If you don’t want to keep learning, heading up IT security for a health system is probably not for you. At least that’s one obvious takeaway from speaking to WVU Medicine CISO Hunter Barbour, who lists the impending marriage of AI and quantum computing as a possible game changer for security professionals. So Barbour is going to keep his eye on that, along with never taking his eye off all the other threat balls. In fact, Barbour says not being distracted by what are often intentional feints by the bad guys is an important characteristic of any successful security program. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Barbour discusses these issues, along with how he learned a lot about security (not surprisingly) from his time running IT for a prison.
- Top Three Threats
- When AI Meets Quantum
- Staying Up on Evolving Threats
- Sophisticated Misdirection
- Jail Tales
- Good Governance
- In HITRUST We Trust?
- Not No, But Yes If
Anthony: Welcome to healthsystemCIO’s interview with Hunter Barbour, Chief Information Security Officer with WVU Medicine. I’m Anthony Guerra, Founder and Editor-in-Chief. Hunter, thanks for joining me.
Hunter: Hi. Thank you for having me, Anthony.
Anthony: Hunter, do you want to start off by telling me a little bit about your organization and your role?
Hunter: Yes, sir. As Chief Information Security Officer, I’m responsible for pretty much the security of all assets and data within the health system. That includes managed devices, unmanaged devices, IoT, IoMT and setting policies and procedures around the use of that data and how we handle that with regulatory organizations.
I have a really strong governance team with privacy, compliance, HR and our insurance, legal team where we meet on a regular basis to go over governance and issues that we’re running into throughout the health system, but it’s a wide array. We are, at this point, 25 hospitals, in the neighborhood of 850 clinics, that’s ambulatory and other clinics, and then we have, of course, some different institutions where we do special research such as like neuroscience, cardiovascular, things like that. We have a pretty robust program around research and development within the healthcare space.
Anthony: Very good. I want to start with an open-ended question and just see what’s on your mind. What are some of the trends you’re looking at, things you’re working on?
Hunter: Right now, I’ll tell you the emergence of conversational AI, the emergence of that into the healthcare industry I think is both disruptive and also something that we’re having to address right away. Your larger firms such as Microsoft have announced they’re partnering with ChatGPT and AI platforms such as that. We’re having to adapt to that and adapt our policies and procedures around how we handle AI. We do have an internal AI group within WVU Medicine where we build and develop our own AI – it’s ground breaking and amazing, and has created lots of different avenues for us to pull data and make the lives of physicians easier. There is a place for AI, it’s just that I think a measured approach is needed. So that’s something that is on the radar.
The FDA announcement where they are setting the bar differently for biomedical devices – that is going to be, hopefully, a major turn in how the biomedical industry deals with FDA approvals and therefore, making it easier to protect our network and our assets because the products are better designed, programming should be better, things like that. Biomedical IoT, IoMT devices are another big area that is of interest.
Then, we’ve seen a lot of activity over targeting healthcare from outside. We do see a lot of information coming from the outside, specifically targeting critical infrastructure and healthcare falls in that space. We’re constantly under threat from outside entities and that’s one big.
That’s your top three.
Anthony: AI was the first one, right?
Hunter: Yes, sir.
Anthony: Let’s go into that a little bit more. There’s a lot of interesting challenges around AI. You talked a little bit about – you’ve got your organization, your clinicians, these are smart people and they want to try stuff and they want to do cool things. AI is something pretty cool and there’s a lot of cloud stuff out there, and so it’s easy for them to either spend the departmental budget or whip out a credit card and just get going, right, without even letting IT or IT/security know what they’re up to.
Anthony: And then on the other side you have a concern that bad actors will be able to leverage AI to write better phishing emails, and I’m sure there are even more advanced uses they’re going to come up with, right? There’s a lot going on there.
Hunter: Right, yes. AI, I believe, in the next 10 years, using it internally with your applications and your databases, and it’s controlled, will revolutionize how we do healthcare. I strongly believe that. We need to be prepared for it and we need to be able to be agile and move into that space. From the outside world, how it’s going to be used from our bad actors is yet to be understood fully, I think, with quantum computing coming along faster than we thought it would. I think within the next two to three years, you’ll have a real problem when quantum computing becomes more mainstream and AI can be used in that fashion.
