Published January 2023
Esmond Kane, CISO, Steward Health Care
Two or three healthcare organizations a day are falling victim to a ransomware attack, according to Esmond Kane, chief information security officer (CISO), of Steward Health Care and former CISO for Harvard. The way to fight that is to use creativity, perseverance and innovation, he says. And keep in mind, the bad guys are also innovating at the same time you are. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Kane discusses the increasingly challenging role of the CISO and how he uses behavioral questions to find the right candidates for his team. Credentials and HR screening will not always reveal the best choice, but finding out how passionate someone is at their hobbies just might. And when it comes to the board, never tell them you can keep your institution 100% safe, because that’s not reality, Kane says.
Podcast duration: 34:11
Bold Statements
“I want people to understand probability because with the pace of change, sometimes, of the threat actors coming at us, you may never get to 100% certainty.”
“ … there is an analogy sometimes that we have to get cybersecurity right 100% of the time, and the bad guys only have to get it right once. That’s a recipe for self-destruction.”
“It’s far too easy to enter analysis paralysis, it’s far too easy to think that the latest and greatest software solution is going to solve the problem for you. My values, the programs that I build, are based upon doing the right thing, minimizing regret, and making sure that what you’re doing is future proof.”
Guerra: Thanks for joining me.
Kane: No problem. Anthony, thank you for the invitation. I look forward to our conversation.
Guerra: Very good. Esmond. Can you start off by telling me a little bit about your organization and your role?
Kane: So I’m the chief information security officer for a multinational healthcare delivery organization called Steward Health Care. We’re in nine states domestically in the US. We’re in four countries internationally. There’s about 40 or so hospitals nationally, and then about 10 hospitals and clinics internationally. It’s big.
Guerra: It’s big. Yes, it definitely sounds big. Can you tell me a little bit about your career path? How you wound up in healthcare security, that type of thing?
Kane: That’s an interesting question. So I started down the IT track, I was a geek for lack of better expression in the west coast of Ireland, which wasn’t necessarily known for some of its technical aptitude. And I certainly found it very limiting. So when I made my way to the big cities for college, I started to really find my feet in a technical aspect and gravitated towards IT professions. I had my own stint as an entrepreneur. And then I fell into working in the States, fell into the path a lot of other IT practitioners do, working their way up from the help desk, desktop, you know, networking, then into a management role.
And then about 10 or 15 years ago, closer to 15, I was very lucky to be headhunted by the then CISO for Harvard University, where I was working. And he was very appreciative of the program I had built in one of the divisions in Harvard, and he said, “Listen, I want you to come do that for me and do it for all the rest of the school.” So I sat down with my wife, I had a young family at the time, and I made the decision to take a pivot and specialize in security.
It was then a rapidly maturing discipline; it was starting to become much more professional. It didn’t really exist in a lot of industries outside of the financial sector, and certainly as a discipline it hadn’t really codified outside of the military circles and intelligence circles. So I made that move, and 15 years later I’ve been working my way up through the ranks from a security perspective. And now I’m leading a program for a healthcare organization, and it’s been really exciting, continues to be a challenging discipline. And if anybody is looking at cybersecurity, reach out to me on LinkedIn and such. I love mentoring and coaching, and I’d love to help shape your career and provide what guidance I can.
Guerra: Did I miss the transition into healthcare specifically? What was your first healthcare role?
Kane: So I’m based in Boston. It is a hotbed of academia and healthcare. And at some point, most IT and security professionals will probably work in those industries in Boston. So I actually started in Beth Israel in the late ’90s, which then became Beth Israel Deaconess and Care Group and now it’s Lahey Health as well. And the last 10 years I’ve been in Mass General Brigham and now Steward Health Care. I find that I gravitate toward industries where I can align my mission. I find it great and very rewarding to have the perception of giving back. In healthcare, it’s even more rewarding. You get to help people on the worst days of their life, and hopefully you’re able to turn that around and make it some of the best days of their life. They get to ring that bell, for instance. It’s something that I find very rewarding, and I encourage anybody who is mission driven to try healthcare. There is no better mission, really, in my opinion.
Guerra: Yes, it’s interesting. I’ve seen some LinkedIn posts from people in healthcare that are trying to get talent, reaching out to some of those who have been laid off, saying, “You’re not going to make as much money, but you can be connected to a great mission.” So that’s part of what it has to be to get good IT talent, right? You need them to want to be connected to that mission. Are there ways you go about it, especially in the remote world we’re living in? So what are your thoughts on keeping folks connected to the mission?
