After more than a quarter century with the organization, John Houston knows how to find his way around UPMC. And when it comes to being an effective security leader, that not only helps him move complex issues along, but also ensures everyone else knows who to come to for any security-related concerns. His guiding mantra? Reduce risks as much as possible without becoming an impediment to business. It’s as much art as science, if not more so. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Houston covers these areas and much more.
- The Relationship Between Security & Data Governance
- Third-Party Risk Management
- Security is More than Technology
- Security Frameworks
- High on HITRUST
- Third-Party Risk Management II
- The Nexus of Security & Application Rationalization
- No Saying No
Anthony: Welcome to the healthsystemCIO interview with John Houston, vice president of information security and privacy and associate counsel with UPMC. I’m Anthony Guerra, founder and editor-in-chief. John, thanks for joining me.
John: Good morning. Thank you.
Anthony: Alright, very good. John. Please tell me a little bit about your organization and your role.
John: UPMC is a very large integrated delivery system based out of Pittsburgh, Pennsylvania, of over 40 hospitals. I forgot the exact revenue, but it’s somewhere around I think $27 billion. We also have a large health plan as part of UPMC. So we cover, I believe, all of Pennsylvania and maybe parts of a few other states.
My role is I’m responsible for information security. And frankly, what we found is that security and privacy are becoming more and more merged. And so I’m also responsible for privacy, and you can’t really do either without really being responsible as well for data governance, which is a big part of my job too. I think if you look back a few years when the Office for Civil Rights was doing their audits, one of the things they found was that a lot of organizations weren’t doing an adequate risk assessment. The reason why they weren’t doing adequate risk assessments is because they didn’t know where their data was. So when people ask why I do data governance, it’s because of that. You have to know where your data assets are in order to be able to appropriately secure them and then overlay appropriate privacy principles as well. So it’s really a merged function that is together just because of that.
Anthony: Very good. Now John, are you essentially the CISO or is there a CISO I’m not aware of?
John: I am the CISO. I guess, I’m bucking the trend in titles.
Anthony: You don’t want to just add it on, throw a little acronym in there? (laughing)
John: I guess I could but to me, the title works for me. If you think about it at the end of the day, if something bad happens they know who to come to anyway, regardless of the title.
Anthony: But I did see, if I’m not incorrect, the health plan has a CISO, is that correct?
John: Yes, the health plan has somebody that does mostly application-level security. I don’t want to misstate his responsibilities, but he works and they work closely with us. My team, if you think about it in terms of function, my team does infrastructure security mostly. We do work with the application teams to ensure that their applications are secure as well. But my team stands up a lot of the security infrastructure that’s necessary to ensure that we have appropriate security at UPMC. And then we work then with the different groups like the health plan, like our application developers and integrators and the like to make sure that the applications we use have appropriate security embedded as well.
Anthony: Interesting. Can you talk more about the relationship between security and data governance?
John: I look at it this way. My team is ultimately responsible for understanding where our data resides and where it’s going. And as we move more and more to the cloud, understanding where data is going is even more important. And so, we’re really focused on working with the different individuals throughout the organization who are responsible for deciding where the data goes. We’re working with the applications themselves to make sure we understand what their data management plans are. Where they’re sending data. Things of that sort. Making sure we have appropriate approvals when somebody on the business side decides they want to send data somewhere.
Really our data governance program really is based around this notion that we have information owners in the different areas. And those information owners are ultimately responsible for making decisions about whether data should go to a particular destination or, if somebody needs to use it for some purpose, they have to sign off on that purpose. So we have a chief medical information officer who really, ultimately, is the person who makes the call when it comes to clinical data. Our CFO is responsible for financial data. So they would ultimately either directly (or somebody that they appoint to fill that role as a data steward) would make the decision whether a request to send data somewhere is going to be honored.
Anthony: So they’re making the decision based on clinical need or business need where they want the data to go. You need to be brought into that process to make sure that that is a secure arrangement, that the destination is secure. And does that fall under third-party risk management?
John: It does. It absolutely does as well, but think of it this way: we’re the ones that need to make sure that that approval occurs before the decision’s made to actually send the data. And then make sure that we have a secure environment where we are going to send the data. We also have a third-party risk management function as well. And in that regard, we do a lot of work to understand the security posture of those third parties who we’re sending our data to. I will tell you that is an enormous challenge. That’s been an area of focus for me for the last probably three or four years. It’s one that we’re spending a lot of effort on, and it’s one where we see an enormous amount of risk.