The threat of AI is definitely something we all need to be aware of and, as healthcare systems, we need to be talking about this in conjunction with each other. What is one health system doing that another health system can leverage? I know that a lot of that conversation is going on. I don’t think we talk enough about our common interests.
WVU Medicine is very open with our partners, our other healthcare systems, about the threats that we’re seeing and how that affects us and giving that information to other healthcare systems because, at the end of the day, we’re all in the same boat. It’s important that we share information. We don’t get that information timely enough from the government. I’ve talked with the FBI and HHS, those types of organizations, they’re doing a lot of the analyzing of the data, but the threat reports don’t get out to us as quickly as we would like. That’s something we’re trying to work with the FBI on and get a group within healthcare that can get these threats and actionable intelligence out more quickly.
Anthony: Tell me more about your concerns of AI and quantum computing coming together.
Hunter: Quantum computing, that’s something we’re preparing for and NIST is preparing for it. It’s probably, they say 10 years, but it’s probably more like 5 years where the mainstream, you and I, could go out and buy or produce a machine that has the ability to do quantum calculations. That’s going to become more readily available.
With more computing power, you’re going to get AI that is going to be able to learn faster. It’s going to be able to move more quickly and, depending on how you train it (how you train it, what information you’re feeding it, all of that matters quite a bit). But if you’re a nation state actor or you are a well-funded organization (working on behalf of a nation state), you could train AI to get it to write scripts and look at code and look for weaknesses in that code. I think that’s a real possibility and something that our endpoint detection and response providers and anti-virus, our firewall companies – those companies, I think, they’re already working on that, what that looks like to be able to prevent those threats.
Anthony: So you’ve got to make sure your vendors are up on this stuff, correct?
Hunter: We’re already talking to our vendors about these things. They’re already preparing for the different modifications that will be coming down the road for how do they deal with the risk analysis now, does that change that side of the industry, do we have AI that’s as smart as the AI that is going to be producing results that could be against us. We have to have the same level of precision and accuracy as the bad guys do. I think that’s something that’s very much on the table for your firewall vendors and even networking vendors – how do they produce networking equipment that can help with these things.
These conversations are being held within the healthcare space – well, within the entire industry. All verticals are concerned about the AI situation. It’s something that’s going to come. We have to be prepared for it but it’s definitely something where we need to do as much research as possible so that we’re ready when the time comes to react.
Anthony: As a CISO, you really need to stay up on these trends, and they’re moving so fast.
Hunter: Oh yes. We do internal roundtables each week where we, the incident response team and CTO, CIO and CISO, we get together to talk about it – what’s new and emerging in the marketplace, what have you seen over the past week. We like to keep abreast of any new technology way before it becomes mainstream. With AI, we saw that coming months before it got to a point where they’re going to release this to the public.
That’s one thing we do. We have to stay very educated on that. You have all kinds of feeds that are coming into your mailbox to be able to keep up with the daily threats and what’s new, that type of thing. You have to stay up and stay educated. That’s for sure.
Anthony: Right. That’s where your threat intelligence vendors help, right?
Hunter: Yes, we use several threat intelligence vendors that provide us info on what’s out there, not only from the healthcare perspective but what is occurring with government entities that may apply to me and not necessarily just looking at my vertical but looking at all the verticals of the industry to see if their threats may fall into our circle of influence. We need to make sure that we’re keeping an eye on it all. It’s a big job.
Anthony: Yes, for sure. Let’s talk a little bit more about threat intelligence which is an interesting topic. Nothing’s cut and dry, there’s always ways to manage it. You can be getting tons and tons of alerts. I’ve talked to a number of CISOs and we talked about – you have to have the people to manage all these alerts, to follow up on these alerts. I don’t just want alerts that I can’t do anything with because I don’t have enough people.
Hunter: Obviously, advanced threats are right there in our face. We see critical and high risk vulnerabilities right off the bat, and they are your number 1 target. You have to separate this out. We have a pretty sophisticated vulnerability management platform where we score vulnerabilities and then we address them based on the score and our methodology, and what we think the actual risk to the organization is.