Kane: I don’t know if it’s my bias or me projecting, but I certainly do look for professionals that think differently, that have diverse backgrounds. I never really rule out a candidate based upon some certificate or things of that nature, I’m always looking for good candidates, and you never know where you’ll find them. And part of that, to your point, Anthony, is there are some soft skills and core requirements that I think are necessary to be successful in security, like curiosity, like perseverance. Those are very hard skills to try and instill or teach. You can certainly mentor, but they take years and decades to acquire versus some of the hard skills associated with your technical requirement or something you could bootcamp. So, aligning with people that have that approach where they will learn continually, that they will knuckle down and commit to the effort, and that they will find value in what it is we do, as a profession and as an industry.
You know, COVID has been brutal on every industry. But unlike most industries, we’ve had to actually work very closely with professionals, clinicians, and doctors and nurses who were putting their own health at risk. And the unfortunate fact of life is not only did the entire global economy take a hit, but there are millions of people that have unfortunately passed away. But the sad fact of life and healthcare is some of those include some professionals that were trying to help. And the caliber of professional you work with, that clinician; I find very rewarding. And they force you to excel, and you want to help them. And I certainly find it very, very rewarding.
When you’re trying to instill some of these controls, unfortunately the bad guys are also trying to attack. The core skill to be successful in healthcare I identify as empathy. But that’s also the very target of some of these unscrupulous threat actors where they’re trying to exploit people who are in healthcare who were trying to find out about COVID, are trying to find out about various issues. And what are the bad guys doing there, they’re sending phishing emails, they’re planting fake COVID trackers. At this point, there’s two to three healthcare organizations falling victim to ransomware on a daily basis. And you do tend to have to exercise some creativity and innovation.
And those are also some of the other soft skills I look for, Anthony, when I’m looking at candidates. I’m certainly not of the mindset that I’m expecting somebody to have 10 years of experience to work on the helpdesk or some of the insane requirements that come out of Silicon Valley. That’s not what I do. I’m looking for people who have those core soft skills, and hopefully I will train them up and hopefully they will find a long-lived career in healthcare cybersecurity.
Guerra: You mentioned a few words for looking for the right talent: curiosity, perseverance, creativity and innovation. Not so focused on certifications, although I’m sure they’re nice to have, they’re not going to get you over the finish line in and of themselves. Do you think the interview is the key point at which you will be looking to pick up on those qualities? And does it come down to a certain enthusiasm they’re bringing to the table, and if you don’t feel it, you’re just not going to really want that individual on your team, no matter how technically skilled they may be?
Kane: It’s a good question. By the time most executives are interviewing a candidate, they’ve already been through a level of HR screening, which I’ve had mixed opinions on. A lot of automated tools are just scraping for keywords and buzzwords, and a lot of HR screenings are just trying to screen out overly mercenary candidates or things of that nature. There is value there, I’m not going to dismiss it. But it doesn’t necessarily put candidates in front of you that certainly I am 100% confident can be successful in the role. So I tend to follow more of a behavioral interviewing role. And I’m asking questions that may seem inadvertent or may seem misdirected, but really, what I’m looking for is to gauge how somebody’s thinking on their feet, exercising some of these core skills that I’m looking for. And some of that isn’t necessarily the professions they’ve been in; some of it’s how they’ve chosen to exercise extracurricular pursuits, sometimes it’s just their hobbies, it’s that enthusiasm that they’re able to bring to the table.
You know, the bad guys are coming against healthcare, so that stamina, that perseverance to learn from your failures and make sure that you can do it better next time – those are things that I certainly look for, and I will ask questions that are trying to drive to the intent of what motivates somebody. What makes them think when they’re presented with a problem that they’ve never seen before, how they’re going to sink or swim.
And the second answer, for the record of that, it’s perfectly acceptable to Google answers. I’m not looking for someone to have an extensive body of knowledge, necessarily. I want someone to know how they can work through a decision tree. I sometimes describe that as I’m a big fan of finding Watsons and to me, you know, I want somebody that does a solid day’s work, that will persevere, that will more frequently find those abnormalities, sometimes, in healthcare, because it’s not as financially incented as in other industries. It can be challenging to work with the Sherlocks of the world who are expecting a vast compensation, which I can’t necessarily do. There aren’t necessarily going to be bonuses or incentives or stock options. I’m looking at other motivating factors for these candidates.
