Dee Young CISO, UNC Health Care
When it comes to keeping UNC Health Care secure, connected medical devices are top of mind for Dee Young, the organization’s chief information security officer. But she doesn’t do all the work alone; Young relies on her security team, which includes engaging with credentialed police. She likes to think of it as “us against the world.” In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Young explains how, despite having great people to rely on, ultimately the buck stops with her. “I joke with my teams that I don’t get the easy buttons,” she says. “I don’t get the ones that are just simple. I get the gnarly, the really hard ones, because everyone else has tried to figure this out.” In an era of staffing shortages, Young has had 100% retention of her team by hiring carefully, allowing for ownership and mastery of projects and encouraging a sound work/life balance.
Podcast duration: 35:09 (24.1MB)
Bold Statements
… clinical engineering reports up through IT. We made that move about three years ago because of all the connected devices, and that’s been just a game changer in the cyber world for us.
… one of the things we’ve done that has been really, really beneficial is we’ve done cyber tabletops. But we’ve done them at every entity with all of our leadership. And it’s not talking about the technical response, it’s talking about business continuity and clinical operations.
I think making sure, again, that with those work efforts I’ve done a little, had a little movement each week or each month, to make sure that I don’t look back in six months and realize, “Oh, I haven’t done anything.”
Guerra: Dee, thanks for joining me.
Young: Thanks so much for having me, Anthony. This should be a great discussion.
Guerra: I’m looking forward to it. Can you tell me a little bit about your organization and your role?
Young: Sure. UNC Health is an academic medical center. And we also have an integrated health system. We’re across the state of North Carolina; we have about 1,200 plus physician clinics and physician practices, and a really big tie with the University of North Carolina System.
Guerra: Very good. All right, I’m going to start out with an open-ended question here – just to see what’s top of mind for you, what are you thinking about?
Young: Always top of mind is medical device security. In healthcare, that’s such a key risk area for us. And I think all CISOs and security professionals in healthcare are really trying to get our arms around the proliferation of connected medical devices that are really pivotal for patient care and clinical operations. As you know, many of these devices are very precision-oriented devices that can be in the clinical setting for years and years and years. And a lot of times, their operating systems aren’t as robust as we would like in our industry. And so we deal with a lot of legacy operating systems that our clinical and business leaders still need to work and run. So we mitigate those risks quite a bit.
The other area that I think is really kind of top of mind for us right now is just getting our arms around some of the AI initiatives. Right now in the news, we’ve seen chatGPT and some of those other technologies that are really kind of getting a little more mainstream. And how do we set these up where, again, our clinical and business leaders might be able to use some of these tools or technologies. And we want to make sure that we do them in a way that we have governance and some of the protections that are needed. Emerging technologies is always an interesting space, whether it’s digital therapeutics – such as your inhaler that can now send information back – or AI; those are always fascinating to me. I think about how I can enable the business and keep us safe and secure.
Guerra: Let’s start with medical device security. How do you break down medical devices versus non-medical devices that are still connecting into the network? Is that two buckets to you? Or is it one bucket with some nuances in there?
Young: I want to start at anything that connects to the network. So that’s my first bucket. And, within that it could be tablets, phones, laptops, desktops – the traditional devices that IT is used to – industrial control, and medical devices. And medical devices in my mind can kind of overlap on all of those. So the very first thing is, I want to know what’s connected to our network.
And then within that, we do bucket it out to a degree, because we have a clinical engineering team, and those medical devices are things they’ve worked on for years and years and years, even prior to a lot of them being connected. So they have their preventative maintenance they need to do and all the FDA requirements for those medical devices.
And now in the last bit of time, maybe six, eight years, they’re now connected. So there’s an IT component. For our system, clinical engineering reports up through IT. We made that move about three years ago because of all the connected devices, and that’s been just a game changer in the cyber world for us.
For OT and facilities, that’s another group that manages those. So in my mind, I don’t really care who manages it. But I need to see that visibility. So that was the number one thing when I took on this role in February 2020. It was a great time to change jobs as a CISO, right before the pandemic (laughing). But one of the things that I really wanted to have, first and foremost, is visibility into the network.
