What it means to be a good CISO changes over time. In the past, it was all about rolling out technologies that protected the enterprise. Today, that is just table stakes. CISOs are now being defined by how good they are at keeping the business up and running, and how quickly they get operations moving again if the worst does happen. According to Mauricio Angee, AVP and CISO with the University of Miami Health System, CISOs are also being judged by how well they digest and act upon the copious amounts of threat intelligence and alerting offered by both public entities and private vendors. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Angee covers this topic, as well as how cyber and emergency management work together to ensure that everything that can be done to prepare for a cyber incident is in place and well rehearsed.
Anthony: Welcome to healthsystemCIO’s interview with Mauricio Angee, AVP and Chief Information Security Officer with the University of Miami Health System. I’m Anthony Guerra, Founder and Editor-in-Chief. Mauricio, thanks for joining me.
Mauricio: Thank you for inviting me, Anthony, great to be here.
Anthony: Very good. Mauricio, can you tell me a little bit about your organization and your role?
Mauricio: I’m the CISO, an enterprise CISO for the University of Miami, and the structure of the University of Miami has what we call the academy – students coming into classes with faculty staff, the regular university. And then we have the health system comprised of the hospital, clinic, and research is big at the University of Miami, and then we have, as I said before, The Miller School of Medicine because the medical school is under the realm of the health system. It’s a big university, but it’s also a big health system in the Miami area, Miami-Fort Lauderdale-West Palm area.
Anthony: Alright, very good. Top of mind for me, as we’re getting ready for this interview, you had the hurricane very recently, Idalia was the last one. A big area I’ve been covering is business continuity, disaster recovery, that kind of thing. Obviously, you’re in Miami, you had a hurricane recently. This must be very top of mind for you, making sure you’re resilient and can continue operations. Tell me how you, and cyber, work with emergency preparedness.
Mauricio: Anthony, this is a question I get asked frequently. We live in South Florida and every year from June 1st to November 30th, it’s hurricane season and it ramps up between late August and late September, that’s when it’s most dangerous. We do have an emergency management team that really coordinates the hurricanes to ensure patient care and patient safety – that is number one for the University of Miami Health System.
We have a continuity plan, and we have disaster recovery. And it’s interesting that the emergency management coordinators or the director of that area always includes the security team, the cybersecurity or the office of the CISO in every testing; we test our plan annually. So when the hurricane season is over, emergency management starts planning, testing and recording lessons learned. And our role during the hurricane is to help ensure everybody is going to be able to work. If we have no electricity, if we are impacted by an internet outage, how do we get the workforce to take care of patient care, patient safety. That’s my number one while we’re in a hurricane mode.
So it’s different than ransomware. And I always tell the story that a hurricane, you see it coming, it’s coming, this is the path, get ready, the warnings go on, and then it goes from critical to it’s here or we missed it. At every single level, there’s communication and we’re sensing it, right? So as the news is saying it’s coming or where it is heading, we have to start preparing. I’m preparing clinics, hospitals, laptops, Office 365, you name it. Ransomware is different because, like, it would have been nice if bad actors said, ‘hey, it’s coming. It’s 24 hours out.’ (laughing) We don’t know this, so we have to be prepared. And as I said before, patient care, patient safety, number one, top of mind for everyone.
I am the one who would do the tabletop exercises. I call the emergency management system because if this gets out of hand and we have no way of treating patients, how do we do this? We work together. So, it’s interesting because I’ve seen the more we prepare for the hurricanes and the more we provide guidance and the more we update our security, SOPs (standard operating procedures), the more we learn about our system that may be vulnerable, that may not have a backup or high visibility, and it helps me in the ransomware situation.
So it’s interesting you ask that question because as we go to Idalia, I was asking what if the bad guys come right after the storm or during the storm; what do I need to do to secure it before it happens? It’s interesting.
Anthony: Yes, it is. It’s very interesting and I’m especially interested in the relationship between emergency management, the overarching emergency management team for a health system and the CISO. So it sounds like for something like a hurricane, they are certainly going to be running that. They will bring you in as necessary but you’re not leading that, right?
Anthony: They’re bringing you in, but when it comes to a cyber event essentially, you will be the main point person, but I would imagine they still have to lead it because there are many parts of a ransomware event. For example, the clinicians going onto paper, there are many elements of that that you are not going to deal with. You are not going to make sure there’s paper. You’re not going to make sure the printer has ink. They have to do that, but yet you have to make sure they understand what a cyber event could look like, is that correct?
