Having been a CISO in the past, David Reis is definitely a security-minded CIO. But that doesn’t mean he protects the University of Miami Health System with a my-way-or-the-highway mentality. In fact, Reis wants to make sure clinicians can use the tools they say they need (within reason), meaning his application portfolio is a bit larger than he might otherwise like. It’s a balancing act that starts with getting security involved at the beginning of any new application request, rather than the 11th-hour fire drill to bolt on cyber measures that many have suffered through in the past. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Reis talks about his work with CLEAR to streamline identity verification, how running apps in the cloud requires a different approach, and his two-tier strategy for application rationalization.
- Advancing Identity
- A Two-Tier App Rat Approach
- Cloud Versus On-Prem
- Security by Design
- CIO/CISO Relations
- Partnering with Marketing on Messaging
Anthony: Welcome to healthsystemCIO’s interview with David Reis, Chief Information Officer at the University of Miami Health System. I’m Anthony Guerra, Founder and Editor-in-Chief. David, thanks for joining me.
David: Thanks for having me, Anthony.
Anthony: David, can you tell me a little bit about your organization and your role?
David: As the Chief Information Officer for the University of Miami Health System and the Miller School of Medicine, we’re really focused on a full suite of digital tools to help our providers and caregivers provide friction-free, high-end specialty care to the patients that we serve.
We have about 2,000 physicians that work across the University of Miami Health System and the Miller School of Medicine. We’re the only NCI-designated cancer center in south Florida. We have our primary hospital in the downtown Miami area and over 30 care locations across south Florida.
Anthony: Very good. One of the reasons I reached out to you is your organization put out a release about a deal you’ve done with CLEAR. I want to just ask you to describe that.
David: Our deal with CLEAR is really focused on maximizing what they’re best at, which is matching identity. What we see across our health system in general, and certainly here at the University of Miami Health System, is that identifying humans through digital means is a really difficult thing to do as identity theft becomes more prevalent and as evildoers across the globe try to impersonate users’ systems.
What we’ve done with CLEAR is take what they’re best at, which is matching a picture with a known identity, and facilitating that identification process over the phone. What we’re endeavoring to do is use CLEAR and their tools connected with our tools so that when our employee makes a phone call and requests a service, the person that we’re getting the service from internally can use the CLEAR mechanism to validate that the person on the phone is who they say they are, and that’s using proprietary technology that CLEAR provides to us. That’s the first step. We’re doing that with our staff. Our ultimate vision is to be able to create a frictionless way for patients to be able to use our patient portal and the sign-up process facilitated by CLEAR.
Anthony: You have an extensive background in security, having been a CISO before. Did you see this as a unique approach?
David: We did. I’m a CLEAR user at the airport. I know many use CLEAR at various airports to speed up the time through the security line, and when we heard CLEAR had an interest in working in healthcare, the first thing we said was: how can we get the same benefit for our employees and our patients doing identity matching in the health systems arena that we get when we speed through security lines in the airport? That was really the genesis of it. If we are trusting CLEAR’s tools with the TSA to make sure that who’s getting on the plane is who they say they are, then how can we bring that same level of friction reduction to the healthcare enterprise?
Anthony: What does this take in terms of roll-out and making it a reality? What’s the work involved? What are some of the challenges to get this done?
David: It depends on the environment that you’re trying to do it in. Our first focus has been internally on using CLEAR to do identity matching for our staff when we are engaging in phone calls. If the staff needs to call the IT help desk, for example, the help desk is now using CLEAR to verify the caller is who they say they are.
That took a couple of months’ worth of custom development work and workflow redesign, mainly around our help desk ticketing system and training of the agents to now use this CLEAR process. The CLEAR part is plug and play. What we had to change was the business processes that underpin it and plug them into CLEAR.
Anthony: I hadn’t thought about that, but was that a risk vector, an attack vector where phishing calls go into help desk or is that just a convenient place to roll this out?
