Published June 2021
CIOs and CISOs have a tough job in the best of times, but a COVID-19 pandemic only made things that much harder, according to Mark McArdle, chief products and design officer at Imprivata, a Lexington, Mass.-based healthcare IT security company. In this episode of the Partner Perspective Series, Anthony Guerra, editor-in-chief and founder of healthsystemCIO Media Inc., speaks with McArdle about cybersecurity and digital identity governance in today’s waning COVID landscape and some of the ways CIOs and CISOs can clean up the “mess” created by the huge influx and displacement of clinicians across an enterprise. The process isn’t one to be swept under the rug, won’t be easy to implement, and comes with a tough sell to upper management, but CIOs and CISOs who want to keep their organizations secure shouldn’t shy away from the difficult realities. Manual management of identities isn’t safe and isn’t cost effective. Proven ROI can help sell change to those controlling the purse strings.
Clinicians are very smart, and they’re devoted to their patient care mission, so things that get in their way are either quickly killed or worked around.
… it’s rare when the tumblers line up that by doing the right thing to lower and manage cybersecurity risk you also become more efficient at the other end.
… healthcare CIOs and CISOs should be looking to think about how cybersecurity risk is being more prescribed from a regulatory perspective.
Guerra: Mark, thanks for joining me.
McArdle: It’s great to be with you today, Anthony.
Guerra: Tell me a little bit about your organization and your role.
McArdle: I’m the chief products and design officer at Imprivata. Our mission in the product team is to define the ways we can leverage digital identity to enable clinicians to have fast and effective access to all the tools and technologies they need to help their patients. And we do that by working closely with all our partners, both inside Imprivata, as well as our customers, to understand how to use digital identity to improve cybersecurity and clinical workflow efficiency. I’ve been in cybersecurity for about 25 years, and I love the space and I love the worthiness of cybersecurity, but when you’re doing it in healthcare, it takes on a whole new level of worthiness.
Guerra: Tell me a little bit about your experience. I know you came from outside of healthcare. Tell us how that informs your perspective.
McArdle: I’ve always had healthcare customers, but I’ve never had to focus on the clinical side like I do at Imprivata. And what that has highlighted to me is the challenge that CIOs and CISOs face in healthcare that’s different than say, the financial sector. A lot of my customers in the past 20-plus years have been in the financial markets, and because they are professional risk managers, and they are heavily regulated by the SEC, there is a lot of proactive effort underway to drive the overall cybersecurity hygiene to a better and better state. CIOs and CISOs in the financial sector are measured very differently by their users than they are in healthcare. In healthcare, your focus is really on making sure clinicians have access to everything they need. Downtime is bad. Friction in helping them get their work done is bad. So, it’s a very different dynamic when you’re trying to make sure that the infrastructure you are using is always available and always secure, patched and up to date. Change is a risk, and change brings with it the possibility of breaking something in the clinical environment. It’s a more acute challenge for healthcare professionals than we see in other sectors.
Guerra: I understand what you’re saying. In both industries, you have what you would call powerful customers, powerful users. I think in healthcare you have a lot of powerful users who aren’t employees of the hospital, where in the financial industry, the users tend to be employees, which gives you more of a degree of control.
McArdle: I think there are some big differences. That’s one of them. But also, the healthcare environment relies on shared devices much more so than typically in other enterprise environments, where you have your own phone, your own workstation, your own laptop. In the clinical environment, high re-use, high shared use of devices is normal and accelerating, especially with mobile devices becoming more and more prevalent. That makes the security aspects much more difficult to manage than say, locking down your own PC with your own MFA token — you’re not logging in and out of that system dozens of times a shift, or even hundreds of times a shift.
Guerra: There are a couple of issues here. It might be, as you mentioned, an iPad that is shared among different people, so when a shift comes on and a shift goes off, you’re changing users. And that’s totally different than bringing your own device. I don’t know how prevalent that is outside healthcare.
