HSS Security Vikrant Arora This Week in Health IT
April 26, 2020


April 26, 2020: Health systems and hospitals across the country have adjusted to the COVID crisis, and one of the most remarkable adaptations has been at the Hospital for Special Surgery in New York. A dedicated orthopedics and rheumatology facility, the hospital has nimbly pivoted to care for COVID patients, canceling all elective surgery. Today’s guest, Vikrant Arora, CISO at HSS, joins us to share some of the security-related challenges the institution has faced. In this episode, Vikrant gives an overview of the four areas where threatening activity has increased: from spikes in phishing to an uptick in onboarding vendors without all the usual checks and balances, given the supply chain challenges they face, these are challenges the team deals with daily. Vikrant shares some of the strategies they have used to counter these threats. Ultimately, it comes down to strong foundational practices, clear principles, and cohesive leadership at the hospital. Vikrant also shares some best practices, the importance of cyber hygiene, and what has inspired him most during this crisis. Be sure to tune in today!

Key Points From This Episode:

  • Learn about HSS, the work they do and how they’ve adapted their services to the pandemic.
  • The four areas where there has been an increase in threatening activities.
  • How HSS’s security is dealing with bringing on new vendors while remaining secure.
  • Why having good foundational systems and strong cyber hygiene practices has helped HSS.
  • Understanding the full spectrum of challenges that come with remote working.
  • Three strategies HSS’s security team has used to increase protection.
  • Find out how having a dedicated COVID-related manager has helped HSS.


Field Report: HSS with CISO Vikrant Arora

Episode 233: Transcript – April 26, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[0:00:04.5] BR: Welcome to This Week in Health IT news, where we look at the news which will impact health IT. This is another field report, where we talk to leaders in health systems and organizations on the front lines. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcasts, videos and collaboration events dedicated to developing the next generation of health leaders.


Are you ready for this? We’re going to do something a little different for our Tuesday news day show next week. We’re going to go live at noon Eastern, 9AM Pacific, on our YouTube channel with myself, Drex DeFord, Sue Schade and David Muntz with StarBridge Advisors to discuss the new normal for health IT, with you supplying the questions via live chat. Also, you can send in your questions ahead of time at [email protected]. I’m so excited to do this and I hope you will join us.


Mark your calendar: noon Eastern, 9AM Pacific on April 28th. If you want to send in questions, feel free to do that, and you can get to the show by going to thisweekhealth.com/live. This episode and every episode since we started the COVID-19 series have been sponsored by Sirius Healthcare.


They reached out to me to see how we might partner during this time and that is how we’ve been able to support producing daily shows. Special thanks to Sirius for supporting the show’s efforts during the crisis. Now, on to today’s show. 




[0:01:24.7] DD: Hi everyone and thanks for joining This Week in Health IT. I’m Drex DeFord, CI Security Chief Healthcare Strategist and president at drexio innovation network, and today we welcome Vik Arora, Chief Information Security Officer at Hospital for Special Surgery in New York City, to This Week in Health IT.


Thanks for being with us today, Vik. I know you’re crazy busy and I really do appreciate you being here.


[0:01:51.1] VA: Thank you very much for the opportunity. Happy to be here.


[0:01:53.6] DD: Yeah, start, if you would, by telling us a little bit about HSS and you and your team there. And, you know, obviously I’m sure everybody wants to know how it’s going with the COVID outbreak there and what you’re seeing at HSS.


[0:02:10.7] VA: Sure. HSS is an orthopedic and rheumatology hospital. We’re rated number one in the US for the past decade or so. We’re the oldest orthopedic hospital in the country. We also rank very highly in rheumatology and musculoskeletal health.


In the past few weeks, ever since this crisis started, we have literally repurposed our entire hospital operations, starting with initially deferring our scheduled surgeries, then cancelling elective surgeries altogether, and then from that we took the step of starting to take ER patients, which we normally don’t do, as an overflow from New York Presbyterian, and then, as a second level of maturity, we even started taking care of COVID patients.


We have literally stopped everything we normally do and repurposed ourselves to support the community and do what’s needed at the moment, so it’s been a transformation of the organization.


[0:03:11.0] DD: Wow, it’s incredible too. I mean, you know, just kind of watching from afar, right? I’m in Seattle, and so, you know, we sort of started with the initial outbreak here and obviously it’s sort of gone across the country. You guys have been super hard hit, and it’s been amazing and inspiring to watch how you guys have transformed in just a couple of weeks into a completely different kind of hospital than you are normally.


