Published November 2022
Steven Ramirez, VP/CISO, Renown Health
CIOs have a lot of weight on their shoulders, says Steven Ramirez, vice president and chief information security officer (CISO) at Renown Health. If there is a breach, the CEO will be calling the CIO first, and he or she will have to be able to talk the talk. That’s something the CISO should always keep in mind. And that’s also why a mutual relationship of trust between CIOs and CISOs is the best defense nowadays, he says. “All things that go beep are owned by the CIO,” he says. “So my job is to protect all things that go beep.” In this interview with healthsystemCIO’s Founder and Editor-in-Chief Anthony Guerra, Ramirez shares his views of the challenges health systems face with their big, fluid attack surfaces. Driving home the reality of a possible ransomware attack with the C-suite and tightening down on identity access management are some of the approaches he uses.
Podcast (Duration: 32:52)
Guerra: Steve, thanks for joining me.
Ramirez: Glad to be here.
Guerra: All right, very good. Do you want to start off telling me a little bit about your organization and your role?
Ramirez: Yes. My name is Steven Ramirez again, and I’m the vice president and chief information security officer of Renown Health. I’ve been at Renown for about 10 months; today, actually. It is a system up in Reno, Nevada. It’s the area’s trauma center, so any of you bad skiers that have been out there, definitely come see us. So it does have a dedicated Children’s Cancer Center and a new affiliation with the University of Nevada, Reno, UNR. So that partnership’s really going to enable us to start getting cutting-edge research, innovation, etc. And they have been the biggest player in the market for quite some time, serving Northern Nevada for quite a while.
Guerra: Very good. Can you tell us a little bit about your career journey? I like to find out how CISOs in healthcare wind up where they are.
Ramirez: Yes, it actually started up in Georgetown, up in Washington, DC. And right as a lot of the digital transformation components were going on I was the “millennial,” so they threw a lot of the IT risk management and some of that at me, since I had the only Facebook account in the office. And really the rest is history. I went from there to CHI. CHI was really in acquisition mode. CHI is now CommonSpirit, so it was part of the merger and acquisition team. So I really saw that footprint grow to 19 states, over 100 hospitals into what it is today with CommonSpirit and that merger with Dignity. Then, I went over to a short stint at Baptist Health in Louisville, Kentucky, and then went to the vendor side. So got to see what the other side of the aisle was doing; really encompassing payer and provider.
I then worked at McKesson on the medical imaging side, so got to do a lot of IT risk management, cybersecurity advisory work, also looking at continuity and redundancy for medical imaging systems. And that’s really when a lot of the medical imaging security was starting to come to the forefront. I then went on to IBM on the Watson Health side, working on Medicare/Medicaid and was an appointed CMS security officer as part of that. So I got to go through that whole fun stuff on NIST 853. And going through the controls that CMS has as well as the ATO (the authority to operate on), onboarding any of their systems. So it really has helped me get a strong background into that. I then went over to UofL Health, right as they were doing an acquisition of Jewish in that system in the Louisville, Kentucky market. So that was about 15,000 employees, nine sites in the Louisville, Kentucky area, and then came to join Chuck. And so, really, I’m through and through on healthcare. Both my parents are providers. So yes, there’s the story of me.
Guerra: For those who may not be aware, Chuck is Chuck Podesta, (chief information officer at Renown), who is a good friend of mine. We’ll get more into you working for Chuck a little later in the interview. But when I looked at your LinkedIn profile, I noticed a number of your positions had a strong emphasis on business continuity planning and disaster recovery. To me, that is one of the most important areas right now for CISOs. What do you think are a couple of the keys to getting that right?
Ramirez: Yes, that was great, because you’re planning for the worst case, or the what ifs with a lot of that. So that enabled me to really work backwards, looking at these critical processes, assets, technologies; people, process, technology, a lot of stuff that we do look at from a CISO perspective associated with that. So I think that is critical. We’ve seen, especially with healthcare, that it almost seems like every other week there’s another health system being impacted by that. And really, that puts the emphasis on how we’re so dependent on IT systems, as a health system, as a healthcare community.
We do have to have that cyber resilience state of mind that if our systems go down, how are we able to get them back up as quickly as possible but also maintain operations, just because there’s an impact to IT? We can’t say, “Sorry, guys, we’re closing,” being a healthcare provider. So really, we’re having to ensure that we are providing quality, safe care through the full lifecycle of a patient being at our facility, so again, that really is critical. And I think it is still a shortfall in healthcare, in general, making sure that people do that, especially with a lot of our new nursing students, travel nurses, etc., coming in. A lot of people aren’t used to downtime if you have to go to paper. That’s why we’re seeing ransomware and whatnot being so impactful to organizations, just because of people being so dependent on technology and never having to do it the old-fashioned way.