Mauricio: It is correct, and you have it so right that we run two command centers. When is the time that this cyber event goes to the command center of the emergency management team for them to protect patient safety and continue operations. So as I’m dealing with the preventing, detecting and recovery side – or actually preventing is my first one – and I report to the command center or the emergency management team to see who’s affected, how many computers were affected, can they treat patients? And then the two commands in different locations, we’re communicating and at that time they’re talking to clinicians. They’re talking to leadership. They’re talking to Miami-Dade County operations just in case we need to move patients. And I’m talking to the three letter agencies, to our MSSP about how do we recover. But it has to be in a very harmonious and succinct way because, first of all, we can have no panic. Second, continuity of operations, and third, and most importantly, it’s very distinct what emergency management does to ensure continuing operations for patients and what we do in the sense of cybersecurity. Very good point.
Anthony: It’s so interesting to me this whole process and this is not fantasy. This is reality. This happens.
As the CISO, it’s said all the time that your job is to communicate risk, especially to the people who will make decisions about what risk they want to accept. You are not deciding, you’re not making those decisions…
Mauricio: Absolutely not.
Anthony: You are an advisor and you’re communicating risk. So it’s very interesting. In a ransomware scenario, I’m sure it could be a million different types of things happening. But as you said, you’re communicating with the three-letter agencies – FBI and whoever else. You were also communicating with your hospital leadership, and potentially at some point, a decision is being made of whether or not we need to shut down systems. You’re trying to figure that out. You may have people from the FBI talking to you, advising you on what you might want to do. But ultimately, you’re communicating to your CEO and perhaps a committee trying to explain what you’re hearing over here so they can make a decision. Because they’re the ones that are ultimately going to make the decision, right?
Anthony: So tell me a little bit more about your thoughts about how that could unfold.
Mauricio: It’s interesting also because the CISO role has become more about risk management for every organization, but in the health system, we have a committee for risk management in which they take the word of the CISO. I have to participate in everything that we do in that committee and it is more about risk.
In the terms of who makes the decision of when and what gets shut down or not or what is the right time; leadership is looking to me, especially with the ransomware attacks, to say, ‘how bad is it and is it the time, the time to pull the trigger or pull the cord.’
They’re looking for us to give them clear direction of what the situation is. In that sense, we have, like I told you, that command center where there is communication at all levels, in every single direction. And there is a clear channel of communication between me and the CIO at all times, working with all these direct reports for applications, for clinical, for everything else that is being affected.
Sometimes I personally go into – here are the recommendations I made because of this, or sometimes I just provide the data and let senior leadership see the situation and say, ‘okay, it is time, let’s make a decision.’ But they’re looking to us because they’re not IT people, and they’re saying, ‘hey, is this critical now? Do you think we need to pull the trigger now or pull the cord?’
Emergency management is also on the other side saying, ‘hey, we’re affecting patients. Patients are being affected. We can’t do this. We can’t administer. We can’t see the chart. It’s time to go on paper.’ In that sense, the management responses can be working with the clinical team to say, ‘this is the time. We can’t wait anymore. It’s taking too long. We have to do something.’ And at that time it’s got nothing to do with the CISO or the CIO, the medical teams are going to make that decision. But it has to be well orchestrated. And I want to make sure we understand that this is a plan that is tested annually. Like everybody said, it may not be perfect, it doesn’t have to be perfect. What lesson did you learn about Idalia? And we take that seriously – what did we learn? Were we prepared? Who was monitoring the storm? And every year, we’re going to say, ‘okay, team A, team B, who is going to be here?’ The families, it’s well-orchestrated and I never worked in an organization where emergency management has this well-oiled machine where they ask the security teams, both the physical security and the CISO – are we ready? Are we prepared? So it is good. It’s a good exercise.
Anthony: It just seems to me with what’s going on that we see it left and right, incidents left and right that you have to be ready for this, because it’s going to happen. You have to assume it’s going to happen and it’s almost like a CISO is going to be judged on how well they’ve prepared the organization to deal with a cyber-induced downtime.
Mauricio: I think you’re right. I think under the leadership of the new CIO, my CIO (David Reis), I’ve been with this organization for a little bit over two and a half years. The CIO has this mentality, you just said it. The first thing is communication. We’re being judged by how much communication, how quickly do we provide communication? Sometimes it’s informative. Sometimes it’s, ‘hey, we’re going to make this change. This is what the change means,’ – that helps. Many times I talk to end-users or clinicians that say, ‘hey, you know what, we’ve improved so much because if our EMR is going to be down, you’re telling us from what time to what time. You’re telling us what’s going on.’ And we’re being judged by that.
