight where those decisions may come. And the kinds of information that they would expect to hear from different inputs — from me, from the CIO or from others. And then, the impact of those decisions, you know, everything from, ‘Do you have enough staff to be room sitters? Or to run medications up and down the floors? Do you have enough paper on hand to actually start printing forms? What do you do when the printer breaks? By the way, what happens when you run out of paper, or somebody prints off and uses the last form?’ What’s our play in those situations because those are things that can derail operations very quickly. And those are just some examples of things that we talked about in those exercises.
Guerra: And then there’s the concept of how it might look when we’re ready to bring you back up. And here’s how we’re going to deal with the data that’s all on paper now. That whole process, I’ve heard that can be extremely complicated.
Curylo: So complicated that it doesn’t actually happen. It happens for the medical information, that does have to get into the medical record — but for other business units, it may end up sitting in the boxes until the retention period is over. And the information is then destroyed per policy. That might be the solution. The other aspect that we talked about is if we have gone to paper for a particular process, where are we storing all of that? Because in most cases, hospitals have retooled and repurposed the physical storage locations for paper forms or paper material to something else.
So in a crisis, we may experience higher volume. You’re not putting paper in the hallways. Where are you putting the paper? It’s got to go someplace. It can’t stay in the unit, can’t stay in the department; it’s going to be in the way very quickly. So we talk about things like that. Do we actually have a contract for somebody to remove that paper? Or is that something we have to negotiate in the crisis? So they’re good, robust conversations, and they do result in follow-on actions and changes, changes to the business continuity plan.
So yes, we have that conversation as often as possible, and at key points to raise that awareness. One of the things I’ve rationalized when we start doing business continuity is, it cannot be just a special event we do once a year to produce this massive book that nobody really trusts because the information is too old. It really has to be a living process, with pieces of information placed at good strategic points so that that information is recoverable when you need it.
Guerra: So, you know, in my conversations, there are many different structures people have in their organization, different C-suite titles. There are emergency services or emergency management, which would be the entity that deals with any disaster or outage. So there’s an organization in health systems, I think it’s called emergency management or services, that deals with the tornado, the flooding, whatever, and then we have an IT outage, and maybe an IT security outage being one variety of the outages you could have in a health system. What I guess the biggest question here is, what is the CISO’s role in business continuity? What is your responsibility that you need to initiate and drive, versus a lot of people talk about collaboration, and we will work together. Well, that always makes me concerned when people say we will have to work together. I don’t see anybody driving it, then. Well, who’s driving? So what is the CISO’s responsibility? What’s the best advice you can give to a CISO in a health system?
Curylo: I would say our role is ultimately to be advisors. Rarely, maybe in some organizations, the CISO has approval or veto authority to stop things or to change things. That’s not always the case. But we are certainly advisors. The expectation is for us to engage with business leaders and have that conversation and help. So I have an information assurance team. They do mostly assessments, but they also aggregate the cyber risk for reporting to the senior leaders so we understand what our cyber risk is. Well, that same group can also have oversight over business continuity operations and help evaluate and assess those business continuity plans. They’re just plans. The other very important aspect is that part of our cyber education is to conduct these decision exercises to highlight the need to think ahead and plan for things that might be set up in business leaders heads as de facto assumptions on availability. “IT is always there, they’re always great, something blips, they got it back right away, so I can rely on them 100% all the time.” That’s not an assumption that one should make.
And having discussions — whether it’s a decision exercise, or a tabletop or just a conversation — sometimes it’s refreshing to talk about the aspects of business continuity and what assumptions that particular business leader might have. And perhaps help that business leader understand that some of those assumptions are probably not as strong as you would like them to be, for various reasons. So as advisors and communicators, I think that’s our main role is to be that partner and help to drive understanding so that leaders can continue to lead their organizations within a company.
Guerra: It’s just amazing when I think about it, how dependent the delivery of any business and even healthcare, especially healthcare, is on technology, and no matter how much we want to assure these systems and secure them, there are going to be outages. And no matter how much we want to plan, it’s going to be extremely painful, right? I mean, it’s just never going to be like, “Oh, let’s just go to paper.” No matter what we’ve done, it’s going to be very, very painful.
Curylo: Right, and this is our reality. Healthcare probably deals with this more than any other organization. This is our reality. We are here to deliver healthcare. That’s what a healthcare entity does; that’s what a hospital does; that’s what health systems do. Keeping records is a necessary component of that. Using electronic means makes that a lot easier, makes it flow easier. We can share information; we can get treatment information into the right hands. But to build a rock-solid, bulletproof capability that can never go down is very expensive, onerously expensive. So we have to plan for those downtimes.
We have to plan for how we’re going back to paper, and we may have to carry your paper around. That’s just our reality. We will probably never get fully away from going back to paper. It will be part of our DNA forever, simply because it is just too expensive to have that bulletproof system. Now at some point maybe technology gets to the point where we can separate the reliance on particular components enough so that it doesn’t adversely affect operations. Maybe we can get there. The cloud offers that promise, because perhaps we can shift loads around into other data centers. So that does help. But until we get to that plateau, paper’s it, so we have to understand how we’re going to handle that.
Guerra: Great point. Paul, we’re just about out of time. I can’t believe it. We didn’t touch on many things I wanted to. Let me ask you one open-ended question. Any other big trends, things you’re looking at that you want to make sure you’re preparing your organization to deal with?
Curylo: The activity within the cyberspace is not going away. I think all CISOs understand that. And I do believe most CIOs understand this now, as well. Invest in cyber hygiene. That is important. Part of raising the bar to make healthcare not attractive to ransomware operators or hacktivists, or people that would do us harm, is to ensure that our shop is relatively clean. Now, that’s easier said than done, especially for the small and medium hospitals. There’s a whole lot of technology that needs to be resolved. But cyber hygiene is where it’s at. Invest in the cyber hygiene, pay attention to cyber hygiene, the basics are important.
I would submit to small and medium hospitals, healthcare entities, that they should become partners with organizations like Health-ISAC (Health Information Sharing and Analysis Center). They should certainly make an introduction to their local FBI field office or DHS (Department of Homeland Security) region and establish those contacts and relationships. It’s a small investment in time. But if an organization has a crisis, it is great to be able to pick up the phone and actually get to a person and say I need help, versus going the traditional route of reporting through IC3.gov (Internet Crime Complaint Center) or an 800 line and hoping somebody calls you back. So that’s what I would start with: ensure that basic cyber hygiene is top of mind. And then reach out to other organizations and partners. Just establish that channel for communications in case we need help later.
Guerra: Absolutely. Great advice. Paul, thank you so much for your time today. It was a pleasure; went too fast.
Curylo: Awesome. Thank you.