[0:03:44.5] VA: Yeah, there’s no way we have the right level of gratitude and the words to express what the care providers, the nurses, the support staff, everybody has done. It’s beyond unbelievable.


[0:04:00.1] DD: It is incredible. Go ahead.


[0:04:03.6] VA: I was just saying, it’s truly a privilege to support them in any way, shape or fashion. Yes.


[0:04:07.5] DD: Thank you. The other thing I would say is thank you. You know, I’m a big believer in what I think is the reality that people who work in healthcare IT, people who work in the CISO’s office, are partners in the delivery of great care to patients and families. And you’re as much a part of this as anybody, so I would just say, on behalf of me, on behalf of the listeners, thank you. You guys have done amazing work out there.


What are you seeing with regards to threat activity during the pandemic from a security perspective?


[0:04:50.9] VA: We are seeing activity in primarily four areas that kind of bubble up for me and my team. The first is obviously phishing. We’ve seen a rapid increase in email fraud related to protective equipment, to the payment protection plan, the stimulus fraud, the CDC and WHO advisories; whatever’s in the news is being turned into an email phishing scheme out there. To give you some numbers, we see on average north of 50,000 COVID-related phishing scams that are blocked at the perimeter.


[0:05:25.9] DD: 50,000 per day?


[0:05:29.2] VA: No, in a week.


[0:05:30.5] DD: In a week, okay. 


[0:05:31.4] VA: That’s what we see. The second area where we’ve seen increased activity is exploitation of anything that is public facing; people are out there looking for ways to get into hospitals. Even though some groups have claimed that they’re going to refrain from sending out ransomware, I don’t trust it, and in fact I’ve seen some trends where there is an increase in ransomware activity. So on any public-facing asset we see a lot of scanning, looking for vulnerabilities, including the VPN infrastructure.


The third thing we’ve seen is, given the immediate needs, on-the-fly IT engineering or bypassing corporate solutions for telehealth or collaboration: people switching from corporate communication tools to WhatsApp or other insecure collaboration tools. That’s the third place.


Lastly, I’ve seen an uptick in onboarding vendors without all the checks and balances, given the supply chain challenges that we’ve got. These are the four areas that we have been focusing on in the past few weeks.


[0:06:35.3] DD: I mean, given the amount of activity that we’ve seen in the last four weeks and the need to bring on new vendors and buy equipment and do all of these things, I mean, it’s one of your four items. How are you dealing with that? How are you sort of maintaining that balance between we have to be able to support the mission and we also need to be secure?


[0:07:02.2] VA: No doubt it’s challenging, but like I mentioned earlier, given the challenge that the care providers and the doctors are up against, I think it’s very inspiring, and that helps us feel part of a very unique opportunity as well as find the inspiration that’s needed.


But at a very high level, I think the investments we made in foundational practices prior to COVID, such as having governance, change management, and formal risk acceptance by business units, are all yielding dividends now. I’ve always been a big believer in cyber hygiene. Two things it will do for you: it will help you come out of an incident sooner, and it will minimize the impact of an incident. All those foundational practices have helped us tremendously. I’ll give you an example. Ever since the crisis started, we still have not missed or postponed a single change management meeting, which happens in the organization on a weekly basis.


[0:08:05.5] DD: Wow, fantastic. That is amazing and I am totally with you. I think this whole idea of, “Oh well, security is all about security,” is kind of baloney, right? Because in a lot of ways having good cyber hygiene lets you run better, more efficient operations. I mean, it sounds like you feel the same way.


[0:08:30.1] VA: Absolutely. And the second thing that has helped us, Drex, is that early on in the crisis, HSS, at an organizational level, since we are going through such an organizational transformation, put in place new principles to deal with the crisis. And the principles were primarily protecting our staff, protecting HSS and protecting the community. That really helped restructure how we approached our projects, prioritized and de-prioritized efforts, and maintained alignment with the organization.


So, with that and the foundational practices, we’ve been able to create the necessary bandwidth. I can get into some tactical things that we are doing too, but that’s it.


[0:09:12.4] DD: I love the principles. I mean, I think that that level of leadership and transparency to the team and the community is huge. And it certainly has to make you feel good as the CISO that protecting the staff and protecting the patients, you know, that is really what we are all about. It has to feel good that leadership has your back.


