There’s an old adage that people won’t comply with the “what” if they don’t understand the “why.” For information security professionals, communicating the ‘why’ around the need for compliance with security policies has always been a challenge. Trevor Brown, Deputy CISO with Yale New Haven Health, says one of the best ways to get the point across is embedding the messaging in a risk context, which clinicians – who deal in it daily – well understand. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Brown discusses this issue along with the importance of leveraging phishing exercises to keep users sharp; why it’s a huge benefit to hire folks who know clinician operations; vetting new applications to mitigate third-party risk; and much more.
Anthony: Welcome to healthsystemCIO’s interview with Trevor Brown, Deputy Chief Information Security Officer at Yale New Haven Health. I’m Anthony Guerra, Founder and Editor-In-Chief. Trevor, thanks for joining me.
Trevor: Nice to be here, Anthony.
Anthony: All right, very good. Can you tell me a little bit about the organization and your role there?
Trevor: Sure. So I’m currently with Yale New Haven Health; we are right around 30,000 employees, primarily focused in Connecticut as Connecticut’s largest healthcare system. We have five main hospitals and probably around 350 off-site locations. We’ve also expanded into Rhode Island and New York and always – like companies our size in the healthcare space – we’re looking to pick up acquisitions where we can. And in terms of the security group, we have about 40-45 people in security, primarily focused on risk and audit, identity access management, cybersecurity, and security architecture.
Anthony: All right, very good. I want to start with an open-ended question, just to see what’s on your mind. What are you thinking about these days, any big trends you’re looking at, big projects you’re working on? So, what’s top of mind for you?
Trevor: There’s a few tracks. I mean, one on the actual tool side we look to use best-of-breed tools. We do shift from time to time and there’s usually a project ongoing in that space. One initiative that I’ve really been pushing this year is end-user training. So, a lot of organizations, they talk about end-user training, but we’re really pushing it to the point of going to locations, meeting with department staff before their shift starts, providing that user training on the spot, and also, pushing out quarterly phishing and really making sure that those users who are failing are provided with the proper training. So that’s something that we really want to push, just because the prevalence of ransomware, any type of malware coming in through email, is so prevalent that your weakest link is your actual user base. So, just clicking a link could be catastrophic. I mean, hopefully it’s not. We have some pretty good tools in place and people, but really pushing that training out.
Anthony: Okay, very good. Let’s talk a little bit more about the training. Is it mandatory? Does it happen just when they join the organization or more often than that?
Trevor: So the one annual training we have on information security and compliance is mandatory. We just did a full revamp of the program. It hadn’t been updated for almost four years now. So we just did that and then we rolled it out this year. And then we have the quarterly phishing training as well, so if you fail that, then you’re brought into our learning management system for required training. It’s the two-pronged attack.
Around identity and access management, we’re very good at onboarding, pretty good at terminations – the area that we, I won’t say we struggle, but I think like most organizations, definitely all the big organizations I’ve been at, it’s around the transfers. Sometimes you transfer someone and something happens along the way, in that they maintain their old permissions, and then you have that type of privileged access internally. We have done a lot of work in that space, but that’s always something we’re looking to improve on.
Anthony: And that’s because of the size of the staff and the amount of changes that happen. I mean, there’s changes all the time, especially in healthcare people are moving around, sometimes temporarily, sometimes to handle a certain need in a certain area. And then, there has to be that communication with security.
Anthony: Tell me a little bit more about that. That’s why it’s hard to get your arms around it, right?
Trevor: Yes, we have a pretty good process. A lot is dependent on that HR communication, it’s an automated feed that yes, this is the termination date. But sometimes those don’t go in or sometimes, as with most health systems they have a lot of non-employee users as well in their EMR systems. So you could be an outside provider and an employee of Yale New Haven and you leave Yale New Haven, but you still need EMR access. And then there’s a lot of very nuanced type of scenarios where they need access for this but not that, and that’s when you get into a manual type of review by one of the analysts on the team.
Anthony: And the goal there is to make the manual stuff as rare as possible because that could just be endless, right?
Trevor: Exactly. Yes, and we operate on the premise of minimum necessary. So minimum access to data, minimum privileges required to perform your job. We really push that minimum necessary.
Anthony: So let’s talk a little bit more about the quarterly phishing training. Any thoughts on that or things you want to share about doing that well and making it effective?
Trevor: Yes, it’s interesting. So when the early phishing emails came out, they were very recognizable; bad spelling and the sentences just didn’t make sense. Now the phishing is so realistic that you get them and you’re like, ‘Well, I am expecting an Amazon package today, is this it?’ so feedback has been mostly positive. It is required for all employees and it’s something that we try to push out and show the benefits of that training so that the security posture is enhanced as a whole across that 30,000-employee base.