Guerra: Right, you have to know what’s coming in. So it breaks down into facilities dealing with the non-clinical and then clinical engineering would be dealing with the devices, and you will be working with both of those groups?
Young: Yes, and for us, there’s one more, which is our physical security group that does badges, cameras, alarms – those types of duress systems. And so, it’s really three main groups that we’ve tried to work with: clinical engineering, the facilities, and protected services for the connected devices in our organization.
Guerra: Can you tell me any more about the physical security group and what they do and the relationship that a CISO should have with the physical security group?
Young: Yes, I think it’s paramount. And in my prior organization, we actually had physical security that reported to the CSO, and also had the CISO report up. So that was a wonderful thing to see. And so they were able to align all of the cameras and the doors and protective services, along with the cyber tools, and they got a more holistic view of their environment.
In our system, it’s a partnership that I’ve worked really hard on; we actually have credentialed police in many of our organizations, working with the police force to better understand and look at some of those devices that are so key in investigations – whether it’s cyber or physical investigation – and working with them for retention logs, and making sure that we have great business continuity plans. And so I think that relationship is one of the most critical within healthcare and I think the CISO, or the security person, needs to try to align as much as possible, because you think of the badges, the keys. And for us, we’re doing a HIPAA risk assessment, and physical security is one of the things that we look at, do we have good door locks? Do we have egress issues where someone could walk off or take equipment, those types of things?
Guerra: It’s really interesting. So when you think of some of the technologies that enable workflow, tap-and-go technologies, where people don’t have to keep signing in, you think about possibly somebody walking into the health system throwing on a lab coat, an imposter, somehow gaining access to a workstation, perhaps the person was not logged out. These are extreme cases, but they can happen. So there is a relationship there between cyber and physical. You also have those sorts of CSI show episode ideas where there’s some hacking where you need to be in a certain proximity to what you’re hacking. That’s where cyber meets physical. So these are kind of interesting things here. And, again, your thoughts as a CISO, on what you want to be doing to at least bring awareness that these kinds of things can happen.
Young: I think everyone is an expert at their area. So whether it’s facilities or protective services, they know their risk. But I think having that communication and sharing our insights and our perspective really helps align these initiatives. When we’re talking about a prolonged cyber event that could happen at a hospital, one of the biggest concerns I have is what are our life safety systems and issues: whether that’s HVAC systems; whether that’s a Hugs system to restrict access for newborns – the doors to make sure that those NICUs and PICUs are locked down; whether it’s the med dispensing cabinets that could be impacted. So it’s those types of scenarios where I really look to clinical and other experts within our organization to help us assess and mitigate things that might keep me up at night, and that others are working on possible solutions as well.
Guerra: It’s such a great point. I’ve had a lot of conversations with CISOs. And it seems like an important best practice for some of these folks, and even for emergency management, when you’re talking about business continuity planning. One said he’s not going to figure out how clinicians are going to go to paper, but he does have to talk to emergency management, because he needs them to understand the possible cyber scenarios that could happen. So then they can go work out those details. He says, “I have to let everybody know what cyber incidents can entail, because they may not know, and I cannot assume that they are game-planning out all these things. I have to take the baton so far, and then pass it off. I can’t just sit here.” Does that make sense?
Young: I think that’s so important. Because as a CISO, my biggest fear is that we have some major incident and our patient care is impacted. That’s why I want to make sure that systems are available and people are able to work to take care of our patients. That’s number one. And so one of the things we’ve done that has been really, really beneficial is, we’ve done cyber tabletops. But we’ve done them at every entity with all of our leadership. And it’s not talking about the technical response, it’s talking about business continuity and clinical operations.