Guerra: Right. And, I mean, as people are working from home, they’re not isolated, but there is some degree of isolation there. You need someone who can work a problem, as you mentioned it, who won’t be knocking on your door every five minutes asking what they should do. People are more off on their own. You need someone who can work a problem and really want to solve it, not just want to check a box that I tried to solve it. Right? There’s a difference there.
Kane: I would agree. I mean, I do think that somebody that can work independently, they can be successful in some of those roles. But by that same measure, there’s also people who work well collaboratively, who will work through a problem. You know, I think solving for the unknown, answering the great of uncertainty, which is a huge element of cybersecurity, is a challenge and it’s not some Hollywood scene where somebody’s looking at a screen full of gibberish going, “That’s it, Eureka!” You know, they’re working through data, and they’re ruling out what isn’t feasible, and then they’re getting to whatever’s left or whatever’s probable. You know, that’s really what I’m looking for.
And there’s also an element of this, which is, I want people to understand probability because with the pace of change, sometimes, of the threat actors coming at us, you may never get to 100% certainty. There’s certainly an appetite to think in absolutes. But the rate of change of the threat actors, the pace at which we need to operate, makes it so you need to be comfortable sometimes extrapolating and saying it’s more likely this than that. So let’s work from that and then see where it takes us. But by that same measure, you don’t want somebody who’s going to doggedly exhaust every single thing. At some point, you do want to see them acquire some instinct. So I’m contradicting what I said earlier, but those are the kinds of things we look for.
Guerra: Well, I don’t think you’re contradicting yourself. I think it’s the gray area, it’s the balance. It’s that combination of skills, it’s knowing when enough is enough. You’re talking about probability. Probability is risk, right? The CISO’s world is based on risk because nothing’s 100%. So from what I understand from all the conversations I’ve had is one of your most important roles is communicating the level of risk to people who are going to make the decisions about whether or not they want to accept the risk as you have described it. “Here is the risk overall, and here’s what I can do to reduce this risk. If you’re uncomfortable, I need to hire more people, or I need more money, I need to buy more software, or we need to change a process, or this or that.” But tell me your thoughts. Is that the role? People have told me, “We’re the chief risk officer.”
Kane: Yes, I mean, I would wholeheartedly agree. I think there’s so much of what you just mentioned that we could probably spend hours talking about, but you know, just focusing on the core role there of being a trusted adviser, of giving good information, and communicating and interpreting this massive ream of jargon, and then trying to put it in front of a business lead, and then aligning your program to those business needs. I mean, that’s so important. You also talked about the appetite there to quantify, right? Certainly, my expectation is that your goal is not to eliminate risk. That’s not possible.
Growing a business and the Internet, in particular, are fraught with risk. So your goal is to make sure that you can grow the business securely; that you can bake in some of these core decision making skills so that your business leaders have confidence they can absorb risk, and that they can manage it appropriately. That’s your role. I do see sometimes some of my peers in both healthcare and other industries are on an evolution to become chief trust officers above and beyond those chief risk officers who are looking at clinical, financial, cyber – there’s a huge element of patient safety and patient assurance there. With so many healthcare organizations falling prey to these unscrupulous adversaries, you need to be comfortable stating to your leads what’s practical, pragmatic. These threats will happen, and we will do our best to overcome them. You know, it’s our journey to become a resilient organization.
Andy Ellis has a great analogy I tend to use, which is that cybersecurity leaders are unlikely to be the main character in the story. And the main character in the healthcare space is probably the doctors or the patients. So it’s your job as a cybersecurity lead to be the sidekick. Right? And it is your job to be the best sidekick you can be. It’s an analogy that I take to heart. And, you know, I thank Andy for the analogy.
Guerra: Communicating risk to a business leader. The dynamic makes me think of marriage counseling, where one person says something and the other has to repeat back what they mean. Is it where the CISO says to the CEO, “Now, here’s what I’m telling you about the risk level. Now repeat back to me what I said so I know you understand it.” And obviously, the CISO has to speak the CEO’s language, not the other way around. What are your thoughts on making sure after you leave that meeting, so to speak, or that board meeting, that they understood the level of risk that you were trying to communicate?
Kane: Therapy is a great analogy for what we do. Your role when you’re advising business leads is to make sure that they’re making good decisions, they’re choosing effective strategies and that you’re making sure that you don’t validate the invalid, which tends to create a toxic scenario. So, I do think therapy is a ripe analogy. Sometimes I think when we think of cybersecurity, it’s in terms of conflict and combat. And you know, sometimes that can create its own ethic where everything’s a battle. When is it not? And there is an analogy sometimes that we have to get cybersecurity right 100% of the time, and the bad guys only have to get it right once. That’s a recipe for self-destruction. Because you’re not going to get it right 100% of the time. And if that’s what you’re communicating to your leads, you’re going to have an uncomfortable conversation when they turn around to you and say, “We spent X on Y, and you didn’t see A, B, and C coming?” – that conversation.