Anthony: Healthcare is not big on punishing people for these mistakes. Does that ever have to change? Is there ever a stick to go with the carrot?
Trevor: There is to some extent. I mean, it depends. We have HR policies and information security policies in place so that if you do something beyond what we would deem just inappropriate, there’s an off-boarding process and a number of steps that would be involved. In terms of phishing, what we’re doing is we’re building that out where (after failing a phishing test) the employee is sent to training and their manager is notified. So we found that’s quite helpful. Sometimes the manager and the employee both failed, so it’s going to one level above. So when you have that discussion with your manager, usually you’re going to do the training.
Anthony: Crafting these emails, these phishing campaigns, is this something you use outside help for? Is this something you try and design yourself?
Trevor: Yes, a lot of them. We do use a third-party tool that has various templates that you can choose from. We did a holiday-type phishing exercise where they were like, ‘your package is being delivered.’ They also come with an external banner, so if emails are coming in, you are expected to know that, ‘hey, is this external?’ I think the vast majority of companies have that in their email; that’s the first indication to pause, I would say, from an employee perspective.
But yes, the templates themselves, the tool we use is pretty good. There’s a lot of standardized phishing-type tools out there. I think they all offer pretty much a similar package where you can choose phishing templates and then you can choose types of escalation emails for those that failed. We build those in and then, I would say, that last 1 percent we go to a manual-type process where we’re working with them and making sure that they understand the benefit of the training.
Anthony: Right. So one angle of creating the culture of security is the testing. How do you get people to care? What’s the messaging there that, here’s why you should care.
Trevor: Yes, so we do have those types of monthly, quarterly email blasts that go out, newsletters. Also, our approach when we’re discussing information security – since we deal with a lot of physicians, nurses, a lot of patient-centered individuals – is to really portray it and put it in a risk perspective, because those individuals are dealing with risk every day with their patients. ‘Should that patient have surgery? Should they not?’ There’s risk to each of them. So we portray that from an information security perspective, and I think once you have those risk discussions, it really starts to click with the end users, and they do understand where you’re coming from.
Anthony: Very good. So you mentioned the culture of security. What might be number two that’s on your mind, either a trend or something you’re working on, something you’re looking at, trying to follow?
Trevor: I would say the number two thing is really making sure that we’re sound in the identity access management space, making sure that those users who no longer need access or are terminated or transferred, that their access is provisioned correctly. It’s really streamlining those processes. So that’s a big initiative that we have, around the user access space.
We also have a number of activities ongoing to support a lot of the patient-facing type areas. So we’re embedding and working with the teams in those areas, and also from the employee experience viewpoint, making sure that whatever actions we’re taking, that security is built into that. So there’s a lot of work in progress with the various projects going on and making sure that the right security person is involved.
Anthony: How do you get people to come to security; to know it’s part of the process of selecting and onboarding new tools. You don’t want to have to find out later or chase them down. You want them to really appreciate that it’s important to do this. Has the environment around this gotten easier?
Trevor: Yes, it’s definitely changed. I’ve been here over 10 years and earlier in that timeframe, people didn’t want security involved. They wanted to just get their projects done because they knew there could be some time holdups or certain types of requirements, extra requirements to delivering the end product. Later in that period of time, it’s completely flipped where now no one wants to do anything without ensuring that it’s gone by security for that check. And we’ve done a lot of work with our project management teams and we have a really good intake process to make sure that projects are going in through that vetting channel and that the right technology groups, including security, are involved.
That being said, are there ones that slip through? There always are. But I would say that number now is very, very limited. The number of 11th-hour, ‘hey, we’re putting this in,’ without notifying security, I mean, that’s a rarity now, and I think that’s something that we built over time. Like any organization, it takes time for that type of culture to switch and change where they see security as an asset opposed to a hindrance. So we’ve really put a lot of work into that. I think that it’s really shown through the organization.
Anthony: What is the usual method of finding something that someone has purchased or turned on without the proper vetting? Can you think of any ways that it pops up on your radar? How does that happen?
Trevor: Yes, a lot of them, and they come in through other employees either in the technology group or other departments. They might be detected through a number of our scanning tools that we have. Those are really the two main methods. I think it’s really important to have those key contacts outside of the technology group. People that are aware in finance, compliance, other areas where a lot of times they’ll come to us and say, ‘did you know about that third-party tool or did you know about that new donation site that they’re spinning up?’ And they come in and then we get involved. So having those, I would almost say, allies, from a security standpoint, that are embedded through the organization that we work closely with really helps us.
Anthony: Yes, and again, from what I hear, it turns into a rather friendly, ‘hey, we saw you turn this on. We’re here from security.’ It’s not a punitive, how dare you? It’s a – ‘we’d like to explain to you how to protect the organization a little better.’ Is that the dynamic?