David: It’s a combination of both. I think we could see that it was going in that direction. When you read the media and you read the different security websites, you can pretty quickly discern that, under very specific conditions, cyber criminals were targeting help desks and doing direct impersonations.
We wanted to make sure that we had a couple of mechanisms in place through multi-factor authentication and other proprietary methods of caller identification. We want to augment those existing tools with another tool in an attempt to make the call both easier and, at the same time, more secure, and it all revolves around identifying that the caller is who they say they are.
Anthony: Again, this is a step one of rolling out CLEAR. This is almost like a pilot. You get this working and then what’s the future vision?
David: The future vision is to see learned lessons by doing it internally and then see where we could take it, see where the technology makes the interaction easier. We’re looking at different ways to do that on the patient side. I think we have some ideas but we want to see how the rollout for internal use goes first.
Anthony: Where are you right now with this – middle, beginning, in terms of just the help desk section?
David: We’re at the end of the beginning.
Anthony: What would you say to other CIOs and CISOs that are intrigued by this? Make a call, check it out?
David: Definitely make a call, check it out. It is definitely worth investigating and the CLEAR team has been really great to work with.
Anthony: Let’s talk a little bit more about how it bubbled up to the actual to-do list. Did it go through the governance process and things like that? Does something have to fall in a particular bucket? Does this fall in the security bucket? Does this fall in the patient engagement bucket? Does it cover a lot of buckets?
David: It immediately checked a few boxes. It checked a user satisfaction box. It checks a potential patient experience box. It absolutely checks some security boxes. It checks compliance boxes. When all those boxes checked pretty quickly, the governance process was very simple to move forward because it checks so many boxes.
I will say too, Anthony, it really pushed more into our digital transformation; it focuses us as well because what we’re trying to do is not do more of something, we’re trying to do easier things that enhance security. We’re trying to both enhance our security and enhance our user experience at the same time, and CLEAR has demonstrated excellence in that sphere of increasing security and reducing friction, and we’ve been pushing ourselves to bring that same example to internal use first and then hopefully, ultimately, external use as well with our patients.
Anthony: It’s interesting you use the term “trying not to do more.” There is a negative correlation between complexity and security, right?
David: There is. We want to have just as much complexity as required to be safe. But we certainly don’t want layers and layers and tools and tools just for the sake of layers and layers and tools and tools.
Anthony: Let’s talk a little bit about that application rationalization. A lot of people are working on that and that’s where you’re trying to balance IT’s desire to have the smallest suite possible with the user’s desire to have the preferred tools that they want. You’ve got this small niche of very brilliant clinicians who say I need this tool, it’s the best one for what we do. How do you balance those discussions and debates?
David: That one is really simple. Our core tenet in the IT organization for the University of Miami Health System is to get to yes and be servant leaders. In that regard, the portfolio rationalization is an interesting topic for us in the sense that we certainly don’t want multiple competing EMRs. As an organization, we’ve standardized on one leading electronic health record.
But beyond that, we recognize that, especially in subspecialty care like we have, there are specific tools for specific clinical, business and education opportunities that meet needs which just aren’t met elsewhere. Our portfolio is broader than what you might normally expect to see. But that’s in keeping with our idea of getting to yes, having the right tool for the job and seamlessly integrating all of those.
Anthony: Right. But you do want as few as possible, so there is a balance there. Tell me your thoughts.
David: I think the balance that we try to strike is we’re not managing to a number, we’re not managing to a target, we’re managing to outcomes, and we offer choices. It’s those choices and that managing to outcomes that frankly get to a decision pretty straightforwardly and relatively simply. What I find is that when we find people who have the best interests of the organization and what’s best for the patient in mind, we talk about choices and options. The choices and options become really clear very quickly and, in some cases, that means we’re going to expand the portfolio; in other cases, it means we’re going to take a tool from the portfolio that we have and use it in a novel way.
Anthony: Is IT supposed to drive the conversation to see if there is an opportunity for consolidation?