To go back to your conversation about dialogue with boards and putting reports in front of them, I think it’s good to know your board; cyber skills aren’t guaranteed on a lot of boards. So some of what you tend to focus on is executive charisma. You try and provide assurance, and then you try and provide a higher level view which the layperson can absorb. But then, you want to be able to speak to all of the data, so you need to have quite a large and extensive appendix in some of these board decks on occasion. Traffic light protocols tend to be used quite a lot more. When I ask a board member the simple question, “What do you see as our risks?” I can be quite surprised sometimes on what people see as risks. Some of them are very acute when it comes to cybersecurity. And some of them are just taking a different direction, which can be quite fascinating. But you should have that regular cadence, and you should make yourself available for board members and security leads. If the only time they see you is when you’re reporting out on an incident or a bad event, you’re the Department of Oops. That’s not our role.
To use the therapeutic analogy, again, there are disciplines where you’re invited to say, “yes.” There’s entire movies based upon the concept of saying that, so this journey of security is how you can empower and incent, and the compliance efforts, the security efforts, the incidents, the dialogue becomes how do you turn those into speed bumps, not roadblocks, right? How do you not have to all of a sudden reverse course and travel down a different route? And it really depends on the caliber of the board member, the caliber of the senior leader that you’re talking to. Certainly, establish regular cadence and establish metrics, and then almost immediately present them in a layperson analogy.
It can also be helpful to look at what other leaders are having success with within the board. And for instance, in the healthcare space, if there’s a clinical dashboard that the board is accustomed to seeing or hospital management dashboard, well, you’ve just got a template for how you should be presenting security. It’s a framework they can understand.
I will also state that I mentioned how cybersecurity skills aren’t necessarily the status quo in most boards and senior leadership. So I do think there’s value in that cyber risk one-on-one conversation coaching session. Hit them where it hurts, hit their self-interest, what executive protection looks like, how they can sanitize their own media, how they can look after their own family, choose good passwords, password managers. Appeal to their self-interest and then talk about how that extends to your corporation. I sometimes joke with my leaders that I should become the chief door officer, because I use analogies based on doors and locks and basement windows and things of that nature.
Guerra: And how about the analogy you mentioned, which to me as a lay person would be the simplest one, the traffic light, the red, yellow, green in terms of conveying risk, right? If I were an executive, I would think it would be very easy for me to look at a report and say, “Okay, I don’t want to see any red.” Right? If I see red, that’s a problem that needs to be addressed. Show me yellow, show me green. Try and get the yellows to green, the reds have to go. Is there some of that when you’re conveying risks to businesspeople where it’s that simple in terms of the methodology you’re using?
Kane: Absolutely, I mean, you’re talking tertiary analytics or meaningful metrics. You know, you’re going above and beyond, like, here’s how many phishes we stopped, here’s how many phishes got through. Now you’re talking about susceptibility to potential ransomware. You’re getting into maturity from an educational perspective. So yes, absolutely, you can do that. But by that same measure, you need to be able to speak to the facts. You need to be able to stand behind your data. Before you’re going to dumb something down to a red indicator, you better have strong metrics behind it.
Guerra: No, and that’s what you mentioned. So somebody like me might look at that first page and say, “Oh, okay, I like that. It’s green, I’m good.” But you may have other board members who want that second and third level. As someone responding to the board, when you get that board member that’s at that granular level, you have to be able to answer every question. And all the data’s got to be tight. And they can’t be pointing out any discrepancies in your data. Right?
Kane: Well, so the other aspect of both threat and risk is it’s not a stable or a static event, right? So usually, a lot of the cohorts that I talk to, they’re interested in the trend over time; they’re interested in a sparkline, or they’re interested in a maturity curve or using a Harvey ball or something of that nature. And they’re also looking at peer-level benchmarks. So it’s like, “Okay, well, what do we need to do to get to the next step? What do we need to do to level up? And when we do level up, does it mean that our capabilities are right?” The sad fact of life is that the ransomware actors are also innovating.
