It’s not always easy blazing a trail or, as Jeffrey Vinson termed it, ‘being on the tip of the spear,’ especially in a sector as heavily targeted as cybersecurity. But when the opportunity arose to apply for a grant to help identify ways to share threat information and protect the infrastructure, Harris Health System answered the call, and immediately got to work figuring out how to improve collaboration across the industry. “We need to share information across the industry,” he said during an interview with Kate Gamble, managing editor at healthsystemCIO. “Knowing is half the battle.”
It’s a battle Vinson knows well, having gained experience in the military and with the National Security Agency before coming to Harris in 2013. And the key to winning it, he has learned, is ensuring that CISOs and other information security leaders are involved in critical discussions. “We want to be at the table to make sure technology is being utilized in a way that we can protect not only the data, but those who benefit from the technology,” he stated. “We have to understand the mission and how we enable the business and protect it at the same time.”
Since his arrival at Harris, Vinson has worked to elevate the role of information security teams and create an environment in which cybersecurity is “part of the fabric.” In this interview, he talks about how he has worked to change the culture, what he considers to be the biggest hurdles to safeguarding data and, most importantly, patients, and why he believes it’s so important for cybersecurity professionals to come out of the shadows.
- On building a culture of cybersecurity: “Cyber is ingrained in the fabric of the organization… We’ve been preaching and advocating from the beginning to be involved.”
- On working with HHS: “From a public health standpoint, we need to share this information across the industry; knowing is half the battle. We want to get that message out.”
- On maintaining a balance: “We certainly don’t want to be the ones that stunt the growth of new technology, but we want to be at the table to make sure it’s being utilized in a method where we can protect not only the data, but also those who will benefit from the technology.”
- On advising the business: “It is paramount at Harris Health that cybersecurity plays a significant role in the mission and strategic vision and works closely with the CEO… we’re not an afterthought. We’re out there messaging and sitting next to the CEO and our compliance and IT partners to make sure we’re mitigating that risk.”
- On CISOs speaking at events: “We’ve historically been in the background, protecting things behind the scenes. But as we look more at risk and at the evolving cyber program, it’s important that we sit at that table and help create messaging around the importance of cybersecurity.”
Q&A with Jeffrey Vinson, Chief Cyber & Information Officer, Harris Health
Gamble: Hi Jeffrey, thanks so much for your time; we really appreciate it. I’m looking forward to getting your perspectives.
Vinson: Thanks for having me. I look forward to the conversation.
Gamble: Let’s start by getting some information about the organization. Can you provide a high-level overview of Harris Health — what you have in terms of hospitals, where you’re located, etc.?
Vinson: Sure. Harris Health System provides care to the underserved here in Harris County, which is the most populous county in Texas and the third most populous in the United States. We are a public safety net.
We have two major hospitals, Ben Taub Hospital, which is a Level I trauma center, and Lyndon B. Johnson Hospital, a Level III trauma center, and 30-plus clinics around Harris County. We’re critical to the success of the county itself, as well as the entire state of Texas, for what we bring to bear at Harris Health System.
“Cyber is part of our culture”
Gamble: I would imagine that for you, having care that’s offered outside of the hospital adds some complexity to the role — we’ll get more into that later. But first, what do you feel are some of the biggest challenges for cybersecurity leaders? What are the biggest hurdles?
Vinson: When you look at information security, healthcare is still the most attacked industry in the United States. Other industries and sectors have evolved, including financial services. In healthcare, it’s a very delicate balancing act, because our mission is to provide patient care and quality service.
When you do cybersecurity in that realm, you certainly need to lock down your systems, but it’s not necessarily a forethought when we talk about the healthcare sector in itself. At Harris Health, cyber is part of our culture. It’s ingrained in the fabric of our organization. But when you look at healthcare overall and public health overall, that’s not always the case.
There’s a shift that’s been happening under this current administration with a number of cyber regulations going out. We had the omnibus spending bill in December of 2022, and now the FDA is getting more teeth. And so, we’re making progress, but we’re clearly lagging behind when it comes to cybersecurity in healthcare.
Challenge: vulnerable operating systems
Gamble: Do you think that’s a reflection of the fact that healthcare has lagged behind other industries in terms of digital experience? Or are there other factors?
Vinson: There are many factors. As I mentioned, it’s a very delicate balancing act. With medical devices, for instance, manufacturers build these solutions and set them and forget them. Some of them have been around for 20 or 30 years. And they’re good at what they do, but their operating systems have vulnerabilities, and the threat actors and cyber criminals know how to exploit the technology.
Now, we have historical data. We’re looking at mortality rates when there’s a cyberattack at a healthcare organization and you have ransomware locking up the systems and vulnerabilities being exploited. That has to change; you can’t do the same thing and expect different results. So that’s one challenge.
Challenge: lack of funding
Another, of course, is funding. You have organizations of different sizes: clinics, small hospitals, large hospitals, etc. The HIPAA security rule hasn’t really been updated; they have the Wall of Shame and fines are handed down, but there hasn’t been a true focus to say, ‘a hospital with this much revenue and this many patients must have these things in place.’ Or to offer assistance for smaller organizations.