Guerra: It seems to me as a CISO, you have to think at a high level about the well-being and the operations of the organization. You can’t just get to the end of your defined job and stop, because then you’re never going to help the clinical side figure out what they have to do. And it’s tricky, because it’s not really your job to tell the clinicians to make sure they know how to go to paper. Who should be driving that discussion?
Ramirez: You do hit on a good point. With a lot of BC/DR (Business Continuity and Disaster Recovery) — just because of the technology aspect — everybody thinks IT owns it. But IT can really only do so much. And that’s really where the CISO job has also evolved into a lot of the points you said, needing to really be embedded into the business and clinical side of the house, because that’s where you really would see the biggest impact if there was a system interruption. But it’s internal relationship-building and partnership. CISOs need to have a close relationship with their chief compliance officer, because that gets into compliance-related issues, and they need to help drive that aspect, also your CMIO, big stakeholders and really ensuring the success of that. So that’s been a focal point that we’ve put into our GRC, which is Governance, Risk and Compliance Committee, that then filters through our Audit and Compliance Committee that then goes up through the board. So we’re trying to get that level of visibility, to really tell that story that a lot of these organizations that have been hit by ransomware, they may have invested a lot into technology, people, and their overall cyber program, but it’s just a matter of time until somebody clicks the wrong link, etc., that you’re going to be in that situation.
We have a focus in IT of being able to recover, but then how can we partner with the business to really ensure operational continuity. So that’s where that buzzword cyber-resilience is really coming into play. We get it when it comes to tornadoes, the old-fashioned emergency management, but really using that same mindset of like a hurricane Katrina, and the impact operationally on a hospital, to embed that cyber state of mind. So that’s really doing tabletops, getting with those clinical stakeholders, but then really making sure that it is built into the culture of the organization.
We need to make sure that we can continue patient care, and that’s training awareness, and then working with the clinical teams to see what potential single points of failure there are and practicing tests and repeating it – like they do in the ED if there’s a chemical spill or a mass casualty incident. So bringing that same mindset of emergency management into cyber preparedness.
Guerra: So if you were giving a message to your CISO colleagues, and saying, “Hey, you have to be initiating these conversations with (for example) your CMIO.” You have to be discussing with them, and say, “Hey, let me take you through a scenario, I just want to talk about it. We have a ransomware event; we have to shut down these applications. This is something that could happen. You need to know what to do when I call you and say, these systems are coming offline in 30 minutes. I can’t figure that out for you, but I want to initiate this conversation so you understand how this will go down from our end, so you can figure out what to do on your end.” Would you say you have to be doing that as a CISO?
Ramirez: Yes, you’re almost serving as the traffic cop/moderator to bring those discussions to those stakeholders, as you said, to really make it clear that we can’t do everything for them. For example, clinical or medical imaging, that if there’s a downtime to the PACS, you can still walk up to the modalities, the physical devices themselves. But maybe if a provider doesn’t know that based on where they’re located, if it’s a remote read, etc., like small things like that, on having a plan, executing and making sure people are able to communicate in situations like that, that’s not necessarily IT’s job. But that’s really on partnering with your CMIO, your radiology chiefs, and others, to really ensure that that department looks at everything from a workstream in those interconnections starting at the emergency department to the critical care units. They need to see who those key stakeholders are that really put that ecosystem together.
That enables you to work with those teams to see how those handoffs are. Because things can be done. We’ve seen hospitals operate on downtime. They work on planned downtime all the time. So it’s really about just making sure you look for those gaps, wash and repeat on training. And again, having those discussions with those key stakeholders in the system.
Guerra: It’s a great plan, it’s a great idea. But I wonder what a CISO should do if they’re not getting the engagement they need in these conversations. That would be concerning. I would imagine that’s a case where you want to just make sure things are documented. Because after the fact, you want to be able to say, “I tried.”
Ramirez: One hundred percent. Yes, and that’s the best way; that’s where audit and compliance are your best friends. Because, again, I always use that as a targeted way to bring something up to board visibility. I can say all day that this is a risk, etc., tying it to cybersecurity, but then if it becomes a regulatory, a compliance, an accreditation or the potential that we could be sued because we’re negligent and not having aspects of this together, our cyber insurance group isn’t going to cover us, etc., I can get more traction.