David: Yes. I think what we’ve settled on so far is the portfolio is what the portfolio is. What we’re really focusing on is being purposeful about how we add new tools to the portfolio. The first thing that comes up when someone wants to introduce a new tool is we say, ‘Is it a Best in KLAS tool? Is it in the Gartner Magic Quadrant? Do we already have that tool in use somewhere else, or do we have a peer tool that’s ranked higher?’
So that first quantitative review very quickly brings a certain level of clarity to the choice. And then from there, if we find that yes (it’s additive to the portfolio but meets an unmet need), that’s how we get to yes. If we find that there are tools that we already have that look similar, we will schedule demos with the part of the organization that wants to bring in that tool and then say, ‘Here are the tools that we currently have, here are the functions that they can perform, how does that compare with the demos or ideas that you have about this new tool?’ and if the existing tools can meet the need, we just move forward with the existing tools.
We haven’t had to get into this whole yes-no vote, raise your hand, where’s the funding coming from. When we take the approach that we have which is choices, options, what’s best for the patient and what’s best for the provider, we find that the choices make themselves nine times out of 10.
Anthony: That’s excellent. You definitely have two buckets in your mind and completely different approaches for existing portfolio versus new stuff. The new stuff is getting a pretty good look; the existing portfolio, we’re not so much going back and trying to beat that number down.
David: That’s right. We’re not re-litigating those decisions. We’re working on making good decisions for the future.
Anthony: Speaking of re-litigating. When it comes to third-party risk management, many have not only upped their game for new vendors, but are reviewing all their existing vendors. It can be a huge undertaking. What are your thoughts there?
David: Yes, I think everyone in the industry, and across industries in the US, does have to think, as we look at the portfolio that we have, about the safety and soundness of that portfolio. And we have, I think, done a great job over the last couple of years of categorizing the scale inside the existing technology portfolio and focused intently on what’s frankly run in-house, what’s run in the cloud, going back and making sure we have great third-party reviews of the items that are running in the cloud. And then, with a specific purpose, re-examining the security around the existing tools. And we have on more than one occasion said this tool that’s running in-house today doesn’t meet the safety and soundness standards of today. We need to move off of it and sunset it, and we’ve done that more than a handful of times in the last couple of years.
But you have to provide choices, right? You have to say something like: “We’re going to sunset this one because it needs to be upgraded or we’re going to sunset this one because we have a better, more future proof option than what exists today.” What we haven’t done is use a Draconian security approach that says, “You have to turn this off.”
Anthony: You mentioned the cloud, when it comes to security, and I like my bucket concepts because it works with my brain, do you see two buckets, cloud, non-cloud?
David: Yup, definitely.
Anthony: Meaning different level of treatment from a security point of view, tell me about that?
David: It’s not levels of treatment being different, it’s the types of treatment. The same level of security and security posture exists both for on-premise solutions as well as in-the-cloud solutions. But the way we go about meeting that level of security is obviously very different. I think what we find now, more and more, is the cloud tools have been the flavor du jour for many years. They were perceived to be safer and seemed to be more secure. They will certainly be pushed more aggressively by our vendors and partners. I would say over the last maybe 9, 12 months, as we think about cloud, cloud security, cloud stability, we’re saying that there’s not more security in the cloud necessarily just because it’s in the cloud and, in some cases, the complexity of cloud-based applications makes them perhaps even less secure.
What we’re looking at now really is the layers of technology it takes to deliver a cloud application and, in some cases, we’ve begun to really say that’s a tool that might actually be better served in a hosted data center. I think we’re more cautious in the way we engage cloud-based vendors at this point than we had been in the last few years.
Anthony: That’s fascinating, and it’s not the first time I’ve heard that. It’s almost like – as you mentioned, the pressure, it’s almost like this huge wave that swept everybody into the cloud and now some of that wave is coming back as people are saying, “Well, there are some issues here.” A few years ago, everybody was saying, “I don’t want to be in the data center business.” Not so much anymore. There’s a little different tone out there. Correct?