McArdle: You’re typically using enterprise resources that are assigned to you as the individual in most financial and even normal enterprise use cases. And if we look at healthcare on the administrative side, they resemble the more typical enterprise user, where they have their laptop, access to Office 365, and maybe a few more apps. But then if you flip to the clinical side, there are dozens and dozens of applications that the clinicians need access to, all of which have identity and security requirements that go along with them. And that’s a much more complex problem to manage.
Guerra: We know healthcare is complicated and complex, and nowhere more so perhaps than around identity. Add to that the requirements of COVID that called for clinicians to be moved around to different roles, with access privileges given and sometimes not taken away after the person is moved off a system. Did you see this happening with COVID, and has it created a mess out there?
McArdle: Absolutely. Managing digital identity has always been a challenge. But today healthcare CIOs and CISOs are coming out of an extraordinary period of challenge, which exposed the risks of doing provisioning and deprovisioning in a manual, or non-automated, way. COVID changed everyone’s plans. It was all-hands-on-deck to bring on and provision lots of new clinicians and change a lot of clinical workflows. The surge of clinicians was one challenge, but an even bigger challenge was the reallocating or reassigning staff to areas of higher need. For example, in ambulatory nurses were moved to ED or ICU to help with the influx of COVID patients, and existing staff needed different access based on the new roles they had. The mass provisioning was a huge challenge, but as the dust is settling now, CIOs and CISOs are figuring out the best way to bring order to it all. And one aspect of bringing order is deprovisioning or removing access that was supposed to be temporary. Otherwise, you end up with this stacking problem, where clinicians accumulate entitlements and access to systems that they don’t need and shouldn’t have. And that’s really where identity governance comes into play. That’s where it really drives a ton of value, and the real compliance and ROI benefits are what’s driving the attention on identity governance today.
Guerra: Let’s talk about risk. One of the core elements of a CISO’s job is knowing and communicating risk, correct?
McArdle: That’s right. They are risk managers. You can’t invest in everything to 100 out of 100. You have to identify where your greatest concentrations of risk are. What are the things you can do culturally inside an organization? What are the things you can do with technologies? There are a lot of different lenses and aspects of what you can do with risk. Ultimately, that’s what you have to decide as a professional risk manager.
Guerra: I would imagine that rarely has a risk profile shifted so quickly as it has over the past year with COVID. Was this a unique situation for CISOs to not even know where they stood for a while, and are they now in a regrouping process, trying to get their arms around their new risk profile?
McArdle: What we recognize coming out of COVID — or at least seeing the light at the end of the tunnel — is that the understanding of how to manage healthcare has evolved. The remote work brought into play drove a lot of new infrastructure requirements, but also a lot of risks to be managed. Coming out of COVID, we’re starting to see this hybrid work environment. That’s not going away any time soon. Another common thread through all of this is the new influx of clinicians, either bringing them back from retirement, or graduating from college classes, really emphasized the need to be able to drive identity. It was important to get these clinicians productive from day one, with entitlements to all the systems they need to serve the patients they’re assigned to, and that’s critical. And if you can’t do that for days or weeks, that’s not helpful. That’s inefficient.
And the second part is just making sure that over time, as a clinician moves from one group to another with different entitlements, that those entitlements don’t just accumulate over time. That’s a compliance challenge, and ultimately the way regulatory pressures evolve over time, getting ahead of that is a good idea. Finally, you have to look at the ROI. What does it cost to have a doctor or nurse not fully provisioned for a couple of weeks? We’re starting to see strategic investments to make an organization, as a whole, more efficient, now that COVID is subsiding. But during COVID, we were working with organizations just to make sure they had what they needed in terms of digital identity tools from us, and some of the bigger projects, we understood, had to go on hold.
Guerra: You talk about coming out of COVID, and we’ve touched on this issue before in our interviews, the idea of picking up, or seeing where you left off. Enterprises need to ask what was interrupted and what are the realities of the new world we’re living in. And a reprioritization has to take place. I’ve talked to some CIOs that have said telemedicine is not currently holding the priority that it had during COVID. What are your thoughts on reprioritizing and what’s your advice for keeping identity governance in the mix?