Sometimes (in the past) people said, we never heard about this change, how come we never heard? Especially me, like at the CISO level it’s very hard, but I’m going to tell you this. I was worried at the beginning of my tenure here. Do we have the right tools? Are the endpoints protected, like hygiene like you said. Then we went to this massive rollout of firewalls and AI systems and then we went to monitoring. I sleep well at night, and I can tell you that my endpoints are good, and my users are secure. My job now is looking at what threats are coming, what am I hearing about higher ed or healthcare that all of us in the industry are facing, looking at threat reports. So I am being judged by a timely passing on of that information. For example, since I received an advisory, how long did it take me to process and review it, send communication out and get it fixed so we’re not exposed.
You’re right in the sense that communication, transparency, and being ahead of the game is what it’s about today.
Anthony: You’re saying you’re being judged on how quickly you can digest new threat intelligence and change your defenses appropriately? How quickly can you respond and adjust when new intelligence comes out?
Mauricio: Correct. And I’ve seen a lot of my peers, a lot of my peers say, sometimes, ‘hey, did you see that CISA Alert?’ and they say, ‘what CISA Alert?’ It has been three or four days and I’m like, well, hey, they made it easy for us. CISA and the FBI have made it very easy. Just subscribe, you get them daily, as soon as they come out. So I have analysts whose job is threat intelligence from anywhere, and they’re digesting and they know our system. We profile all our systems. If this comes out, does it apply to us? What versions do we need, talk to the administrator, get it done. How soon, how quickly, and communicate that. So yes, that’s the process.
Anthony: Are you talking about rolling out patches that type of thing?
Mauricio: Not just patches. So MOVEit is a very good example. The University of Miami doesn’t use MOVEit. The MOVEit advisory comes out, ‘hey, MOVEit transfer has been impacted. Don’t know how bad it is.’ We didn’t just sit down here and say, ‘oh we don’t use MOVEit so nothing to worry about.’ We went through a very stringent process of saying, ‘it’s MOVEit transfer. It’s not just MOVEit. It is what product? Who do we use to transfer data? Give me a list of all the companies that we transfer data to. Now, reach out to those companies and find out what they use.’
We went through this assessment. I was comfortable as a risk manager to say, ‘we’re in a good place because the University of Miami and the academy do not use MOVEit transfer products. So, we feel comfortable that the risk is low.’ Nevertheless, there is information that all these organizations have it and potentially we were sharing information with these companies. So the speed and the velocity in which we are doing this these days is amazing. But there was nothing to patch. You see, Anthony, nothing to patch. We did the assessment, did the analysis, the list of applications, what is our exposure or the risk, communicated that and we were in a good place.
Now, when some others see something comes out, they say, ‘oh, let me see who uses that because we don’t even know what applications we use.’ And I see peers and other organizations take a very laid-back reactive approach. Here, what we do at the University of Miami Health System is proactive threat intelligence, communicate, discern, and see what is the impact. What is the impact?
So it’s not just patching, patching is, I think if we’re talking about patching these days, people don’t know what they’re doing because it’s another problem that we have. A critical practice for us is 24 hours, end of story, let’s move on.
Anthony: This is threat intelligence briefings that you get when there’s an alert for something like MOVEit or remember, was it Log4j, remember what was that called?
Mauricio: Log4j, MOVEit, we have many, yes.
Anthony: Do they always have, ‘here are the steps you need to take’ or is it sometimes just, ‘hey, here’s what’s going on. These bad guys are doing this. Good luck.’
Mauricio: FYI – good luck. (laughing) It’s three types of advisories which is great.
The first is ‘hey, we’re hearing this in the dark web, heads up.’ So they’re telling us we’re hearing noise, maybe you want to look at this. No actions to take. How I am trained, I then go do an inventory, where is it? What ports are open? Who’s coming?
The second type of advisory is: we have already collected enough information that this MOVEit or Log4j has caused this and here are indicators of compromise that we can act upon or put them in your firewalls or put it somewhere, indicators of compromise.
And the third one is – you must take action now and here is the patch for it.
So, three types: low, medium and high – which means take this action now. So it all depends.
Anthony: With Log4j, if I remember correctly, a lot of people couldn’t figure out if they had it. They didn’t know. So that’s why they talk about that software bill of materials, that SBOM. So at least you know what you have. Do you have any thoughts around all of that?
Mauricio: Yes. It is different, Anthony, depending on where you are. It takes a while. It takes time to get to the level of maturity that we have today in comparison with other systems. So, my job has become very easy in terms of risk. Just tell me how many systems are impacted. Tell me what the risk is and tell me if it’s a yay or nay, and then we take an action. That way, I can be better prepared to go knock at that door down the hall and say either, ‘we do have a problem and we’re fixing it; or we need to call the incident response team right now and the emergency management team because it may affect our patients.’
Anthony: Very good. I want to talk a little bit more about the CISO relationship with emergency management. What would be your recommendation? What is your advice? What do you think is the CISO’s responsibility? How far do they have to take that ball to make sure emergency management understands what a cyber event could look like?