And really, what we’ve seen is there’s a shift as soon as we do these tabletops with the leadership where we facilitate the discussions and it’s about those clinical operations, because it’s a prolonged downtime for which most hospitals aren’t equipped. They’ve never gone through something like that, thank goodness, because of the IT resiliency and systems that we’ve matured. And so having that communication with them – that helps me sleep at night because then I have the emergency preparedness group, we have the clinical, we have the business and we walked through the scenarios, and it allows them to see steps and gaps that they might need to take to make sure that they can take care of the patients. And then we can resolve the issue technically, but even with that, an all-hands-on-deck approach of emergency preparedness is critical. And I think so many times the business and clinical leaders think it’s just an IT issue until we have those tabletops. And then I think they really understand it’s a business, clinical, and patient safety issue.
Guerra: How do you come up with useful scenarios for tabletops?
Young: We really try to choose a system or application that would cause some disruption and have them go through what would happen. So whether it’s PACS – so all imaging – whether it’s all the Pyxis machines for biomedical dispensing; something that would be realistic. It allows them to see some steps we would need to take.
And I think one of the key variables with a cyber event is sometimes we don’t know what’s going to be impacted. We don’t know what might ripple down, where we start with one system and then realize that it spread, or we need to take down more keys of the kingdom to really protect the environment. And so I think that uncertainty is one of the things that we really discuss during the tabletops: how do you, as a clinical leader, make that call on (for example) if some medical devices are up and some aren’t, what are the clinical indicators of when you might need to divert patients or move surgeries or different procedures.
So it gets very complicated quickly. And I’ve been in the IT field long enough that I can remember when we worked to get people on electronic charting. And the issue now is we have many, many clinical experts that have never not charted on electronic charting. So when you have a prolonged downtime, you actually have the variable of teaching people how to chart (on paper).
Guerra: And clinicians have no spare time to learn paper charting, so it’s tough. If a health system has to go to paper, it’s going to be very painful, no matter what, right?
Young: It is. And what I love about healthcare is we’ll figure out a way; we’ll get through it, and we’ll do the best for our patients. And so some of this you really can’t plan in advance, but I do think documentation and practicing downtimes in the daytime especially, with different staff, is critical. So many of the technical downtimes and trying to prepare are usually nights or weekends. And what we found as an organization is we need to make sure everyone understands how to work with a downtime.
And the other issue that we’ve seen is most people practice for an EHR downtime of four hours at the very most; rarely do you go past eight, and almost never 12, but a cyber event does that. So just simple things like, do you have enough paper, are really important. Just basics, but I think the industry is doing a really good job with giving every hospital organization great tools for their response.
And I think it’s also paramount to point out, one of the things that I’m really trying to do is working with our IT leadership to find better ways for us to be more resilient as a network. We have all these threats and threat actors coming at us, and how can we weather the storm so that we don’t have that catastrophic event.
Guerra: I’ve been trying to get my mind around how CISOs like yourself are thinking about the job in terms of how you’re spending your time and prioritizing. I mean, again, is it a bucket situation where we have a bucket for prevention and another for recovery, etc.? How do you approach the job?
Young: I think it’s always a challenge, absolutely. And what I’m trying to do is just move those workstreams forward. I might not be able to focus all day, every day, on prevention. And I have great teams and great groups that work on different initiatives. And my goal is to make progress in each area and try to give my teams the tools and the technology or training that they need to be able to help us move those forward.
But I do think it has to be a cognizant decision. If not, you spend so much time firefighting. Like what I mentioned earlier – with AI and medical devices – it’s about getting out of the weeds of the day to day and saying, “Okay, how do we want to move this forward?”
I’m having a planning session with the GRC side of my team (governance, risk and compliance) on what we’re going to do for the next six, eight months within those workstreams to make sure that we’re ahead of the curve with some of the regulations or requirements that might be coming at us. So I think it’s something that all CISOs really work towards. Some days are better than others.
Guerra: What do you personally put your hand into and work in, as opposed to having people report up to you and update you on what’s going on? Where is a good place for you to be spending your time and capital?
Young: I think it’s something that I continue to refine. I personally like to help an initiative get started. So if we have a new initiative or a new area, I want to work with the team as much as I possibly can to give them direction. I always say, give them navigational buoys. And then I hire excellent people. So they know how to drive it forward. We do touch base.