Again, there is traction toward that, but until that truly happens, we’re going to continuously lag behind in healthcare. And we haven’t even touched on the resource challenges that we all face, regardless of industry.
“It takes a village”
It’s absolutely an uphill battle. During Covid, several security companies offered their solutions for free, but you need people to implement those solutions. As I stated before, it’s a delicate balancing act. These security solutions can sometimes unintentionally disrupt patient care and quality of service. You certainly don’t want to cause challenges with patient care because you’re going to secure a system.
And so, it does take a village, and it takes a lot of communication to implement these solutions. The challenges have existed in healthcare for quite some time; we don’t see them going away, but there’s certainly a lot of positive traction happening at the national level with the current administration.
You mentioned rural hospitals. There has been some funding made available to help rural hospitals moving forward, and that’s important. We certainly like what we see.
Getting the message out
Gamble: I would think it’s very validating to hear about cybersecurity discussions on the Hill. As you know, it requires a lot of people constantly beating the drum and elevating those conversations.
Vinson: Exactly. To share a bit more about Harris Health, we received the first ever cyberthreat information sharing grant in 2015 from the Department of Health and Human Services. We have certainly been on the tip of the spear. From a public health standpoint, we need to share this information across the industry; knowing is half the battle. We want to get that message out.
Harris Health System’s headquarters is in Bellaire, but we’re also part of Texas Medical Center. And so, there’s a tremendous amount of collaboration we’re doing to make sure we’re protecting the area from a cyber perspective.
“Guardrails” for AI
Gamble: When you look at some of the trends we’re seeing with artificial intelligence and machine learning, clearly there’s a lot of potential there. But there are concerns from a cybersecurity perspective. What has your approach been there?
Vinson: We’re absolutely monitoring the usage at our organization. When you bubble that up to the larger public health picture, a lot of positive things can happen with this technology. But as we know, with anything positive, the threat actors and cyber-criminals know how to reverse-engineer that and use it to their advantage.
And so, although we’re certain it will continuously turn the healthcare sector on its ear and provide great quality care in the meantime, we do observe. We monitor. We look at what’s happening from an industry standpoint. There’s a lot of talk on the Hill to ensure the technology isn’t being used for bad, but only good.
“Painting a picture” with data
We’ll make certain that we put in guard rails for our organization and understand how it’s being used. Because as you know, with ChatGPT and other forms of AI, once the information is fed into it, it goes out there for public consumption. There’s something in the cyberworld we call data aggregation; you might think it’s a little piece of data, but once you start aggregating all that data, you can paint a picture. And so, although there are certainly many privacy concerns as it relates to AI, there’s a lot of good that can happen from a patient care standpoint.
Enable & protect the business
Gamble: It seems like a lot of your role is about striking a balance or trying to maintain balance.
Vinson: Absolutely. At Harris Health, we’re integrated within the business, which means we don’t look at it from just a technology perspective. We have to understand the mission and understand how we fit in and enable that business and protect it at the same time. We certainly don’t want to be the ones that stunt the growth of new technology, but we want to be at the table to make sure it’s being utilized in a method where we can protect not only the data, but also those who will benefit from the technology.
“We’re not an afterthought”
Gamble: You alluded before to having a culture of security — I want to talk a bit more about that. What are the keys to making that a reality?
Vinson: It’s setting the tone at the top. I’ve been here for a decade, and we’ve been preaching and advocating from the beginning to be involved in various meetings from the bottom up. It takes time. And I will say that after a decade, we’re there; from the boardroom all the way up to the mailroom. That’s what I mean by being part of the culture.
Our CEO, Dr. Esmaeil Porsa, gives us great support. He attends our threat intelligence meetings on a monthly basis, and we speak at town hall meetings. Our board certainly is in tune with what’s happening there. We advise the business, sometimes on a daily basis, with our messaging.
It is paramount at Harris Health that cybersecurity plays a significant role in the mission and strategic vision and works closely with the CEO. I’m happy to say that we’re not an afterthought. We’re out there messaging and sitting next to the CEO and our compliance and IT partners — as a matter of fact, all of our partners — to make sure we’re mitigating that risk, because we certainly want to contribute to the great mission at Harris Health and be part of that success.
That’s how we’ve been able to do it. Messaging, branding, talking about cyber and staying in the know. It was really important to receive that grant back in 2015. Things have matured across the industry, but we can see the work we did back then continue to blossom from a national strategy standpoint, and even looking at medical device security. Sometimes it’s not easy blazing a trail and being on the tip of that spear, but we’ve been doing things quite well for a decade now, and things are really starting to blossom.
Cybersecurity’s 10-year evolution
Gamble: Being in the role for a while now, you’ve seen the evolution of the CISO. And you touched on it a bit before, but would you say it’s been a gradual process of security leaders becoming more strategic business leaders and less focused solely on cyber?
Vinson: In the past decade, it has really grown. But you have to take care of it, right? You have to water it so that it matures. We’ve historically been in the background, protecting things behind the scenes. But as we look more at risk and at the evolving cyber program, it’s important that we sit at that table and help create messaging around the importance of cybersecurity.