McArdle: Identity governance is not a small tactical project that you can roll through in a couple of days. It is a potentially complex endeavor. The complexity of the roles, the number of disparate technologies, the use of shared devices, all make this a bigger challenge in healthcare than for your typical Office 365 enterprise user. But the first step is to identify the best solutions in the market that understand and focus on the unique requirements of healthcare and leverage existing digital identity investments. There are a lot technologies—from the EMRs through the vast ecosystem of clinical applications—that all have identity requirements. And you have to be able to integrate that vast ecosystem, so when you bring on a new clinician, they are in the groups that they need to be, with all of the entitlements that are necessary for them to be successful in that role. That’s something that requires both curation and driving insights for how your digital identities are being used today. And that’s one of the things that we encourage customers to do is leverage how their credentials are being used today. That can be another lens to drive ROI, where if you know many clinicians are actually using clinical application X, you might have overprovisioned that, so there’s cost savings there. But this is part of the challenge. If you don’t get on top of that, and you don’t use identity governance as a tool to drive ROI to become more efficient, you’re leaving budget that is precious on the table, and it’s getting wasted. So, that’s an important aspect. Make sure you’re able to leverage the digital identity infrastructure you have today, to be the starting point for how to curate going forward.
Guerra: So leveraging what you have, you are talking about picking the right vendor. It’s a big project and it’s a complicated project. If you pick the right vendor, one who knows healthcare, one who knows how to do this, obviously, it’s going to be easier. That’s one of the concepts there. But we have to first pick the project. We have to first decide that we want to do this and then we can make sure we pick the right vendor and all that. It seems like a no brainer. When people aren’t going forward with automating digital identity, what are the reasons you see?
McArdle: It’s a great question. It varies a lot from one organization to another. But a common thread has been budgets are really tight. A governance tool doesn’t sound at the 50,000-foot level like an absolutely critical must-have clinical infrastructure. This is why it’s so important to tie it back to ROI. We get that and we focus on that. That’s why all of my portfolio products focus on the ROI driver. It’s great to manage risk, and there are a lot of things you have to do in cybersecurity to manage risk; CISOs are used to this. But some of those things don’t always change the needle ROI-wise. With some cybersecurity efforts, you’re not getting more efficient because you do it and in many cases, it actually breaks the usability side because it makes it harder for your users. In the identity governance side, this is a real clear-cut case for ROI, because you are making your clinicians more efficient sooner. They are able to fully access all the tools they need. And you are managing risk and efficiency better over the life cycle of those clinicians, by making sure their entitlements are always up to date and accurate and removed where they no longer need them.
Guerra: It sounds like a lot of CIOs and CISOs would like to add a governance tool, but they need to get the dollars approved. That’s where things could get stuck. You’re giving them the argument they need, because you’re saying risk reduction might not be the winning one. That might not take the day. But ROI is legit. It’s there and that’s what’s going to get it over the finish line in terms of approval.
McArdle: Absolutely. This is one of those fortunate areas where you can improve the efficiency and stretch your resources to go further, by managing identities better, and that’s been borne out time and time again with all the customers we’ve engaged with. But I do think it is important to understand that in healthcare especially, that ROI is a key driver in making cybersecurity investments. It’s not as highly regulated as, say, financial is—yet. There are certainly rigorous regulations in place around managing patient data. But there is also a need for recognizing that to become safer, we need find ways to fund that. Making the environment safer—either through license management or through managing our healthcare providers more efficiently and productively—goes a long way.
Guerra: A classic issue is how to balance security and usability. Sometimes security measures reduce usability. It’s a trade-off, like everything else. What are your thoughts around this?
