Swathi West, CISO, Summa Health
When Swathi West started at Summa Health in early 2023, she embarked on a 90-day assessment that included reviewing job descriptions, along with policies and standards. It’s an approach she heartily recommends for a number of reasons. First, in reviewing job descriptions, West found a lack of detail that could cause confusion around roles and responsibilities. Adding detail to the job descriptions, along with some net new positions and additional layers of management, helped her expand an organizational chart that had been extremely flat, leading to more career advancement opportunities and enhanced manager oversight. On the policies and standards side, West’s investigation allowed her to understand exactly what IT security had promised to deliver, putting her in the position to do a gap analysis. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, West covers these issues, along with her other priorities of reducing third-party risk and getting her arms around AI.
Bold Statements
I said, ‘We have a technology stack, so I’m not going to ask you for money for anything new. I’m not going to bring in another piece of technology to fix a problem, but let’s invest in people and process.’
When I first started my one on ones, I was very vocal in that I mentioned, ‘This has been tried, the way this is right now has been tried by a different individual. That’s the beauty of change, we tried it, some things worked and some didn’t.’ Now, when a new leader comes in and changes something, some of it might work and some might not – I just ask them to be open to change, to come along on this journey with me, to just be part of this.
If you only do a few things as a leader when you start, come in and make sure you do that 90-day assessment, pick a framework, I think, even before that. I think the third important thing is to look at the job descriptions because it’s so hard to keep people accountable if they don’t know what they’re supposed to be doing.
Anthony: Welcome to healthsystemCIO’s interview with Swathi West, Chief Information Security Officer with Summa Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Swathi, thanks for joining me.
Swathi: Thank you. Thanks for having me, Anthony.
Anthony: All right. Excellent. Why don’t we start off, tell me a little bit about your organization and your role?
Swathi: Sure. I am Chief Information Security Officer for Summa Health. Summa Health is a health system based in Akron, Ohio. We are a provider, also a payor. We have 3 hospitals, several health clinics. We have more than 10,000 users today, it’s a pretty decent sized hospital. I manage access management, security operations and governance and compliance. Anything that you can think of, audits, assessments, training, provisioning, deprovisioning, transfers, etc. We have quite a few things going on in the team. Today, we’re 13 people strong and I think we’re hoping, by end of 2025, we’ll have more than 20, 25 people.
Anthony: Okay, very good. You mentioned all the things that you’re in charge of, and a question popped into my head. Is it pretty standard stuff? I suppose the CISO purview can vary a little from place to place.
Swathi: It’s a very good question, Anthony. I think when I first started at Summa, I was also a consultant. Prior to Summa, I was acting like a virtual CISO, if you will, for other health organizations. I worked with Mississippi Hospital Health System there. I think there’s no black and white rule for what a CISO would have in a health system. I think every health system is a little bit unique for a CISO. You will see that throughout the titles, there will be a couple of CTOs that also are CISOs in some health systems. There is a CSO title even – if you just think about Cleveland, a Cleveland Clinic CISO has different responsibilities compared to Akron Children’s and then University Hospitals.
For us, in ’23 when I first started and even now, we’re just transitioning it but we still manage our edge firewalls. That’s an interesting thing. There’s no black and white for that, in terms of where it would sit. It more has to do with the expertise and the skill sets and the type of people that you would have. Our network team is very good, so we’re shifting those responsibilities into that team and now we do Imprivata and we do Epic.
As a CISO now, we’re provisioning Epic providers and users and sometimes you don’t see that. Epic teams usually own the Epic provisioning, but for me I have it. It just depends on the skill set, I think, for hospitals also people too. I think that’s another important aspect for us. I’m very passionate with training so we’re also doing targeted training. We’re also focusing on that.
At Summa, our cybersecurity department is almost like an enterprise cybersecurity department because we have a different entity, a payor, Summa Care. We also will work with the payor space and also providers. We have to be skilled in both compliance frameworks, if you will. It just depends.
Anthony: Very good. I think you’ve been there just over a year. Can you talk about the process of getting acclimated and matching up the responsibilities with resources, as we just discussed?