But there’s a lot of ways that you can drive those discussions to expand it so they’re not hearing it from just the CISO alone, but also hearing it from another key leader, like your compliance officer. It really helps build that and drive the issue within the organization.
Guerra: It’s interesting, you mentioned your parents are providers. Are they physicians, nurses?
Ramirez: My mom’s a respiratory therapist and my dad was a primary care emergency department provider. So he’s actually the doctor and the boots on the ground from a clinical side.
Guerra: I’m sure it gives you an understanding of clinical care. You’ve sort of got a leg up on them with understanding. My wife’s a nurse practitioner. And just through her stories, I understand a little bit more about the clinical environment, certainly than I would have. It helps you understand how complicated it is and how busy they are. I mean, there aren’t hours or half hours of open time where they can attend a committee meeting. Right? So when you want to get that engagement, when you want their time, you understand how much you’re asking of them? So what’s the best way to engage with physicians? He probably gives you great advice.
Ramirez: Yes. And I’ve seen that really growing up in the office, seeing my dad run around, or even if I’m in town to see him and I’m trying to take him a sandwich for lunch, if he’s running in between badging in and out, using those kinds of different technologies. He’s always been a great resource. Because again, I’ve seen it firsthand, talked about his woes, and he still invites me to dinner now that I’m on the IT side (laughing). So yes, he has always been a great resource to be like, “Dad, what do you think of this? Or is this really something that’s impactful? To really have that?” And I always tell my CMIO that. I think it’s a good icebreaker to say, “I can’t do what you do. But I understand a lot of it having grown up seeing components of that,” to really make it real when I’m talking to her, in our case in our current organization or CMIOs in my past or other clinical leaders.
Guerra: He basically says, “Leave them alone.” (laughing)
Ramirez: Yes. (laughing) “Make it work. Make it work.”
Guerra: Leave them alone and don’t disrupt their workflow, right?
Ramirez: Yes, we know clicks are precious gold on the clinical side.
Guerra: Right, very good. High level question; what are a couple of the big trends you’re looking at that you think other CISOs should be aware of and maybe preparing their organizations to deal with?
Ramirez: I think identity access management is still huge, it’s still a big gap in the industry. And it’s just because healthcare is so complex. We have community connect providers; we have community providers, we just have such a big end-user base that people who need to access our systems, especially being trauma hospitals or research affiliated, there’s just a wealth of data and a need for people to be able to access, especially with the legislation on information blocking. People understand that patients need to be able to have their information when they want it, when they need it.
But that’s going to also open up a workstream of scammers in a sense that they’re going to spoof being Steven Herrera who wants to have access to his record to see XYZ and there’s some potential for holding someone else’s data. You know, I’ve seen some articles on that, that they’ll say, “Okay, we’re holding Steven’s data hostage, we have all that information, and maybe it will leak,” if it’s based on your role or who you are.
So as always with any new technology, new legislation, a lot of times people don’t think of the downstream security impact. I know that’s a subset of identity access management, but that’s also getting into that Zero Trust model for not only people that are accessing our systems, but information we’re sharing out, like, how do we authenticate? How do we ensure that we’re actually giving it to people who are who they say they are, and that then potentially provides an administrative burden.
It’s tough to get a lot of our patients to do two-factor authentication just for My Chart, as you can imagine, if they’re coming in and requesting a record. But again, as we’ve seen, ransomware is always related to access. A lot of that is, this admin account wasn’t two factored or this has a domain admin account, and it shouldn’t have been, or this person left the organization 30 days ago, or it was a managed service provider. So there are a lot of things that we should be doing as part of Security 101 before we’re getting these new buzzwords like Zero Trust. I think focusing on those fundamentals, there’s still organizations that don’t two factor; we should be doing some of those as a baseline.
But also, early detection is key. As I said earlier, it’s inevitable that a lot of organizations are going to experience a security event at some point in their tenure. You know, it’s something that keeps us CISOs up at night, but we don’t generally sleep anyway (laughing). But really, I’m focusing on that. The earlier we can detect something — just like your doctor — the earlier we can stop the spread. So using that hygiene methodology from medicine and bringing it into cybersecurity is a way you can help not only educate your clinical staff, but also really preach that message internally. So I’ve really put a focus on 10 to 15 minute detection times with containment, and then being able to have that seamless incident response. Because stopping the spread, stopping the impact, is really how we can have a more seamless and expedited recovery, versus all systems are off, we’re out for multiple weeks. So that’s been the key: access and early detection, those have really been my biggest focal points.