McArdle: It’s a great point. Cybersecurity has been notorious at times for forcing a zero-sum game between security and usability. “I’m going to make you more secure, but it’s going to come at the direct expense of how your users experience their resources.” Passwords are a great example. Long complex passwords are definitely more secure, but they’re a nightmare for regular humans to manage. Clinicians are very smart, and they’re devoted to their patient care mission, so things that get in their way are either quickly killed or worked around. We’ve seen some very creative ways that clinicians get around attempts to make things more secure, if those things get in the way of their patients. We have seen how digital identity has been used effectively as the control plane and it’s resulted in improved clinical efficiency that drives real measurable ROI, as well as increased cybersecurity compliance and reduced risk. That’s rare. I’ve been in this industry and cybersecurity a long time, and it’s rare when the tumblers line up that by doing the right thing to lower and manage cybersecurity risk you also become more efficient at the other end. That’s a special combination, and it all ties down to that basic fact that we focus on the clinician’s experience. We want to get technology out of their way and help the technology serve them, so they can get to their patients and spend more time with the patients and less time with the tech. Identity governance helps to make sure that that’s a consistent deliverable. Clinicians’ entitlements and all their accesses are managed throughout their entire life cycle, not just in a shift, but during their entire career.
Guerra: I’ve spoken to your chief medical officer, Dr. Sean Kelly, a number of times, and one of the things that impressed me most that he says is, “As a clinician, don’t interrupt me. When I’m doing something, and I’m deep in thought and trying to figure something out, don’t interrupt me. That’s very damaging.” How does that relate to what we’re talking about today and the technologies of identity governance?
McArdle: It’s a great point, and I love working with Dr. Kelly and his clinical team, because they really are our direct connection to what the clinicians need out of our products. We want to make sure that that digital identity protects the patient data, protects the clinicians, and drives the efficiencies needed. We want every second that a clinician could be spending with a patient, spent with a patient. If there are things we can do to optimize that, that’s where Dr. Kelly and his team have helped guide us. They live right in the center of that. The key message here is: as much as strong passwords are good for cybersecurity, when you’re a clinician who needs to type in a password 40 or 50 times a shift, that becomes a real problem. That’s a real efficiency issue. Walking into or out of a patient’s room, updating a test and doing some vitals, going back to a shared workstation and having to type in that long pass phrase again; that’s a mess. So, our focus is on finding ways to make sure the security is still there, through robust biometrics and through tap-and-go capabilities on robust cryptographically secure smart cards. This is not about getting all the security out of the clinicians’ way, but doing it in a way that makes it transparent to the clinicians and in many ways makes them more efficient while being secure. That’s a great mission for us, and it’s exciting to see how that’s evolved, especially now that we’re looking at governing identities. It’s one thing to talk about a clinician one-on-one. But when you’re dealing with thousands of clinicians—all with maybe different roles, or at least split into many hundreds of different groups, with different types of accesses needed—managing that chaos is incredibly hard if you don’t have the right capabilities deployed.
Guerra: You have a significant base of customers, and I’m sure they’d like to know what’s next from Imprivata. What’s coming down the pipeline?
McArdle: I spend a lot of time talking with CIOs and CISOs in healthcare. The ones that have come into healthcare from highly regulated markets like financial or the military, are accustomed to working collaboratively. They have built a really good ecosystem where they share knowledge and leverage each other’s experiences. This comes in handy with vetting vendors, sharing vendor insights, or answering due diligence questionnaires. They realize they don’t do this alone. In financial, when the SEC started bringing handcuffs into play for not doing the right things from a cybersecurity perspective, that drove a lot of attention. If we look down the road, financial has a bit of the leading edge because they have big budgets and they are professional risk managers. But if we appreciate where things are headed, healthcare CIOs and CISOs should be looking to think about how cybersecurity risk is being more prescribed from a regulatory perspective. Healthcare won’t be the same as financial, but some of the same risks have to be managed. We’ve seen what’s happening today with ransomware. This is horrifying what’s going on with some hospitals being taken down for days and sometimes weeks. These are the types of things that are going to force a lot more focus, and hopefully support for CISOs, when they are making the pitch to the exec team and the board to get investments for things that will make the organization both safer and more efficient.