Swathi: That’s a great question. It takes me back to ’23 and it’s only been a year but I started with Summa in February. I think I had a few months and I officially took the position in August. When I came in, I started with policies and standards. I wanted to see what was our intent, what we wanted to do. I think that’s where I started – ‘hey, where are our standards, or access provision standards, or risk management,’ and I looked at our information security charter, our risk register, our risk management policy standard.
I started with the standards and then I made my way to doing a 90-day assessment. What is the framework that we should be using? I think that’s one of the questions I was asking our leadership, executive leadership, what was promised in the past or what have they heard in other hospitals. We, today, have adopted and established a cybersecurity framework. We’re using the NIST Cybersecurity Framework. I did a 90-day assessment to see where our major gaps are, and I’m a very big proponent for cyber resilience, not just cybersecurity. You’ve spoken with so many CIOs and CISOs so you know that, in healthcare, the threat landscape is just changing, and it’s only growing by the day, so we’re shifting our focus here at Summa to cyber resilience.
When I did the NIST Cyber Security Risk Assessment, I realized that we need to put a lot more emphasis on the response and operations space. I’m sure you heard that in the cybersecurity world, it’s not if, it’s when. We want to be ready, right? When it happens, how long would it take for us to be back up and running. We’re putting a lot more effort into security operations, and I think that’s something you’ll see in our org chart and everything that we’re going to do in ’24 and ’25.
That’s what I did, started with standards, reviewed that and had my one on ones with the executive leadership so everyone that reported up to our CIO, our stakeholders. I met with privacy, legal, the four pillars in the organization – privacy, legal, internal audit and compliance. I met with my peers in that space, understood what they thought about cybersecurity from their perspective, in terms of what are some things that we should be doing that we’re not doing.
At that time we, as a department, were relatively flat. We had just analysts, architects and engineers, so I started reviewing job descriptions and, using the cybersecurity framework, we added knowledge, skills and abilities to the resumes and then we started changing the org chart. That’s how we created these different pillars in the cybersecurity department of governance to compliance, the IM (identity management) and the operations.
Yes, I think there was a lot of organizational support, but the first 90-day assessment, that’s something I would definitely do again in the future if I go to any organization. I think that would give you a great understanding of where you’re at with the cybersecurity department and where you want to go in the next 2 to 3 years.
Anthony: Very good. So you go to the policies and standards first because then you can at least see what the organization is trying to do, and then you can figure out if it’s falling short, correct?
Swathi: Yes, for sure. I think policies are as good as how you can really keep them. I think that’s where my philosophy came about, so when I said okay we have two information security policies, an acceptable use policy and everything else is standard. When I first came in I was reviewing all that and started interviewing our stakeholders, like our CTO, our director of infrastructure and network, just to understand how they were communicated. And there’s so much change or churn that happened in a year or two that they got lost, no one really knew where they were at or they weren’t able to get on board with some of the things that they promised they were going to do.
I think that’s one thing we realized, we had to put a lot of emphasis on communication; and the second thing is even in the standards, the process sometimes is not being followed. What are those major gaps that we have today? What is something an ideal state can look like and what are we doing right now?
We started being advocates for our technology team. I think that was a big change. Two to three years before, I think security and technology, you would see in some organizations, there’s some friction. But we were doing really good here at Summa because we’re being such an advocate by helping them. ‘I know this is a great thing for you to do but you’re not able to do it because you don’t have the funds or you don’t have a test environment, let me help you.’
So I think that was a really good effort we pulled together in 2023. I think bringing everyone together and writing those policies – we had a big exercise into Q4 and Q1 ’24 and said why don’t we sit together and figure out what could we do for patching, what should our vulnerability standard look like. That’s another thing. After doing all these exercises, Anthony, we figured out that people and process is where we want to focus in the next three years, and I promised the board and the executives the same thing.
I said, ‘We have a technology stack, so I’m not going to ask you for money for anything new. I’m not going to bring in another piece of technology to fix a problem, but let’s invest in people and process.’ And I think you’ll see we’re going to hire a lot of cybersecurity individuals, and we have a lot of projects going on, we’re rewriting all our policy standards. So we’re putting a lot of emphasis on people and process. So that helped immensely starting with those standards and just the roadmap and understanding of the standards that we need to focus on with communication and adoption. I think that’s such a big thing we’re going to work on in ’24 is adoption. We communicated that this is the best practice, are you able to adopt it by ’24? So we want to keep maturing in that space.