Trevor: Yes, it is for the most part. I think in healthcare in general, it’s more cordial and more supporting each other than in some other industries. But I think once you do explain the benefits, then I would say the vast majority of people are on your side and they want to make sure that whatever product they’re rolling out is properly secured, both from a patient and employee perspective, and for the organization as a whole.
Anthony: So you mentioned that they’re much more likely now to come to security. I think they understand, they want that stamp for their own benefit …
Trevor: Yes, yes.
Anthony: So they are coming to security, and you want to make sure it doesn’t fall into a black hole like they feared in the past. You want to make sure you turn it around and give them good service, right?
Trevor: Sure, sure. We have a pretty well-defined security design review process. So we have a number of individuals internally that do reviews and also we leverage an external company for some of the more technical, I would say, specific reviews where we need to leverage outside expertise. We have questionnaires. If there’s a vendor involved, we’ll meet with them. We’ll meet with the internal types of sponsors and then we produce our end product as a risk assessment. If there’s risks that are identified, we list those as needing to be addressed or implemented prior to the projects going live, or they can be remitted after. And we have a review process, an annual review process, where we go and we validate and we check and follow up on those risk issues.
Anthony: I assume you’re seeing the gamut from the vendors in that some are responding quickly with exactly what you asked for, and maybe some you don’t hear back from. And then you may have to go back to your internal user who wants this app and say, ‘we’re not getting the information we need or they’re not responding back to us in a timely manner. So, hey, maybe you want to reach out to them because they’re not getting back to us.’ I don’t know if that dynamic happens.
Trevor: We have done that. We will escalate to our sponsors and there have been instances where the vendor is just being so non-responsive that we, as an organization, decide not to use them and to go with someone else. Or if they’ve come back with their security posture just so low that our strong recommendation is not to use them. Obviously, that can involve many types of escalations and dynamics around the need or the necessity of that vendor. I think we’re respected enough that, if we have a strong opinion, then that business or clinical area will decide to go with another vendor.
Anthony: Right and you use the term ‘sponsor’ for the internal person who’s requesting this app or championing this app. And I would imagine that transparency can go a long way here in convincing that sponsor or helping them understand why we don’t recommend you go forward with this. Here’s what happened. Here’s where they’re falling short.
Trevor: Yes, and it’s interesting. The vendors that we do say no to, usually those business or clinical areas have had issues with them as well. I find it goes hand-in-hand – if you’re a bad vendor on the security side, you’re usually a bad vendor from like a delivery standpoint and responsiveness. It runs the gamut like that.
Anthony: Very good. Let’s talk a little about medical device security. This is an interesting area where it seems the small number of device producers don’t have to be very responsive to individual customers. What’s your take on the current state of things? I know they can even be hard to find, let alone secure.
Trevor: Yes, so one thing we did do is several years ago we weren’t good with tracking our medical devices or knowing what we have, and we put some pretty good scanning tools on the network that would detect these types of devices. We did build that really good inventory base and asset inventory on those. In terms of the security governance type of issues, I think vendors are really seeing that you better be pretty tight around this area because there is a lot of influence and some policy creation coming from the government side. And I think most of the larger vendors are pretty good in this space. Some of the smaller vendors, we’ll see things where they’re still running very old operating systems, or they’re embedded so you can’t even do patching on them. We try to work with the vendor to upgrade those or to isolate them.
It’s all a risk decision too. For example, if you have a medical device in a locked room where only two people ever access it physically and it doesn’t hold a lot of data, then it’s probably something that we may not address. But if it’s something that is much higher risk, we’ll work with the vendor. Then again, if they don’t see that as a benefit, we can always look for other types of vendors. There are some that are very specialized, but usually you do have a close competitor as well. I think that from a vendor’s standpoint, keeping up with good security hygiene is a selling point to customers.
Anthony: It’s certainly become more and more of one, yes. You mentioned risk-based decisions. IT security folks are supposed to identify, quantify and then translate risk to operational leaders who will make those decisions, correct? So it’s important you can translate security speak to business speak I assume.
Trevor: Yes, so I think it really depends on what the risk is. We do have influence. If there’s something that’s a large risk to the organization as a whole, we would have that authority to say no or heavily influence that decision as a consensus to say no.
When it gets to some of the smaller risks when we’re going through those closeout meetings and through the risk, we will make those individual decisions with the sponsors, with the project teams. And sometimes we’re fine with risks being accepted. We have a good risk tracking tool to document accepted risks. We would follow up with them either biannually or annually to make sure that they still are an accepted risk, whether we need to mitigate, whether it’s even still in the organization. Maybe the application that they’re using is no longer used so that risk has gone away. But I do think it’s really important to write them in a business/clinical type of presentation, whereas I try to really work with the team to keep a lot of that technical type of wording limited so that your point is coming across, but it is understood by the sponsors in the business areas.