Guerra: Very good. Very good. So, let’s talk a little bit more about identity and access management (IAM) software. It’s not easy, right? Tell me what’s the hard part about it.
Ramirez: It’s just so complex in healthcare because you’ve got all of the internal users; the nurses that are charting, your pharmacist doing the medication, or radiologist. They all need very different system access. And then, with interoperability, making sure these systems talk, and they’re doing 100 things at once, as we know, with COVID. And even before that, there were staffing shortages. So that’s what we’re seeing — that’s why phishing still is so prevalent and effective. If an account like that is compromised, look at the wealth of information and/or system access they can have. But then, you take that a step further, getting into IoT medical devices. That’s where people have generally privileged access to be able to go on-board, off-board systems, and of course, the IT administrators who also have that privileged access to keep the lights on.
And then you have external access for vendors that might be monitoring hosted systems or doing maintenance on their systems or community partners. So as you can imagine, just these five or six different use cases and/or users that we’re looking at gets really complex on level of access, system level access, data level access. That makes it very complex in tracking a lot of that. And it just also makes that attack surface so big as a healthcare organization, on what they’re able to do when we’ve been compromised—just basic user accounts.
Before that, people are trying to run scripts to inject you with malware, ransomware, etc., on like a Citrix hosted server. So it’s a lot, it’s already a monumental and Herculean effort to manage all of those assets and access internally, but then you throw in the external needs of a research perspective, a community provider wanting to refer you and/or you’re referring, you can imagine, that whole dynamic is very, very fast-moving and fluid.
So, again, if one thing goes wrong, an account is compromised, somebody uses the same password, etc. — especially with remote work — if something’s compromised in that manner, it just really, really is complex. So it’s getting into that granular level of monitoring, then layering in two-factor authentication, privileged access management, and really just making sure you’re minimizing the impact of that. And then again, partnering with the privacy team to really make sure that people are looking at what they’re supposed to, in more of a proactive manner.
So there are a lot of pieces that go into it. That user anomalous activity is something that I’ve always put in as part of that second precursor to make sure that if people are doing activity from somewhere that they typically don’t, building some of these rules out to shut off access. You never want to do that in a healthcare setting. But if it’s something that looks like Dr. Ramirez typically never goes to this system, and he’s an ED doc, why would he be logging in from Russia or Florida out of the blue? So some baseline stuff on access that can really help drive stopping a lot of that information. But it is very, very complex.
Another area is how you onboard people into your organization based off of what they’re doing. And then there’s third-party risk management. So vendor access; what are they accessing within our system? What do they need to do? Do they need an unlimited kind of access? How are we granting that access? And then off-boarding. So there’s a lot of good complementary technologies to not only automate that, but if you’re automating that, that’s trusting the machine and/or AI to do a lot of this for you. So there’s a potential for giving wrong access, etc. So that really drives security assurance, making sure that if you automate, you’re putting a process, procedure, you’re putting a policy together, that you really are aligning that assurance practice to make sure that you’re practicing what you preach and not putting your organization at risk.
Guerra: Wow, there’s so much there in what you just said, it’s unbelievable. So all these things work together. And I suppose they all fall under the Zero Trust umbrella.
Ramirez: Correct. And yes, it’s about inconveniencing a threat actor and/or limiting the damage. I love to use the use case, especially around the holiday season of Kevin McAllister and Home Alone. When the bandits or the threat actors are trying to get in, he puts different traps and things into place to really keep them out. Do they still get in? Yes, they do. But as you saw, in a kind of a humorous way, that he put out a lot of traps (externally being your perimeter) to try to keep them out. And then once they’re actually in your house being inside your systems and in that manner, that there’s also other traps to better protect and/or inconvenience them while you’re hoping that the police will show up – and those would be your incident responders – to be able to mitigate and get things back to normal. So just another way to kind of normalize it with a real life example, to kind of make it fun in a sense.
Guerra: We talked about how IAM is hard. And it’s the same thing with network segmentation, right? It’s intensive, correct?