As far as my day-to-day, I’m really trying to block out time for those initiatives that might take some think time and research, whether that’s AI governance or emerging technologies, just to allow myself time to have deep thought.
As far as meetings, usually it’s the high-visibility, high-risk types of meetings. So our enterprise risk management group, our audit and compliance work group, working with our leadership on new initiatives or new designs of data centers, or that emerging, “how do we get our arms around this” type of meeting. I think a lot of my time, the last year or two actually, has been on investigations – whether it’s a third-party breach and we’ve been notified and we need to better assess our risk. Or a situation or an issue within our health system that maybe was a near miss and we need to strengthen our processes or education to make sure that we don’t have a major event. Or, assessing new vendors or new technology at the system level that we might need to incorporate.
Guerra: I think that’s really interesting. I think making the right decisions about what to handle yourself as a CISO and what to delegate is crucial to success. Do you agree?
Young: Yes, I wish I could replicate myself sometimes, because there are so many meetings that need the CISO when there may be hard decisions involved. I joke with my teams that I don’t get the easy buttons. I don’t get the ones that are just simple. I get the gnarly, really hard ones, because everyone else has tried to figure this out. And by the time it gets to me, it’s not easy. It’s not simple. It’s not fun. And that’s what I try to remind people: that’s why I’m in the role, to really try to help make those decisions with great resources and amazing leadership from other parts of the organization.
So it’s not me alone, but yes, I think that’s key. I had a boss at one point who played football in college. And he always said, “It doesn’t matter what you did last week, you could get cut this week.” It was kind of that football gametime mentality. And it reminded me that it doesn’t matter what I did last week. I need to refocus; look at this week. So I really try to manage my time in those types of blocks. I work long term as well. But I think making sure, again, that with those work efforts I’ve done a little, had a little movement each week or each month, to make sure that I don’t look back in six months and realize, “Oh, I haven’t done anything.”
Guerra: It makes me think of getting a plane in the air. It takes a lot of effort and energy to get it in the air, and then it should be alright. But you have to help get that thing started. And also give them their marching orders and make sure they have general ideas of what you’re looking for.
Young: Absolutely. Also blocking and tackling. A lot of times with these new initiatives, they’re change initiatives within the organization. And so, while I might have an amazing senior security analyst driving this effort forward, sometimes they need the weight of the CISO and the information security office to help move these initiatives forward. And so I think that’s where helping them and starting it out gives them a more successful project.
Guerra: I could talk to you for another hour. One more question. We talked about having great people. Everyone talks about a lack of cybersecurity talent. You have great people, you want to have great people, and that means hiring is super important. And then we want to make sure that the people we have, we don’t burn them out. So your thoughts on hiring, and then managing. I would love to ask you about how you keep yourself sane. Jump in where you want there. And we’ll make that our final question.
Young: Sure. Having a great team is one of the things I thrive on, because I really enjoy working with other experts. And I think everyone on the security team has their expertise. So one of the things I really tried to do when I took on this role was, I didn’t want to break the team, because the existing staff was wonderful. They knew their jobs, they knew their roles, but we also needed to start adding people. So we really take a cross-functional approach while interviewing and looking for the right people to come onto our team and to add value, and to really help support our culture within our office.
One of the big things for me is it’s us against the world. So the security team is tight. I love it. We help each other when we can; it’s a safe space. Very collaborative. Also, I really try to focus on having each person have something they can own, because it’s important, so that they can have mastery. And luckily, so far, in my little over three years, we’ve not lost anyone voluntarily. And in the hiring, we’re careful, and I don’t have open roles that I can’t fill.
As far as burnout, we’ve really tried to allow people to have the time to recharge and to take care of their families and to do what they need to because I want them in the role and on the team for the long term. That’s one of the things I really focus on.
Guerra: That’s great. That’s a great philosophy and a great way to approach things and a wonderful interview. I can’t thank you enough for your time.
Young: It’s been wonderful, thank you.