So there’s a couple of core things you include in every slide deck you show to the board. It’s like, “Here’s where we are. Here’s where the industry is. Here are some of the headline-grabbing incidents that everyone’s aware of.” It’s good to include data on the regulatory exposure, as well. There are lots of things happening, and the federal space tends to be slow, but things are starting to heat up. Things like the Patch Act and medical devices are really starting to garner some attention in Washington, which is exciting. The White House executive orders are really exciting. And that’s even before you get to things like GDPR or some of the Canadian privacy laws and others.
So you also need to add to those metrics what threat actors need to do to get to us. Heat maps, I have a love/hate relationship with them, because there’s a perception that if you spend more money, sometimes you’re eliminating the risk, which in my experience isn’t necessarily the case. There’s a story there that you need to tell. But as with all stories, you want to make sure it resonates with the audience. You don’t want to just bore them to death. You know, especially on a virtual or Zoom call with a board, you’re going to hear somebody snoozing pretty quickly, or worse, again, God forbid you get a toilet flush, then you have failed when you’re reporting out to the board.
Guerra: What about if they just cut you off and say, “thank you”? (laughing)
Kane: Yes, yes, there’s a tactic you tend to do in most board meetings where you say, “Okay, well, that’s interesting. Let’s noodle on that one.” And then you turn around and say you’ve got a large deck to get through, it’s like, “Let’s come back to that. I’ll schedule some time.” There are a couple of core mechanisms you can use that board members are very much aware of. Most boards are interested in asking good questions and being confident that there’s reasons, analysis and that there’s a plan to answer some of those questions. I tend to find that different boards, they operate differently, but a lot of them are doing the same thing. They want to know if they can trust you. They want to know if there’s exposure. They want to know if the business can continue in its current route or needs to change.
Guerra: All right, we have time for about one more question. I would be remiss if I didn’t ask this open-ended question to get your thoughts. What would you say is the most important trend that healthcare CISOs should be following and preparing their organizations to deal with? What’s the number one thing you’re looking at?
Kane: Okay, let me think about that. The number one most important trend, I mean, existentially, it’s ransomware.
I also worry a lot about this exodus from Silicon Valley creating a talent pool for the threat actors to tie into, now that you’ve gone beyond the industrial age into the hyper-speed, light-saber age for some of these threat actors.
There’s increasing regulation. There’s definitely an appetite at the federal level to encourage healthcare to do more. I mean, thinking about those two things, if there’s one thing I’m tracking right now, it is that you are communicating effectively, that you’re not misstating the threat landscape. Certainly if you look at Joe Sullivan or Mudge, probably the number one thing I’m looking at here is to make sure that I’m sticking to my values and that I’m communicating effectively, that I’m being pragmatic on the risks and, as a CISO, understanding that the profession is changing. And I want to make sure that I’m creating an environment for my team to be successful, that I’m creating programs that are based in reality, not delusions of control.
Guerra: I love that.
Kane: That’s probably the number one thing I’m tracking right now. And I’m continually looking at myself in the mirror and going, “Are you providing value?” And to go back to your therapy analogy, it’s that like self-check, radical acceptance, where you’re saying, “I could have done this better, or we need to start thinking about this.” It’s that feedback loop. If there’s anything I’m tracking right now, it’s more internal than necessarily external.
Guerra: So fascinating that you mentioned the folks being laid off from Silicon Valley could be poached by the bad guys, that never crossed my mind. So that’s really interesting. One more quick follow up, and I’ll let you go. You mentioned sticking to your values. Tell me a little bit more about what you mean by that.
Kane: I think one of the hard things to do in security is you’re going to get continually distracted by the threats. It’s far too easy to enter analysis paralysis, it’s far too easy to think that the latest and greatest software solution is going to solve the problem for you. My values, the programs that I build, are based upon doing the right thing, minimizing regret, and making sure that what you’re doing is future proof.
But it’s also based on being an authentic leader. It’s cut the BS. It’s having those honest conversations with your staff and with your leadership, really, that to me are core values that I learned at my mom and dad’s knees. And the other thing I’ll mention very quickly, Anthony, is my dad immigrated to the US when he was 60. So I have a massive amount of respect and honor for the US to recognize that someone of that age could continue to contribute. He did and he worked his ass off and you know, I followed in his steps. And I continue to do what he taught me, which was to work damn hard. And you know, as Dan Geer says, “abide by your handshake.”
Guerra: Well, that’s excellent. You mentioned minimizing regret. I’ve based my whole life on that (laughing), good or bad; I try and live my life to minimize regret. It’s been a great talk and I think our readers and listeners are going to appreciate it. So thank you very much.