[0:09:38.8] VA: Absolutely. And I think the biggest and the most important asset, strictly speaking in terms of risk management, the most important asset that is at risk is people, because of the crisis. Talking with leaders, I will tell you, I mean, my wife and I, we’ve been working from home for the past few weeks. Both of us work in the city, we have a six-year-old and a two-year-old, our nanny stopped coming three weeks ago, and we had a few failed starts in terms of managing the kids.


The home schooling and daily routines, and then we found that rhythm. But I am trying to be as cognizant as possible for my team at work, because they don’t care how much you know, they only care – I don’t know if they have felt that they are being cared for by the leadership. So being cognizant that they have similar challenges at home can go a long way in earning their commitment.


[0:10:33.3] DD: That’s very good advice. One of the things that I wanted to ask you about, Vik, was to follow up on some of the tactical things you said that you were doing from a security perspective, and best practices around protecting the organization, protecting the people, protecting the community.


So, are there any of those that you want to talk about, that you’d like to share with listeners? We are all about trying to spread the news of great best practices.


[0:11:02.3] VA: Absolutely. So, I can mention three things. The first is we repurposed the security team to move forward, and I apologize for the background noise. We repurposed the security team to move people from our engineering, operations and architecture groups into governance, risk and compliance and security monitoring. Our GRC and security monitoring are the two units that are more actively involved than operations and architecture, because a lot of projects that are not related have stopped. That has helped us get some bandwidth.


The second thing is we have always been trying to make risk-based recommendations. So, we are providing quick feedback to anybody who is looking at consumer-grade technology to meet an immediate need, and we’re also trying to lead the digital efforts where possible. I will give you an example, two examples there. One is a group needed to temporarily use a scheduling app called Doodle. And the governance it came to our shock that it can do a review. And we said, “We will dedicate somebody to set up Doodle for you instead of doing a review, because, I mean, it is a consumer-grade app. The admin of that app can do whatever they want, so it will meet your need, but let us lead the effort.”


The security engineer ended up being a Doodle admin, to make sure all of the settings were turned on. It was a temporary need, we got them what they needed, and we moved on.


And right now, we are doing the same with Zoom. I mean, there has been a ton of news about Zoom, and we have taken a very surgical approach where we have figured out what the telehealth use cases are. They range from identity proofing to seeing somebody in an isolation room to scheduling appointments. We have security recommendations for each of those use cases that can easily minimize some of the risks that are out there, and then the biggest one out there is just around Zoom bombing, and just the use of private meeting IDs and passwords for your Zoom conferences.


And education around not sharing those Zoom invites on social media can go a long way to minimize Zoom bombing. So those are some of the things that we have done.


[0:13:18.3] DD: That is terrific. And I know you’re super busy, because I can hear you blowing up over there electronically. Is there anything else that I didn’t ask you about that you’d like to share with listeners before I let you go?


[0:13:31.0] VA: Yeah, sure, one more thing that has helped us tremendously through this entire journey has been that, early on within IT, we set up a point person who would field all COVID-related activities, and we had daily leadership huddles to prioritize COVID and non-COVID activities to maintain alignment with the organizational principles. Initially it was me, as I am also responsible for business continuity planning. But as the activities skyrocketed, we felt like there was a need to have a dedicated project manager focusing on all of these tasks.


Because there is a significant effort needed in between the leadership huddles with all of the teams to coordinate this work. So, having a crisis director or a project manager dedicated to managing COVID activities has helped us significantly, not only from a documentation and governance standpoint but also in making sure that all of the teams have the same priorities at all times, because those requests are coming from left, right and center.


[0:14:34.2] DD: I love it, air traffic control for COVID in both the IT and the CISO world. That makes total sense. And you are the first person I’ve heard talk about managing it that way, so thanks for sharing that tidbit, man, that is terrific.


[0:14:51.8] VA: Yep, thanks for the opportunity and I hope your listeners find this helpful. 


[0:14:56.2] DD: You know, like I said, I know your time is exceptionally valuable. We really do appreciate you being with us today. Thanks, Vik. Have a great day, and again, we really appreciate you being here.


[0:15:08.4] VA: Thank you, Drex. 




[0:15:09.8] BR: That is all for this show. Special thanks to our sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics and ProTalent Advisors, for choosing to invest in developing the next generation of health leaders. If you want to support the fastest growing podcast in the health IT space, the best way to do that is to share with a peer. Send an email, a DM, whatever you do. You could also follow us on social media and subscribe to our YouTube channel.


There are a lot of different ways you can support us, but sharing it with a peer is the best. Please check back often, as we will be dropping many more shows until we’ve flattened the curve across the country. Thanks for listening. That is all for now.