Anthony: They have to be readable too, the policies. I interviewed a CISO the other day who talked about the fact that those need to be reviewed so they are understandable by the average user.
Swathi: Yes, 100%. I think more, like I said, what helped was bringing the technology partners along in the policy and process journey. I think that really helped because we’re communicating with them, we’re interviewing the stakeholders, we’re saying, ‘hey, what is your understanding, how long would you take to remediate a critical thing we should be doing?’
I think having those conversations really helped us make that a little bit easier for the organization. For sure, I agree with that. It’s harder sometimes when you bring all these frameworks and add it. I think that helped a lot bringing the technology partners in.
Anthony: You mentioned moving some duties and responsibilities around and changing or updating job descriptions. When you want to initiate change, sometimes people are resistant or reluctant. How did you overcome that?
Swathi: Oh yes, 100%. I think being transparent helps in organizations when you have a new CISO. Even any new leader, any CISO, any executive leader, when you come in you would want to try things, I think you mentioned that. You would want to try something else that maybe works. When I first started my one on ones, I was very vocal in that I mentioned, ‘This has been tried, the way this is right now has been tried by a different individual. That’s the beauty of change, we tried it, some things worked and some didn’t.’ Now, when a new leader comes in and changes something, some of it might work and some might not – I just ask them to be open to change, to come along on this journey with me, to just be part of this.
After I reviewed the gap analysis, I gave it back to the team and I asked them what did you understand by this, what did you glean from everything that we did in this gap analysis, and I was very surprised but at the same time, I was very happy because everyone said we’re missing things, such as there’s major gaps in training. ‘We have the technology part of it, but we don’t have an individual to do it.’ Could we have someone from the team actually step in to say, ‘Oh, let me help. I’m really interested in this. I did my masters in cybersecurity, that would be something I really like.’
The same thing with operations, we never had that department. We outsourced it. So how about we now triage some of the incidents that come in. Someone might say, ‘I did that consulting work back in the day, I would love to do that.’ I think we have, internally, tried to ask those questions and I think there’s a lot of autonomy which I was very happy with, even my leadership. As I figure out the skills that we currently have, is there anything that we can pre-appoint, move around; and there’s a couple of positions, Anthony, here at Summa that we opened up internally to say, ‘Hey, this is a great opportunity, are you interested in it? We’re going to give you training. We’re going to give 3 to 5 months that you can get specific training,’ and we have several dollars in our budget just to train individuals because we have a gap. I mean, there’s an almost 700,000 person shortage that we’re looking at in cybersecurity, we’re not going to get all of that today, but how can we train and retain as much talent as we can? I think that’s always top of mind. But being transparent and also bringing them along that journey I think helped with the team, for sure.
Anthony: It’s great when people volunteer or agree to do what you want them to do, but what if they don’t want to but you need them to? How do you handle that? What helps?
Swathi: I think what helped for us is the job descriptions. If you look at the job descriptions that we started with, you were asking for experience and that’s about it. If you only do a few things as a leader when you start, come in and make sure you do that 90-day assessment, pick a framework, I think, even before that. I think the third important thing is to look at the job descriptions because it’s so hard to keep people accountable if they don’t know what they’re supposed to be doing.
Because within healthcare or cybersecurity or some of the departments, we inherit a lot of people from different departments because it takes a long time and it’s hard to find cybersecurity talent out there. We have the server engineers, and we have system engineers, we have network engineers, but they just don’t know what they’re supposed to do sometimes. I think having that job description and standardizing it really helps.
When I started in this journey, I was like, ‘I don’t know where to start.’ I was just lost because the job descriptions didn’t have anything other than just the required experience, so now I just took the Cybersecurity Workforce template, which has the knowledge, skills and ability. That really helped and I started with my management layer. I re-did my CISO job description, Anthony. I think that gave me an understanding of what I am supposed to do, what a good job description can look like and what I can inherit right now; maybe not right now but this is what our next CISO for Summa five years from now should be doing, all of these, and I’m going to pave that path to that person. That was my mindset.