And in fact, I did a presentation at the end of last week and asked for a show of hands – how many organizations had had a breach within their organization – and there was basically no show of hands. But when you asked the question – how many of you have had a third party that’s had a breach? – about everybody raised their hands. So a huge area of concern and a huge area of focus is third-party risk.
Anthony: There are so many things connected to each other here between security, privacy, and data. I’ve also heard quite a bit of people talking about the merging of the CISO and CTO roles. What are your thoughts around that?
John: It’s interesting because my boss has a CTO-responsibility role, and he and I obviously work quite closely. And his span of responsibility is all of our infrastructure, security, things of that sort. It’s important that there be the ability to combine security with the other functional areas to make sure that we do have a broad-based, effective, integrated security program.
So I guess to answer your question, I think it’s incredibly important that you have a technology leader aligned with your security leader. But there’s a lot more to security than simply applying technologies. I think sometimes CISOs get caught up in trying to solve everything with technology. The old adage – when you’re a hammer, everything is a nail.
There’s a lot of effort that goes into, again, things like governance, third-party risk programs. Yes, technology is incredibly important to having a secure environment, but a secure environment is not everything. When the vast majority of your data is out with third parties somewhere in the cloud, multiple copies of very sensitive data, you have to rely upon others. And part of that then is having a robust third-party risk and security program which is very little that’s based around technology because you’re really dependent upon their technology, not yours.
Anthony: Your third parties, and your users. What are your thoughts on how to create a security-minded culture where your users are a robust front line of defense?
John: I have a number of people who are focused on education and awareness. We do a lot of work in that area, not just our end-users but our technology staff as well. On a biweekly basis we have a Teams call where we talk about current threats, current challenges and security. And it’s open to anybody who wants to attend within UPMC. We have hundreds of people that attend that call. It’s not mandatory. It’s open to all staff and that’s a way of raising awareness in IT, by example, but we have all sorts of campaigns that we do. We do annual training to try to raise awareness. At the end of the day though, there’s still a balance between end-user awareness and putting technology controls in place to prevent people from doing stupid things because it’s amazing what people will do unfortunately.
Anthony: So it’s a combination. But if anything, don’t you think that CISOs probably shy away from the human-centered stuff and go more to their comfort zone of tools and tech?
John: Again, if you’re a hammer, everything is a nail. That’s why a CISO has to have a broader understanding than just technologies and tools. They need to understand the bigger picture. Again, if you were to say to me, what is my most important initiative? It’s around third-party risk, as I said before. And third-party risk, yes, somebody’s got to be applying tools but it’s not us that’s doing the application tools. What we’re doing is trying to make sure we’re doing an appropriate assessment and evaluation of our third parties and ensuring that they have adequate security. That’s all around process. We are also really focused on ensuring that we are using a security framework to guide our program.
We use HITRUST. We’re HITRUST-certified. I think that that’s incredibly important as well is making sure that you’re applying a framework and you’re doing it in a mature fashion. And by doing so, you’re addressing new risks because as security frameworks mature or evolve, as new risks evolve, those frameworks evolve. And then by applying them you’re able to keep up with those risks and those trends.
Anthony: So let’s talk a little bit about HITRUST and this new entity you’re working with Health3PT. Now with HITRUST, any entity can be HITRUST-certified. UPMC can be HITRUST-certified. Vendors…
John: We’ve gone through the process. We’ve been using HITRUST as a framework for many, many years, probably eight or 10 years now. We were originally doing our own self-certification using our internal audit staff. A number of years ago, probably four or five years ago, we started using an outside auditor that was themselves certified to do HITRUST assessments. And so, we now use them to do an external independent review of our HITRUST program, so that we can be formally certified by the HITRUST organization and we’ve actually just finished this round of HITRUST certification. So we do that both at the infrastructure layer and then at the application layer for about a dozen or so applications within our portfolio.
Anthony: Now, HITRUST embodies the…and tell me if I’m incorrect, HITRUST embodies the principles of NIST but goes beyond it. And you cannot get certified by NIST, but you can be certified by HITRUST, correct?