Mauricio: I can tell you what works for the University of Miami Health System. Our emergency management response department is very well-known and very, very active in the community. Sometimes, more often than not, the emergency management director will come in and say, ‘did you hear about this? Are you, are we, okay? Do you need more? Can I help?’ But anything other than that, I’m going to tell you. I’m guilty as charged. When there is a hurricane, I don’t call emergency management and say, ‘hey, there’s a hurricane coming. Are you okay?’ I respect them to do their job. It’s about keeping an open and honest channel of communications where you know what your role is and you know what the role of emergency management is.
We have at least a quarterly meeting. What’s going on? What’s coming? Do you need me? We test the security. Emergency management needs the testing of the emergency management plans. And I say this proudly, this team takes care of testing, validating, getting all the stakeholders together, running the scenarios.
So you ask me, what do we have to do? We have to know who the emergency management team is, first is basics. We have to know the type of event that the emergency management team is responsible for and carry out testing throughout the year for patient care and patient safety, continuity of operations. You have to be part of that committee because as I said, cyber or hurricane, as a CISO you have to know that there is a point where your ransomware is no longer your ransomware, it is now emergency management who takes over that control room – that is the ownership of emergency management.
Anthony: That’s so interesting. It’s almost like it’s your ball at the beginning as the cyber incident is unfolding, it’s your ball and at some point when it escalates to a certain point, that ball gets passed to emergency management.
Mauricio: Absolutely. I go in and remediate.
Anthony: As that evolves the organization goes to paper and emergency management is making sure patients are being cared for and things are being recorded on paper, you’re working with the CIO and perhaps the FBI and whoever else to clean up the systems and get them back online. That’s the goal, right?
Mauricio: I’m working with IT to clean up, recovery efforts, switching internet, extending out firewalls, compliance and privacy if there’s any issues, legal. I’m working on that side of the house and the cleanup in backup system, backup to continue the business and that is the support I brought. And I have to say, ‘hey IT is saying that it’s going to take an hour for the server to be ready.’ So my role is clear. I am so clear about my role that it’s amazing how we roll at the University of Miami Health System because emergency management has a role to play dependent on cyber and IT, and they include us in every single one of the tests and communication. So it is a good partnership.
Anthony: That sounds really great and like you guys are in very good shape. I saw on your LinkedIn profile, I’m just going to keep you for another minute. I saw on your LinkedIn profile that you are a board member for InfraGard, which is an organization I’ve seen on other people’s profiles. Can you tell me about it?
Mauricio: So InfraGard came about as a public and private sector partnership. It started in Cincinnati, Ohio in 1996. And then after that, every single field office of the FBI thought it was a good idea to have the private sector communicating with the public sector in a very specific way. So InfraGard, the members alliance, I was the president for South Florida. People don’t understand how important this is. It’s better that you know your local FBI agents and cyber squad when something is happening. They pick up the phone and they call you and say, ‘hey, Mauricio, heads up’, or you can call and say, ‘hey, I’m seeing something unusual, could you help me validate?’ It is an information sharing group. And I have always said, hey, it’s better if you know who Bob is at the FBI, your local FBI, than when the FBI from Washington starts calling your legal department trying to get to the CISO.
It’s very important because it’s information sharing. We have amazing threat intelligence, every InfraGard does. We have a large group that communicates across the United States with different member alliances. We have an annual meeting to discuss what worked, what could be enhanced. A lot of times people don’t understand. They think, ‘hey it’s the government, we don’t want to share data with them.’ It’s the opposite. When you share that information and you become part of that group, there are profiles that are shared. And the FBI offers, ‘hey, can we go to your organization and do an assessment because when something hits you we already know?’ Anything from a bomb threat to a shooting or a cyberattack, it’s better when they can say, ‘okay, I know where they are, I know where they are, I know how we need to do this.’
And through the years it’s getting stronger and stronger. A lot of private sector companies are actually part of this group, information sharing is free for members who want to join. And it’s also an interesting journey because as part of InfraGard, the FBI shares with you data that otherwise they wouldn’t. The FBI Academy for members of the InfraGard, we do that once a year. So you learn what they do. I keep on going because I am a firm believer of this alliance.
Anthony: Alright, Mauricio, any final thought or final piece of advice for CISOs out there based on your experience, the success you’ve had in your career?
Mauricio: This is a journey, not a destination, like everybody says. You have to understand the role changes and mutates into different things. We were network guys starting in the basement and today it’s a business role, a risk manager, so that’s what it is. So keep up the good work and be focused and understand that this is a different threat landscape. Thank you, Anthony, for having me here.
Anthony: Great talk today, Mauricio. Thank you so much.
Mauricio: Thank you, Anthony.