I started with my management layer and I showed that to my team, and I said we know we’re going to hire a management layer because it’s really flat. I showed them, my team and I said, for the manager role, this is what I’m expecting from them, etc. I said in ’23 we were flat, but now we have a ladder. There’s a lot of retention for us. We have an analyst 1, 2, 3 for each department focus group. One, we can always get someone from external right out of college and grow them, or even internal, I removed that type of ‘oh my god, I’m not ready for it’ dynamic. For a person in IAM – we just had this conversation a couple of weeks ago, who does tickets and provisioning, deprovisioning, she did a masters in cybersecurity, I mean she’s a phenomenal individual. Because we created the job description of GRC Analyst 1, all we’re looking for is a little bit of experience and I said, ‘I want to help you get trained and certified,’ internally we’re able to work with an individual. It’s almost like a job rotation that we’re able to create. That worked immensely well.
I think that’s so important for a new leader to figure out – you get one chance and you have to take it, the people part of it, you have to trust the process and make sure you have the retention ladder so you can move people around, and job descriptions are critical to that.
Anthony: I think that’s brilliant and I think that’s great advice and people can go to – it’s called the NIST Cyber Workforce.
Swathi: Yes.
Anthony: They have templates out there? That’s great. Awesome. Let’s talk a little bit about this concept of flat. So too flat means you have too many people reporting to you – it’s not good for you or them, and they have nowhere to move up for career advancement, right?
Swathi: That’s it.
Anthony: There’s nothing in between – so there’s some other benefits here. You don’t want to be too flat but you don’t want to be the other way. You want to be just right. I guess that’s something you’re working towards.
Swathi: Oh, 100%. That’s exactly my thought process when I go in to have those performance conversations and those 365 reviews and whatnot – what is the next thing that you want to look at? And I believe thoroughly that if you’re with me for a year or two, you should learn so much that you’re such a viable candidate, you’re out there, and someone like you has a job for the next two years. I’m thinking about how I keep the people that I have but also make sure they can grow in the cybersecurity area?
It’s hard if you are so flat and I agree with you, if you have too many management layers, that’s hard too, but I feel really good today where we are because we have different verticals. So you can move people around, such as, ‘oh I want to try that for the next 6 months.’
It’s very important to make sure your team feels like there’s something to look forward to, just within the team and even the growth pattern. I think that really helped when I first came in, doing that exercise.
Anthony: Right, right. Excellent. I’m going to ask you an open-ended question to see what you’re thinking these days. What are some of the major trends you’re watching?
Swathi: If I don’t bring up AI, I’d be lying. I think everyone is right now. We could do so much good. I mean, we’re changing artificial intelligence at Summa to like a chatbot, ChatGPT for a chatbot here, that’s what we’re using. I think there’s the unknown part of it – when I talk to my compliance, privacy, and legal partners – I think the unknown of what can be done is concerning. We know hackers are using AI for attacks that they’re doing.
Another thing that we’re looking at is third party management. I think that’s such a big thing. Every CISO, I’ll be surprised if they’re not thinking about third party management along with everything that’s changing, it is hard. It is getting really, really hard to manage all the third parties that we’re using. They just come in the door and there’s the legal perspective, adhering to information security addendums that we need to follow. The disclosures, if there was a breach, the disclosures – are they doing their disclosures, who needs to be reached out to, what’s the process, are they removing our data? Things like that – that’s still top of mind. I know I’ve just been here a year but I think that’s one thing we’re going to look into. I would say definitely third party management has been top of mind for us. We’re looking into that.
I think telemedicine has been top of mind for me and our CIO here. We went that route with Covid, everything that happened. Telemedicine is one thing the world is going towards, but how do we also think about our cyber risks and everything related to it – that’s top of mind for us.
Anthony: Very good. Let’s just go a little bit into those in a few minutes that we have left. AI, I’m guessing one of the main things from a CISO point of view that you want to do with AI is you want to have policies. You want to make sure that the brilliant physicians out there are not doing all kinds of crazy Frankenstein experiments with AI, right? So you have to get policies out there that say, ‘here’s what you can do, here’s what you can’t do and the rest, check with us, make sure you run it by us.’ Is that where you are? To just make sure things aren’t getting out of control out there?