Then, at the same time you’re dealing with the actual remediation of those vulnerabilities, you have to always have your eyes on new threats. Guys are doing penetration testing, ladies are doing risk management, you have to be able to separate the team so that you have your eyes always on the infrastructure and are always looking for the bad actors. At the same time, you have to have a team that can remediate the vulnerabilities that already exist.
We have a very sophisticated way that we do vulnerability management and risk management in our organization where there is a scoring and we take them as they come and the highest scores get remediated first and then we move down the list. That is reviewed with senior leadership once a month and reviewed with our team internally once a week.
We take that pretty seriously, and I think we have a pretty robust process that’s matured over the last 7, 8 years, and so we’ve gotten to the point where we have a pretty good process for that, but it definitely has to be something that’s watched. If you just look at alerts, if it’s not tuned correctly, you could get alert fatigue. You want to have your different systems going into one platform where you can assess all the risks in one dashboard and be able to score that and say, “Hey, these are the ones we needed to attack first.”
Alert fatigue is a real thing. I was an engineer long before I was a CISO and I know from my own experience, if you don’t have the right software in place and you don’t have a single pane of glass to work from, it can get really confusing really fast. That’s key.
Anthony: It sounds like another element you were describing is if you get caught up in one area, you might miss things going on somewhere else. Tell me a little bit more about that.
Hunter: The sophistication of attacks has gotten beyond exponentially better in the last five years. It’s gone from a badly typed email that’s easily recognized to really convincing looking phishing emails and things like that. There’s often misdirection put in by attackers where maybe they’re performing a denial of service in one area, hoping that you’re concentrating there, well, that’s not really the main goal. The main goal is that they’re doing an end around and they’re coming in from a different direction hoping that you’ve taken your eyes off your other infrastructure to deal with the current threat.
It’s misdirection and it’s sophisticated misdirection. You have to be able to respond to the event in a thoughtful way and then also still be monitoring the other areas of your infrastructure to make sure that the attackers aren’t taking a back door or something like that in your network.
Anthony: It’s just like regular military strategy, there’s decoys…
Hunter: It is. That’s exactly what it looks like. I was in the ROTC at Virginia Tech and we studied warfare and basically how to make battle plans, things like that. That’s one thing that has really become useful in cybersecurity is understanding that misdirection, understanding where the threat can come from and keeping your eyes over there at the same time you’re remediating the current threat. Yes, you’re right. It’s a lot of military type stuff.
Anthony: Very, very interesting. Well, let’s talk a little bit about – I have to bring this up. It’s very interesting. Now, you were an IT director for jails and prisons.
Hunter: Yes, absolutely. That was…
Anthony: Which is pretty wild because that you didn’t have a cybersecurity – it wasn’t a cybersecurity position, it was IT director.
Anthony: It was for jail.
Anthony: Now you’re doing cybersecurity for a hospital. Here’s the question, did you learn anything in that environment that either made you want to go into IT security specifically as opposed to general IT or in that overall environment, did you learn anything that you took with you?
Hunter: Yes, I was very fortunate to learn. I’m just basically a systems engineer. I started out in accounting. I did that for a while, for about 10 years, accounting information systems. Then, I moved into corrections. I was able to be a systems engineer there, and I was dealing with everything from hypervisors to the physical servers to the security. I was your one-stop shop, right? I was pretty much a generalist and had to deal with all of it. That helped me a lot. I had to deal with the firewalls, I had to deal with firewall rules and security and endpoint detection response, things like that.
I was involved with the security, all the way from the beginning, all the way through when I got to Hanover County, where I was directing the jail there – when I got there, they really didn’t have a lot of infrastructure, per se. So I had to go in and do, not only cybersecurity but physical security.
Hunter: Biometrics, yes – scanners, you have x-ray machines for x-raying baggage when it comes in and you’re x-raying different things that come through when people come into the jail. It was extremely interesting. We rolled out a program there where it was the first jail in the country to have tablets where the inmates could actually do video visitation and things like that. Having to secure a network where you were getting people who are obviously not convicted of a crime but they’re in jail awaiting trial but having to secure that network is really interesting and came with some unique challenges.