Anthony: And do you think that that’s a maturation process as an IT security professional, for example, you’re working with someone junior, perhaps mentoring them, and that might be a typical mistake they make? ‘This is way too technical for the people we’re going to go talk to in an hour,’ or something like that.
Trevor: It definitely is. It’s a skill set, and it’s something that you mentor and you work with people on. I’ve seen some risk assessments that I read and I’m like, ‘this is so technical that no one’s going to understand it.’ So we do mentor the younger staff. We work with junior employees, security analysts to make sure that they’re presenting in a certain way that a large audience can understand and that’s also how we write policies. Policies are written by the policy committee with the thought that the person reading it has never read it before and has no knowledge of security, but it’s still understandable for them about what they can and cannot do.
Anthony: Very good. So your CISO, Glynn Stanton, did an interview and he talked about the experience gap. I guess some of the folks that are brought in, junior folks come in maybe out of college, obviously they have to get up to speed, so to speak. And one of the things he mentioned was, I guess they have a hard time judging what’s important and what’s not important, what’s a real risk and what’s not. What are your thoughts on that dynamic?
Trevor: Yes, that’s a really good topic area. And one thing we really try to emphasize to an individual employee is that you are part of a wider team, so don’t think that you need to be making these decisions on your own, especially when you’re writing a risk assessment. When you’re going to finalize it, always run it by another teammate, your manager, another individual in the security area that has more experience. I think having that type of learning experience as you’re writing these really helps. But you’re right, I mean sometimes people will come in and they’ll say, ‘hey, this is a huge risk,’ and I think what we try to do is emphasize for them to look at it from an organizational impact, not just that small area that you’re identifying and is it really a huge risk. And sometimes it’ll be like, ‘oh actually it’s very low risk.’
So that’s that mindset and it can go the opposite way too. It’s rarer where someone would come in and think it’s a really low risk and it’s actually really high, but it could be when you’re looking at it from an organizational perspective. I think, for example, someone wanted to connect from…they wanted to work remotely from a different country to connect to this application and we said no, and they thought it was a very small risk, but from an organizational standpoint, we explained because of these reasons it’s a very huge risk, so they were understanding that.
Anthony: Yes, and I recall a conversation I had with another CISO who said it’s important to understand context. He talked about the fact that you might accept more risk for an application that your clinicians say is unique in the market and has very high patient care value. He said you have to understand the context to make a real risk-based decision.
Trevor: Yes, I know. I completely agree. And one of the things that we’ve really tried to do from our staffing perspective is to bring in really good people that are in other roles in the organization. And we see them, we work well with them, we see that they have a good risk mindset, security interest, and then we bring them in and then they bring in that clinical business knowledge into the group. I find that’s really beneficial because if you’re working at a healthcare system and all of your information security hires are from the outside and they’ve only worked in information security, you’re going to miss a lot, a lot of that operational understanding, a lot of that clinical understanding. I say it’s almost like a 50/50 where half of our staff have been in other areas of the organization and we bring them in and as long as, obviously, knowing that they’re competent individuals and they can learn the security side, but they bring in a well of knowledge. And then for some of the specialized security areas we will bring in specific individuals external hires, but I do really like those internal hires coming in from other business and clinical areas.
Anthony: Yes, if you’re going to have to talk to a well-respected and experienced physician about something they’re not doing properly from a security point of view, you have to know how to have that conversation. You’re not going to send your junior person out of the basement to go yell at them.
Trevor: Yes, and we have physicians that work in the technology group. So if it’s going to involve, it depends who it is, another physician, we’ll bring them into the conversation and have that.
Anthony: Make it more collegial.
Trevor: Yes, exactly.
Anthony: Yes, that’s awesome. All right, Trevor, I think that’s just about all we have time for. Any final thought based on your experience, your career, best piece of advice for someone in your position at another health system, something that you feel has contributed to your success?
Trevor: I think just keeping in touch with people outside of your organization, being a member of different security groups, going to conferences. Whenever I go to a conference, I always either talk to someone or I see some type of presentation of things that I never thought of and there’s so much new coming at any individual. You’re not going to know everything. So really finding those great people that can work on your team that you can delegate to and you have full confidence that they’re the expert in this area and you’re comfortable with delegating to them, I think it’s very important for anyone in a deputy CISO, CISO position. You can’t do it all. You need those really good people to work with on your team. I think really stressing that, I mean, that could even be the number one thing that will benefit you for creating success in your organization is having great people to work with.
Anthony: Great advice, Trevor. Thank you so much for your time today. I really enjoyed this.
Trevor: Yes, I appreciate it. Thank you.