Swathi: Yes. Definitely. I think the more you stop something, the more curiosity kills the cat; the more they would find a way to do it. There’s a funny meme about security which shows a gate and people just going around it. That’s exactly it – we’re going to put in rules and you’re just going to go around those things. I think what we’re stating is do not use it for patient care, and ‘please, if you have any questions, reach out to our CMIO and CNIO. If you have questions, let us help you figure out if that’s the right path of using it.’ Everything else, like I said, I think from the third party perspective we’re starting to control that more. Internally, we’re watching what the production network is doing, with how many people are reaching out to chatGPT and whatnot. The providers, we said, for healthcare, we’re not going to do it up today but we’re going to have conversations with the providers for sure. I think that’s the first step. Today we’re just saying, ‘hey, let’s not use it for patient care.’
Anthony: You talked about the third party risk and what came into my head was that it’s unmanageable.
Swathi: It is.
Anthony: There are too many vendors that are doing too many things with your data. You come in, you try to put things into place. You may be able to develop policies going forward. There’s hundreds of vendors that came in before those policies were put into place. They’re constantly changing, being bought, sold. It feels unmanageable, but one of the practical solutions seems to be application rationalization.
Swathi: Yes, definitely. You hit the nail on that with application rationalization. When I first came in, I think we had 4, 5 departments using the same application. That was interesting, not just application rationalization, even the resellers, even the technology stack too, just bringing everyone together. I think sometimes because you have so many different verticals – let’s just take the example of our CIO. Cybersecurity uses the same platform as the technology, as the e-mail collaboration team and someone in operations and someone in Summa Care – I think being transparent with that budget is important, and now there are a few conversations happening like, ‘okay, let’s just see if anyone else is using that.’ That was very, very helpful.
When I first came in, I sat with my director, my peers, with our technology network team, system engineering and collaboration to ask: what are you using today? And based on that, we changed the budget. I think that’s the first time that ever happened here at Summa, just going through what the technology team is using, IT and us in general to start with. We found like six or seven applications where we have different licenses, different resellers, and so we brought everything together. I think that helped so much and we started having conversation about enterprise agreements and things like that. That was huge. So what you just said I completely echo – I think starting with application rationalization would be very, very helpful.
Also, a good thing for us is we have a vendor management office. It really helps that all the IT contracts come into one place. I think that’s amazing, but what’s hard is it creates a little bit of lag for sure. Everyone else from the clinical operators, I don’t think they like it because it takes time. We have to go through certain requirements, go through BAs and create cybersecurity liability insurance requirements if the vendor is going to have certain records. I think that takes a little bit of time, but I appreciate that.
I think, as an organization, people need to focus on a vendor management office. And I think the one change we’re also seeing is how much cybersecurity is partnering with legal – we’re having a lot more conversations with them now than at any time in the past, around things like information security addendums, AI addendums, information security assessments, and cyber insurance liability. I think they are truly a great partner for cybersecurity, and I think you will see that trend continue going forward.
Anthony: 100%. Legal would be your best friend, right, when you’re in cyber.
Swathi: Yes, yes.
Anthony: It’s got to be a good relationship. Quick, quick final questions, Swathi. Any last piece of advice for your colleagues based on your experience, your consulting experience, your experience working at Summa, best piece of advice that helps you be successful in this role?
Swathi: Share your good stories about what works. In 2023, when I went to conferences, Anthony, everyone was talking about AI. As I started the CISO journey, I wanted to learn what works for others. I started having conversations with my CISO circle here at Cleveland and I learned great things. We started doing things like CISO meet-ups and breakfast and things like that. I learned a great deal from that. I would say to anyone out there, just share what worked for you in that past.
I think, more than anything, that’s what we’d like to learn. Don’t get me wrong. I want to know all the great things about AI, but I also want to learn what worked for you and your journey as a CISO. That’s what we’re doing here. I think that gap assessment we did and focusing on the job descriptions and people management part of it worked for me, and I would say that to anyone as a leader just starting out, just make sure you do the 90-day assessment. Just share your stories, your successes and your failure so we can all learn.
Anthony: Very good, Swathi. Thank you so much for your time today. That was really great.
Swathi: Thank you. Thank you. This is great. It made me think a lot of the great things that I can also do going forward. Yes, thank you. Thank you for having me.