Anthony: I bet. There are probably some unique stories you could tell me if we weren’t on the record.
Hunter: Oh yes. Yes. It was interesting and I loved it. It gave me a lot of autonomy – I could go in, I could build my own servers. I could learn about hypervisors. I was building all that stuff myself and creating security rules and putting in the firewalls. Through my whole career, really as a systems engineer, I was dealing with security the whole time and then when I got in the healthcare vertical, I was really recruited by a former professor, great guy and he got me in the healthcare realm and I started basically just in networking, but we worked closely with security because of firewall.
Then, we got to WVU Medicine, now you have the incident response team and the network team and that’s what I’ve managed here for 3.5 years. I worked closely with the CISO, I handled the incident response team. I was in the know on the daily goings-on of the security infrastructure so it was an easier transition for me into the CISO role now.
So that’s a broad overview of my career and how security got in it. My degree is in that as well. I have a degree in networking with a concentration in cybersecurity. The end goal has always been to be in cybersecurity and to end up in this role. I’m very thankful that WVU Medicine has given me the opportunity to do it.
Anthony: Very good. Let’s talk a little bit more about governance which you mentioned before, a governance team of executives at the health system. A lot of success seems to flow from proper governance. What are your thoughts there?
Hunter: It is critical that you have transparency and communication with the business operations. A lot of people run into trouble when they are siloing IT and operations and there’s not input from the business. First and foremost, security ought to be a business enabler and we should be there to help the business. With the governance committee, you want to make sure that you’ve got a nice cross-section, not only IT professionals but privacy and security risk, compliance, legal team, HR and then also med staff affairs and you’ve got research going on in a little area. So you have to divide it up. If you get all these people in one room, it becomes a bit of a quagmire.
We break it up into different committees that, all encompassing, become cyber governance. That way we can have pointed conversations. I may talk with my privacy officers and legal staff in one meeting. And then in another meeting, I’ll talk with my research team to understand what projects they’re approving and what’s coming through the research side. So I’ll have that meeting. And then we’ll have an overall meeting with everybody involved that just covers updates of here’s what’s going on throughout the enterprise. In addition, you’ve got breakout meetings with your different companies within the system. And you need to take into consideration their needs because – and you and I both know this – there’s a balancing act between operations and security, and that is a tight line to walk.
If you don’t have your business on board, and they don’t have the trust in you from a security perspective and understanding that you have their best interest in mind, you will have trouble. I think if you approach it like that, it gives you better visibility in each area as well as understanding, okay, what are the goals of the organization and how do I align my security goals with the organizational goals and translate those organizational goals into a security mindset and a security perspective. That’s critical.
Anthony: You mentioned that if you get too many people in a room, it can be messy. It makes me think governance has to be a living, changing thing that gets adjusted if it’s suboptimal. Do you agree?
Hunter: That’s exactly right. As the threats change and the landscape changes, we try to be as agile as possible where we can change committees, we can move members, and we can even – for example, maybe we’re spending time on them when we don’t need to be spending time; maybe we’re not getting actionable intelligence and actionable things are not being done. When it gets to that point, I feel like our leadership team here is very open to moving things around, adding new people when we need input. It’s a living organism where it’s constantly evolving and changing as the needs of the business and the threats and the risks are evaluated.
Anthony: You mentioned NIST. You mentioned HITRUST – that seems to be a big favorite now among some CISOs that I’m speaking to. They’d like to see that. They want to see that stamp on vendors they’re working with. It’s interesting to me. What are your thoughts on HITRUST?
Hunter: We have a very sophisticated security risk assessment process. I have often found that we are asking questions to these vendors that are HITRUST or SOC2 certified, but they do not meet our security risk assessment because I think we’re asking the right questions. Oftentimes, what I see is they may be HITRUST certified but we are asking questions that they didn’t think about.