David: There is. What’s core to the mission evolves over time, right? For years, it had been thought that running data centers might not be core to the mission of the healthcare enterprise or running data centers might not be core to the mission of a higher education institution. And now you sit there and go, probably not at scale is it core to the mission but, maybe in particular use cases, it’s better to have a controlled tool on premise that we are very crystal clear on how access is provisioned to, rather than a cloud-based tool which gets more and more opaque over time in terms of how access is provisioned for it, how security is wrapped around it, what vendors are supporting it in the different layers that exist within the cloud.
I think we’ve begun to understand, from an investment standpoint – if you compare cloud security today to investment mindsets in the mid 2000s, you have to understand the investment, understand the risk that you’re signing up for when you make the investment. I think it’s the same thing now in cloud; you really have to understand the cloud tool in all its layers to understand the risk that you’re signing up for.
Anthony: As you said, cloud security has a high degree of complexity and requires specific skills. I suppose if someone doesn’t have those skill sets on their team, they may want to think twice about it.
David: I think it’s buy, partner or build, right? I think when you talk about the cloud, you need to think in that mindset as well, which is: if you’re going to the cloud and you don’t have a team that’s well versed in delivering solutions in the cloud robustly (and by robustly, I mean securely and reliably), then you have to think about the partner or buy models as well. You just can’t go and build in the cloud what you build on premise.
Anthony: This is really interesting. Now we know that you really need to have security designed into everything from the beginning. For you, it’s probably a no-brainer because you were a CISO, I wonder if it isn’t for everybody. But it seems like it has to be. Before we got on the phone, I was thinking about the analogy with airports, right; you don’t design and build an airport and then have the safety guys come in and say, “Hey guys, add the safety stuff.” That’s how I’m thinking about security now with IT.
David: Yes. Because it is, 100%. Security is reputation risk; it is important and it is vital and it always has been. I just think it’s coming to the forefront now. That security is considered at the front is critical because that way we can help be a yes organization rather than a no organization. That’s really, I think, my intent here as we think about how to manage risk across the technology portfolio: to involve the security experts early; put them in a position to say, “Yes, and here’s how,” rather than these binary, “Yes, it’s secure, no, this isn’t secure,” which is the position security departments have traditionally been put in, at the end of the process, to either give a quick yes or no.
We put that all the way upfront and say let’s do security and risk management from the start. That way there is no 11th hour check that creates a lot of unnecessary anxiety because we’ve done security risk management all along the way.
Anthony: Do we think that 11th-hour paradigm was the case because security used to be seen as an impediment to doing business? The old-style CISO was a “hell no, we’re not doing that,” brought everything to a screeching halt, so it’s almost like, let’s wait until the last minute so they don’t have a choice. It’s like a fait accompli, right?
Anthony: That’s how it used to be but now, every security professional worth their salt talks like you talk about enabling the business. It’s a big shift.
David: It is. Which one’s the cart and which one is the horse, I don’t know, but what I do know is the following. When we used to talk about security, it was always through the lens of compliance. We had to do security because it was a compliance requirement. At some point, the conversation shifted to: just because you’re compliant doesn’t mean you’re secure, but if you’re secure, you are definitely compliant. I think the paradigm that you’re referencing that we flipped is we stopped thinking about security as a compliance matter and we started thinking about it as a systemic risk matter. In that way we weren’t just trying to check the compliance box; we were trying to produce a scalable and sustainable solution over time.
Anthony: Your CISO’s name is Mauricio Angee?
David: Yup, Dr. Mauricio Angee.
Anthony: Did you hire Mauricio?
David: I did.
Anthony: As a former CISO, what were you looking for in a CISO who is going to report up to you?
David: Someone that had a “yes, and here’s how” mindset. You referenced earlier the old paradigm mindset. Certainly, I wasn’t looking for that. I was looking for someone that really was a business enabler, a clinical enabler, an educator enabler, a researcher enabler, and was more interested in how to get to a safe, secure and sustainable solution rather than just flexing the power of yes and no.