Ramirez: Correct. It’s expensive, it takes a lot of man hours, it takes a lot of architecture design. And there are also limitations. So if I were building a new hospital tomorrow, this would be different, as you’re being able to build everything net new. But as you can imagine, you can’t just stop all operations in a hospital. As is, we have legacy devices, there’s hardware refreshes, we’ve got hosted systems. So again, that’s why healthcare is such an easier target than some of these other systems, because they’re able to harden their systems, harden their perimeter, but our attack surface is just so much wider and more expansive. We have medical devices; we have IoT; we have people coming in a children’s hospital where we have Xboxes because you want kids to be able to do stuff while they’re getting treatment. So as you can imagine those intricacies and complexities also drive additional risks that we have to look at from the lenses of access, segmentation, early detection, etc. Is this a friend or a foe? So that’s almost a 24/7 job making sure that you’re able to normalize that. And then a new risk can be introduced, a new technology or a Log4j zero day, and then it’s something else popping in.
Guerra: The regulatory dynamic that health system CIOs and CISOs have to operate under is challenging. You’re being told that you must protect everything. And yet, you must allow all data to be fluid.
Ramirez: Correct. That is a robbing Peter to pay Paul sometimes on that. So yes, challenging.
Guerra: As we mentioned before, you’re now working with my good friend Chuck Podesta over at Renown. I assume you report to him. So tell me a little bit about what you think are the keys to CISO-CIO relationships. What does the CISO need from a CIO to be successful?
Ramirez: Really, to understand the broader digital strategy and different workstreams. There’s always been the debate about where the CISO reports. I have a dotted line to our chief compliance officer as well. But that discussion has been going on. I think if a CISO isn’t part of IT, they don’t get as much truth and have a pulse on all the technology risk. I think that’s still part of strong partnerships and relationships. Chuck is a good CIO, very security conscious. I’ve been lucky to have two great CIOs that I’ve worked for between UofL Health and Chuck. Yes, just having that level of trust that they know you’re here to protect them as well. Because the CEO is going to call them first if a system’s not working. They’re also the key leader of all things technology within the hospital.
We always say, “All things that go beep are owned by the CIO.” So my job is to protect all things that go beep. So that’s really having that partnership on what your vision is, what their roadmap looks like, and then aligning that because security is part of everybody’s job in the organization, not just from a technology standpoint. So it’s really being that supplemental service to align to what the CIO’s direction is: pushing innovation, looking at research, looking at all those integral discussions that they’re embedding in with the business. Then we see how we can protect that with access detection, those datasets ensuring data movement, all of those components that enable quality safe care. So it’s building that level of trust; building that great relationship, and I think that all CIOs this day and age really understand the importance of the CISO and their role to support them and protect the assets. And I think that that relationship has gotten closer over the past three to four years when we’ve seen the onset of ransomware.
If you have to educate your CIO on security today, that’s pretty crazy. But again, there is so much to that whole ecosystem, I spoke about the CIO owning that. I think that they understand the importance of being proactive instead of reactive on a lot of that and just intertwining that and then them supporting you on that too. This day and age, most people are going to come to the table and not push back too much on that, but supporting that, and then having the rest of the chiefs as well, saying that if he’s saying this is a risk, we need to push back, we need to, as a leadership team, understand and support that.
Guerra: Yes. And what I’m thinking is those discussions we talked about earlier, as the CISO goes out and tries to shore up the disaster recovery and business continuity from a high-level, organization-wide patient safety perspective, the CIO is probably going to have to support their CISO, because that may be necessary to get some of those conversations going. Does that make sense?
Ramirez: Yes. And I agree, 100 percent.
Guerra: Very good. Well, we’re about out of time. Steve, final question. Let me frame this up. You’re speaking to a CISO at a comparable-sized organization, what’s your best piece of advice for them as they go about trying to protect their health system?
Ramirez: Don’t always say no to the business because you never know, on an act of goodwill, when that can come back to be needed down the road. So a lot of times, the security guys are like, “No, never answer any questions, never collaborate.” So again, building that relationship with the business and instead of saying no, it may be better to understand where you can compromise on a lot of that. Our job shouldn’t always be “no,” because we’re here to support the business. So always remember that, especially in healthcare, we need to look at process and workflow and then see how we can compromise, have a mitigating control and/or minimizing access, etc. That’s always been my thing. I learned growing up with two clinicians in the house – but also seeing where other CISOs are successful – that partnership and collaborating with key stakeholders are the keys.
Guerra: That’s perfect, Steve. Thanks so much for joining me today. I think people are going to really enjoy this.
Ramirez: Appreciate it.