John: Yes, that’s correct. And really what HITRUST tries to do is, it started in healthcare, and so what it tried to do is build a framework applicable to healthcare that included NIST. ISO actually took a lot of the principles out of HIPAA itself for regulatory compliance. But what they tried to do is build a framework that was applicable to a healthcare entity. So it took, I don’t want to say, the best from all worlds, but it took the most applicable requirements and standards and tried to build out a framework that would apply to healthcare. So yes, you have ISO. You have NIST. You apply some of the HIPAA regulations to it as well to make sure you’re meeting those. So it’s really intended to be a one-stop shop for security within healthcare.
Anthony: I got one more for you. Tell me how this fits in, SOC 2 Type 2. Where does that fit into the picture?
John: As part of our HIPAA program, in our HIPAA certification, we do end up with a SOC 2 Type 2 as well. The problem with SOC 2 Type 2s is that they’re only as good as the way that they’re scoped. I’ve seen SOC 2 Type 2s that are incredibly thorough, incredibly good, and you can really hang your hat on them. I’ve seen other ones that are not worth the paper they’re printed on.
And so I think it really all depends upon the scoping and the actual particular SOC 2 Type 2. The value of HITRUST to me is that – and by the way, we are really pushing our large third parties that hold our data to be HITRUST-certified. The value of that is that even things that go through independent assessors, which can be from a variety of different firms, in order to be certified they have to send their work papers to HITRUST, and there’s a rigorous quality-assurance process to make sure that the assessment itself was sufficient in order to be relied upon for a certification. So when I see a HITRUST certification from a third party, I know what they’ve gone through. I know the time they’ve spent, and I can feel comfortable that they have a good, mature security program.
Now let’s be clear about this. In the old days, I used to send out a questionnaire to my third parties and they’d fill it out and they’d send it back. On a scale of 1 to 10, my level of comfort was maybe a 2, maybe a 3. That’s not because my staff was bad but because sending out a bunch of questions and relying upon them is fundamentally a flawed concept.
If I see an organization has HITRUST certification, I figure it’s not perfect but it’s a 7 or an 8.
Anthony: And also, they’re not giving it to themselves, correct? Some outside entity is…
John: It’s an independent assessor that’s been certified by HITRUST.
Anthony: Right. So that’s why it’s different than a questionnaire as well.
John: Yes, exactly. You can argue the same thing about a SOC 2 Type 2, but with HITRUST everything gets submitted to a central organization, which is the HITRUST organization, and they verify and ensure that that assessment was appropriately performed. So again, it’s not perfect, but if I’m going from a 2/3 to a 7/8, that’s a big jump in confidence. So that’s why we prefer to see HITRUST certifications; we feel much more comfortable and we can rely much more on that certification as a Good Housekeeping seal of approval for that organization’s security program.
Anthony: So you’ve used the phrases – we prefer to see, we are pushing. You have not said that we require HITRUST certification for any vendor that is going to be doing business with UPMC. Why are we not doing that?
John: Only recently has HITRUST come up with a more tiered program. The problem with HITRUST, especially for smaller organizations, is it’s expensive. It’s also time-consuming. So, yes, we are pushing hard to get people to be HITRUST-certified. We’re also working with other organizations and they’re pushing their vendors to be HITRUST-certified. And really the hope is that if a group of healthcare providers is really pushing hard to get HITRUST certification, we move the industry, and I’m increasingly seeing more and more organizations that are HITRUST-certified or are saying to us, ‘We’re negotiating with them to acquire their services. Oh yes, we’re going through HITRUST now. We’ll have our certification within six months.’ But it is a bit of a journey, so we’re really trying to move the industry. And I think we’re being successful at that just based upon anecdotal evidence.
Anthony: It sounds like it would not work from a business point of view for you to put that absolute requirement in place; you have too many vendors, too many applications that your users would want to use; and it just wouldn’t work.