Anthony: Very interesting. Your description of a good relationship, a good CIO-CISO relationship, how do you think it should ideally work?
David: Constant dialogue, conversation. I think in many respects, authentic discussions. The CIO-CISO relationship is one that’s got to be rooted in a common understanding and, I think, most importantly, just an authentic professional relationship where the anxieties can be talked about, the fears can be talked about, real thought partnership can happen and, through a whole brain of thought, we get to a robust response rather than a transactional or just a status report update. It’s really got to be a partnership because it’s those two roles that are managing large portions of the systemic risk that are presented to the enterprise.
Anthony: Phenomenal amount, right. When you think of those two roles, when you think about the budget – there’s a big budget there that’s being controlled by those individuals – there are huge risks to the organization if those two aren’t in sync and working well together, right?
Anthony: Very good stuff. What are the top security trends that you’re looking at, things that you want to prepare your organization to deal with, maybe technologies you’re looking at, in addition to the CLEAR stuff we talked about?
David: I think identity management continues to be one area of just necessary focus and need. Especially when you think about our organization which has students, researchers, patients, faculty and staff, the range of identities that we’re managing is pretty broad and they have a very long life span. So continuing to come up with the most robust and simple ways to use identity-management matching is really key for us.
Another one is – being a major player in the research space and education space and healthcare space – what we find is we move a lot of data as well. I think one of the things that has captured a lot of media attention over the last year, year and a half, is web-based tools that are used to move data around. Making sure that those tools are well understood and well secured is an area of continual focus. I think not only for us but the whole technology industry as a whole.
Then, beyond that it’s really continuing to make sure that we are equipping the teams with the skill sets they need to be successful today. From a security standpoint, I think we have to bake in a common level of understanding of security across all the IT teams that exist within the enterprise. Security is not just security’s problem. Security is an area that everyone has to be mindful of. Some people pay all of their attention to it, some people have to concentrate on other areas and be mindful of security. So I think raising the level of awareness and education across the IT enterprise about security and what security means is another key area of focus for us.
Anthony: Do you leverage the marketing team to get the word out about the importance of security?
David: Yes. We have great partnerships with our marketing communications team. We rely on them quite heavily and that, I think, is one of the areas that I focus on the most, which is carrying the message across the enterprise and making sure that the messages we produce – and we do a great job of this – are concise, tight messages that deliver a clear action and that are seen in a way that helps us keep the organization safe but, at the same time, make things easy. I’m all about enhancing security and reducing friction.
Anthony: I had an interesting conversation the other day and the upshot was that you not only don’t want people to be punished for reporting when they may have done something that could create a breach (such as clicking on a link) but you want them to be rewarded for reporting it. What are your thoughts?
David: Yes, I couldn’t agree more. The punitive culture is just – it’s utterly and totally unhelpful. We want to be celebrating a security mindset – and I would say users clicking on things are not things that they did; they are things that were done to them. They’re victims of crime; they were not doing something untoward. It’s repositioning of the fact that you didn’t do something wrong per se, it’s that some security event happened to you, so it would help us to know that that happened so we can protect your data and recover from it. So it’s getting to a place where people see that this is a reportable event, not from the standpoint that they did something wrong but from the standpoint that it’s a crime, they were the victim of something.
Anthony: David, final question. What’s your best piece of advice for someone in your position at a comparably sized health system? Based on your experience and your career, what’s your best piece of advice for that individual?
David: My best piece of advice would really be focused on how we can enable patients to get access to care better, how we can make it easier, how we can help keep the user satisfaction up and, in particular, focus on physician satisfaction and be relentless in helping the organization get to yes.
Anthony: Excellent. Excellent, David. I want to thank you so much for your time today. I think our listeners are really going to enjoy this.
David: Thank you, Anthony. It’s a great day, I appreciate it.