We want everyone to be a cyber ambassador — that messaging comes from our CEO. As I stated earlier in the conversation, healthcare is one of the most attacked industries, and so, resiliency is extremely important. We have to be out there talking about how cyber issues can impact clinical operations, how they can impact our organization, and how we can survive when that happens.
“We’re part of the strategic vision. We’re in this.”
That’s been the evolution of cyber over the past 10 years for our organization. Years ago, a lot of people would’ve looked at us as the technology base, but now we’re part of that strategic vision. We’re in this. We’re bringing technology in; let’s look at the risk. We have to make sure everybody knows that we’re here. We’re part of the fabric of the organization, from the clinical units to purchasing to legal and compliance. Thus far, it’s been a great journey.
Cyber leaders as “advisors to the business”
Gamble: Sure. I would think that’s where having strong relationships with other leaders comes into play, so that cybersecurity isn’t viewed as being blockers or hall monitors.
Vinson: Absolutely. It’s very important building those relationships and that trust, because as you mentioned, we don’t want to be looked at as the stop gap. We want everybody to look at the risk and say, ‘is this a good decision?’ or ‘have we thought about this?’ We’ve evolved into advisors of the business in certain avenues and can give assessments.
As advisors, we’re here to support and enable the business. Truly, the business needs outweigh the risks. And as we move forward, it’s nice to be brought in and to know that our advisory matters.
Gamble: As you said before, healthcare is constantly under attack, and as big organizations suffer data breaches and other incidents, there seems to be more awareness. Has that made it easier in some respects to convey the importance of cybersecurity investments?
Vinson: It has. The awareness is everywhere — even TV shows talk about ransomware. Most people in the US are aware of what happened a couple years ago with the Colonial Pipeline and the problems we had on the eastern seaboard with fuel. And there have been challenges with meat plants because of security issues. Everyone is fully aware.
And so yes, it does help. It goes a tremendously long way to socialize our mission and why we’re here. I’ll tell you, it’s very little resistance. People get it. It’s an evolution.
Path to Harris
Gamble: Right. So, I’d like to talk a bit about your career path. You’ve been with Harris for about 10 years — what about before that?
Vinson: My journey to cybersecurity started when I got my undergraduate degree in industrial technology electronics from Elizabeth City State University. I was in ROTC there, so I went on to the military and became a signal officer. It was a natural progression to go into communications and security.
During my time in the military, I was also a reservist. Back then it wasn’t called a SOC; it was a network surveillance center. I worked there for several years monitoring information and I ended up working at one of the premier intelligence agencies — the National Security Agency — for several years. I transitioned there and went into financial services to be head of cyber for an organization.
“The only safe day was yesterday”
That’s been my journey. I’ve been doing this for more than a quarter of a century. This industry is exciting — the only safe day was yesterday. It is a journey and it’s something you have to stay very proficient at. The threats evolve on a daily basis. The threat actors evolve. There are also insider threats — whether it’s intentional or unintentional, it happens. That’s been part of my journey.
It’s been a long tenure as CISO. As you probably know, the career expectancy for the role is about two and a half years at most organizations. Harris Health has afforded me the opportunity to do what I do best. And we continuously have fun with our mission here.
Early career experience
Gamble: I always think it’s interesting when leaders have a military background, which has really become pretty common in healthcare. It’s not surprising; there are a lot of connections.
Vinson: Absolutely. And of course, the experience at my old agency didn’t hurt either.
Gamble: I’m sure that was great preparation, along with being in finance. The transition to healthcare couldn’t have been easy, but obviously you’re enjoying the challenge.
Vinson: I am. Being in financial services is completely different from healthcare. You can be a lot more rigid in that industry, because at the end of the day, you’re protecting the investments. In healthcare, you’re trying to protect those lives. That’s why I talk about the delicate balancing act.
“It’s not all about technology”
There’s a lot at stake. There’s a lot of disruption that can impact care quality as well as patient outcomes. You need to be aware of that. You need to understand the business. You need to understand the mission. You have to be part of the business and understand what the core outcomes are supposed to be, and make sure you’re moving toward them. Because it’s not all about technology; it’s about articulating the risk, understanding the risk, and mitigating that risk so that we can do our mission and do it very well.
Gamble: The last thing I want to touch on is a trend we’re seeing, which is that more cybersecurity leaders are speaking at conferences and doing interviews. There’s been a shift, and it’s been really refreshing. It’s a step in the right direction.
Vinson: It absolutely is. For the past several years, cyber has been one of the most talked about things on the news. It matters, and so, you clearly need to have a leader that can articulate those concerns and talk about emerging threats that are out there. Because historically, we’re born out of technology. We’re born out of the IT mission, but cyber is its own domain. If you look at the military, they have their own cybercommand now — that’s how important it is.
The evolution of security leaders speaking and being out in front absolutely matters. And we should be, right? We’re part of the business, and so, we should be able to articulate what’s happening, understand and present those challenges, and explain how it impacts the business. That’s how I like to look at it. Everybody should be a cyber ambassador and understand the bottom line and the outcomes of what you want to achieve.