Guerra: You speak to a lot of CISOs and CIOs. Let’s look at CISOs first. What common traits do you see in the ones who impress you?
McArdle: I think if you’re a CISO who is long-tenured, you’re doing really well. It’s a tough job. It is not an easy job. We have a saying, “The bad guys only have to be right once, and you have to be right every single time.” It’s asymmetric warfare; the tools are evolving. The weapons that they are deploying online now are evolving faster than the defenses in some areas. It’s always been that way. It’s always been cat-and-mouse. The successful CISOs are the ones who look at others and learn. They steal the best practices. They are constantly paranoid about not thinking about things the right way and building real threat models that are not an academic experiment but based on the reality of the complex environment they’re responsible for. It’s a tough job and I have huge respect for those who are doing it and want to support them in any way they need. But the CISOs are primarily risk managers, and they have to have a good appreciation of the attack surfaces that they are responsible for.
Guerra: Take CIOs now. Different profile for success?
McArdle: The CIOs I think are still judged primarily on availability. What’s working and let’s keep it working. They live at that intersection of the tension between cybersecurity best practice and not annoying or frustrating their clinician users. That’s a tough place to live, and I’ve seen and experienced challenges in the past where a multi-million dollar MRI machine is running an old version of Windows. And you’re not able to patch it, because that would potentially break its FDA certification. So you’re left with an MRI machine that could be potentially hacked unless I put other secondary measures in place, or I update it and it’s no longer legal for me to use as an MRI machine. You don’t find that in a lot of other industries. It’s a particular challenge. Healthcare CIOs have a very tough job. And that’s why we’re so motivated to try and find ways to help lighten the load. We understand those challenges.
Guerra: Do you see a shift from those individuals managing the work to those managing vendors doing the work—as things go to managed services and into the cloud? The job almost becomes different.
McArdle: It does. And in other industries we’ve seen this. A new practice has come up called vendor risk management, where you’re not just the CIO or CISO for the things that you directly manage, but you’re responsible for that ecosystem that you bring in, whether they’re cloud vendors or an outside email list vendor. The expectation is that your responsibility is going to grow as you use more cloud technologies, but your direct control over those is different than it had been traditionally, where you could walk down to your data center, talk to your own IT people, and get the issue resolved. That’s the way it’s moving. The compelling economics of the cloud is getting hospitals out of managing data centers and replacing those data centers with more beds. That makes sense both commercially and academically, but it is a different kind of role and it requires careful planning because healthcare is not the same as a lot of other industries. There’s complexity there that ultimately manifests itself in how well the clinicians view the change.
Guerra: We only have a few minutes left. The way I see this, manual identity management is not an option, you need to move forward with some kind of system and you’ve given our listeners some good arguments to prove this is a worthwhile spend. Wes Wright, your CTO, has spoken about the identity mess, or spaghetti, left over from COVID. Any final words of wisdom or advice?
McArdle: I think it’s important not to kick this can down the street. It is important to become as efficient as you can with the resources you’ve got. Identity governance is an important tool in that arsenal. You need to focus on the ROI side of it and not think of it as just a management tool that will print up some compliance reports. It’s much bigger than that if done properly. So, when you look for identity governance, look for things that really understand healthcare. Healthcare is messy in terms of tech and there are lot of integrations and third-party pieces that have to come together. If you’re focusing on identity governance, that complexity has to be part of what the solution absorbs. If it doesn’t, the “spaghetti” will be left on your plate. Make sure you’re doing your homework and recognizing that the solutions out there aren’t all the same. The ones that demonstrate ROI consistently in healthcare are the ones to put at the top of your list.
Guerra: Spaghetti equals risk, right?
McArdle: Spaghetti is risk. Absolutely.
Guerra: Thanks, Mark, for your time.
McArdle: Thanks a lot, Anthony. It was a lot of fun.