They’ll often say well, nobody is going to ask that question. Well, we are asking that question because what we’re trying to do is make you a better vendor. That’s how we approach it, we’re going to ask the tough questions. Hopefully, what that does is for the next hospital down the road, it makes the vendor better for all of us. It’s really – we challenge HITRUST certifications all the time. There is no certification that would, for us, make it unnecessary for us to do a security risk assessment.
Anthony: Does it make you feel better at all to see them HITRUST certified or it just doesn’t matter?
Hunter: To me, it doesn’t matter. Because the questions that I’m asking are far deeper questions, and also based on our experiences. A lot of the questions that formulate our questionnaire are ones that we’ve run into over time. Over the last 15 years, we’ve run into these situations. So we add those questions in, and these are definitely questions that a lot of health systems are not asking. In fact, it’s scary. We’ve seen things implemented at other places where we would absolutely say there is no way that we’re implementing that in our health system. So that’s an issue. I want to make other health systems and the whole vertical better.
Anthony: If you’ve got an internal customer begging to have use of an app that you don’t think is secure, what are you going to say?
Hunter: It happens every time. Here’s the best response that I have come up with. We can do anything, right? The answer is yes, if – it’s never a hard no. Because I want to help the business, I want to help the physicians, I want to help our patients. As long as the vendor can modify their product within our checklist of things that we must have, then we can do anything you want to do. I mean, as long as the right security controls are put in place, then we can move forward, but oftentimes, you’ll find that vendors can get stuck in that area and don’t want to play ball necessarily and really, we’re all on the same team. I try to tell them, hey, I’m trying to make you better, this will help you down the road when you deal with other health systems because they’re probably going to ask a lot of the same questions that I’m going to ask. If you modify your product to have these controls, then I’m making you better. I’m making the healthcare system better. I’m making the healthcare vertical better. I’m improving all of our lives, and I think that’s where we need to be.
Anthony: You’re going to hold the line, you’re going to fight the good fight.
Hunter: Yes, we’re going to hold the line and, if we have to, we will not – there have been many times where the vendor said we just can’t deal with that and we say, well, when you get that, let’s talk. Thank you for your time, come back to us down the road.
Anthony: Yes, but then they go back to the internal customer and they say, “Hunter is being unreasonable.” Then the internal customer calls you up and says, “Hunter, why are you being unreasonable?”
Hunter: What’s great about my organization is that my board understands that security is a top risk for us. My CEO understands that and is a visionary. And then my CIO backs me – if there’s a security risk, he’s going to back me on security risk. As long as I’m able to articulate that, and it makes sense, then I have everybody behind me for support. That’s the key.
Anthony: That’s the key.
Hunter: That’s the key. You have to have great leadership and by far, out of every organization I’ve worked for, my leadership here says I will back you and I’ve got your back here and you do what you need to do to keep the organization safe. I appreciate that and it makes my job easier.
Anthony: If you’re a CISO and the situation I described happens and you get the call from the CEO or the CIO who says just let it go, Hunter. What do you do?
Hunter: I’ve never had them do that. I’ve had other organizations where they call and said, “Okay, we need to make this happen. What do we need to do to make this happen?” We’ll put controls around that to make sure it’s safe. When we calculate a risk, if the organization’s risk appetite is okay to accept that risk, then a senior leader will have to accept that risk and say, “I’m okay with accepting that risk.”
We document that and we keep it visible, right? So it never goes away. We’re going to continue talking about that risk 10 years from now.
Anthony: Right. With a name attached to it, with the name of the individual that decided to accept it.
Hunter: That’s right. There’s some responsibility that has to be had from everybody in the organization. If they’re willing to accept the risk, I’m okay with that, I just want to make sure that we’ve documented it and I keep bringing it up for visibility purposes so that the organization – we are very transparent with the leaders. They have to know what the risk is to their organization. There are no secrets. It has to be upfront in their face so they understand the risk so they can make an educated decision. And that’s the bottom line.
Anthony: Right. Hunter, I’ve taken a little more of your time than I promised.
Hunter: No, I really enjoyed it.
Anthony: I did too. Thank you so much for your time and I think the readers are going to enjoy this. I really appreciate it.
Hunter: Yes, sir. Thanks, Anthony. I appreciate it.