John: You’re correct. Again, HITRUST has just come out with a tiered program that is much easier for smaller vendors to use and apply. We can’t say a hard no – that you absolutely must have HITRUST certification or we’re not going to do business with you. But we are going to push you really hard for you to become HITRUST-certified. It is a consideration. And if we are dealing with two vendors or we’re negotiating with two vendors or considering two vendors, one of which has HITRUST certification and one that does not, there’s a pretty good likelihood we’re going to go to the one that has it. That has happened, I will tell you that has happened. So it’s not a veiled threat that we’re making. And again, I think I see the industry is moving and I’m pleasantly surprised that some of the vendors come back, ‘Yes, we’re working on HITRUST right now.’ I assume they would say, ‘no, no, no, we’re not,’ but they are or they have it. It’s becoming increasingly common.
Anthony: Let’s talk about Health3PT. Why did you need to go beyond the pro-HITRUST stance you’re taking and get involved with something else?
John: First of all, it’s a consortium of organizations like UPMC that have come together to say, ‘Listen, we need to have a better understanding of our third-party security.’ And we’re all of the same mind that HITRUST is the appropriate vehicle for that purpose. So the feeling was that any one of us, if we tried to go to our vendor community and said, ‘You need to be HITRUST-certified,’ we would get some level of support, some level of compliance. But we recognized if we went out as a consortium and all pushed our vendors to be HITRUST-certified that we’d have much more success.
And again, I think that’s happening. And as I said before, it’s really good when you go to negotiate with a new vendor, a new third party you haven’t dealt with before, and ask about HITRUST, and they either say they have it or they’re working on it. Because that means that somebody else has convinced them to do it. So I think that this idea of having a consortium that’s pushing the industry has been successful. And that’s really what the purpose of the council really is.
Anthony: Let’s talk a little bit more about your third-party risk management program, what this all ties to. I’ve heard nightmare stories from people about trying to get their arms around this. They not only have to deal with the usual flow of new requests, but many are being asked to review and re-tier their existing vendors, and that number can be over 1,000. What are your thoughts? How have you handled this?
John: Great question. I have a team of people that’s focused on third-party risk and we use a number of tools in order to assess risk of third parties, and we also have an annual process. So if you’re a current vendor that we use today, you’re on an annual basis that you’re going to be required to submit to our process. If you’re a new vendor, you’re going to be required to submit as well.
So I think that the biggest challenge is understanding who all those vendors, those third parties, are. And again, one of the reasons why our data governance function is so important is because it helps us understand (especially for our current group of vendors and third parties) where our data is going. We can watch for outbound flows of data and the like, so that we can get a sense of potentially who should be part of our program. But finding all of those third parties can be a challenge. You have to work with supply chain as new vendors are being considered, work with the other teams within IT to try to identify where other vendors might be. As I said, our data governance team really watches for outbound data traffic. But it also works with our electronic file transfer team to understand where they’re sending data to get a sense of who these third parties are.
So trying to corral them all can be a bit of a challenge, don’t get me wrong, and then you’ve got to figure out how to organize and manage all that and get good data about them and keep that data up-to-date so you understand what your potential risk profile is there. Because I will tell you, there’s a number of things that happen.
First of all, these third parties that we use often they change the type of services they provide. So say by example, you’re working with a third party and you’re sending 50,000 patient records a year to them for a particular service, and all of a sudden your business decides you’re going to add a service and it goes from 50,000 to 100,000 or it goes from 10,000 to 50,000 or whatever. So often the service offerings that these vendors provide changes. Things that you acquired that were run within your data center on-prem, now all of a sudden they’re now cloud-based and who told us? We may not even know that that changed. So we at least on an annual basis want to try to understand what’s going on with that particular third party.
We also at UPMC have an enterprise architecture process. So any new application, whether it be in the cloud or on premises, that’s being considered for use at UPMC has to go through an enterprise architecture review. And part of the enterprise architecture review is the security review. So we’re also trying to catch new third parties coming into our environment through our enterprise architecture review. And we’re trying to couple that as well with what our supply chain does. So supply chain is pretty good about that: before they consider any new IT vendor, it’s got to go through our enterprise architecture review and our security review. So they’re good partners with us in that regard.
Anthony: So would you say it’s a two-pronged approach? The first is you encourage them to submit new apps for review, but the second is you have all these points that you try to discover new apps if they don’t?
John: I think that’s a great way to summarize our program. First and foremost, we want to go through enterprise architecture review early. Because we really want to get through and perform the enterprise architecture review before we make a decision to go with that particular third party. We want to make sure there aren’t any issues, not just with respect to security, but with respect to the architecture they’re offering. We want to make sure there already isn’t something in our portfolio products that already does that. The earlier that we go through enterprise architecture review, the more likely we’re going to make a good decision from not just a technology perspective, but from a business perspective. However, if it gets the whole way to our supply chain review and process and then comes to our attention (we would prefer that it be earlier) but if it happens then it happens then. And as I said, we partner very well with supply chain to make sure that the enterprise architecture review is performed. So they’ll bring things to our attention as well.
Anthony: It’s amazing how everything seems connected. You brought up the application rationalization process and how important that is today in tighter margins. We don’t want to have seven apps to do the same thing. It doesn’t make sense financially. It doesn’t make sense from a security point of view. It’s all connected. And that also is now involving the CISO where they need to have a role and a voice, not ultimately making the decision of which of the three apps is going to stay, but in the process and driving towards that desired outcome.
John: Yes. I would say that a lot of times I fill the role of an influencer. It’s not uncommon that I’ll get involved because of security, but I’ll bring up other considerations, like, ‘Has this gone through enterprise architecture review? Have you talked to such and such about this?’ Sometimes I’ll even know, ‘Aren’t we using Product X for this already?’ So it’s not uncommon for me to direct people to others within the organization when something is brought to my attention because of security. It really is a team effort, and my peers do the same thing. If they see something happening and they think security hasn’t been adequately engaged, they’ll send an email off to me or give me a call. But we’re pretty good about helping each other out in that respect.
Anthony: We’re almost out of time. You’ve been there 25, 26 years; you’ve got a lot of what I called gravitas in the organization. I’m sure you have a voice people listen to. Do you have any advice for someone who may be newer to the role?
John: I wouldn’t say that I have gravitas. I think I have respect both within IT and outside of IT. I know many people in the organization, so I know how to engage as necessary when there are security issues or concerns about a new application or whatever we’re trying to pull into the environment. But if I had one piece of advice for a new CISO, it’s going to be that you can’t ever say no. You can say, ‘That’s not going to work the way you have it designed. But here’s how I think we can solve the problem.’ You want to help the business individual figure out how to solve the business problem, and it may not be the way they envision. So that’s what you need to be focused on: trying to get them to the solution that works for them and works for security as well.
So that’s really to me the most important thing. Sometimes, yes, you really do have to put your foot down saying, ‘Listen guys, this is dangerous.’ But then you want to hold out the olive branch and say, ‘But what are you trying to achieve here? Let me see if we can work with you on this.’ I will also tell you, there have been times where I’ve said, ‘Listen, this is a problem.’ And you find out that really the executive business leader when they find out about it, they say, ‘I agree with John. We’re not doing this. Unless John says it’s okay I’m not moving forward.’ And I’ve had that happen on a lot of occasions. It’s respect. I think there’s a lot of respect you want to try to build within the leadership team of your organization and then help to try to solve problems in a secure fashion.
Anthony: Would you say people get it now more than they used to with all the public breaches and hospitals being down for weeks and a month and the costs?
John: I think most do. Some still, I think, are so focused on trying to get their business done that they lose sight of the risk. And as an attorney as well, I really hadn’t said it before, but I get involved in most of our IT negotiations. That’s one of my responsibilities. And so, during the negotiating process, I will often get involved in fairly difficult negotiations around things like limitation of liability for security breaches and things of that sort. And so, really sometimes going through a legal negotiation, you’re often educating the user at that point in time, and they don’t even recognize some of the issues associated with what they want to do. Literally, about three weeks ago, I got done with a negotiation and the person said to me, “Listen, I really appreciate you being involved. I really didn’t understand what some of these risks really were until I sat in on some of the negotiating and saw how you press them on some things.”
So I think it’s important to understand that all I’m trying to do is mitigate risk. I’m not trying to prevent the business from doing what it needs to do. There’s an old saying – everything’s fine until it’s not. And you look great, but all of a sudden you’ve got a big ugly issue. And everybody’s looking around the room asking the question, ‘Who the hell let this happen?’
Anthony: Brilliant, brilliant. John, I could keep you another hour, but I won’t. Thank you so much for your time today. I really appreciate it.
John: I appreciate the opportunity to talk to you. Thanks.