Field Report: The Cleveland Clinic

With

Bill Russell / Vugar Zeynalov

Cleveland Clinic This Week in Health IT


April 16, 2020: Healthcare systems have always been major targets for cybercriminals, but the risk of threats has become more serious than ever since the pandemic. In this field report, we speak with Vugar Zeynalov, CISO of Cleveland Clinic, to hear more about what he and his teams are doing to support the rapid increase of virtual communications between patients and providers from a privacy and security perspective. Vugar fills us in on how cybercriminals are exploiting the situation by luring people into payment schemes through texts and emails with fake news content. He talks about how the Cleveland Clinic is combatting this by providing a reliable feed of trustworthy and secure information via Twitter. We also hear about the scaling in telehealth and remote work everybody has been talking so much about, but this time from the perspective of security. Vugar describes all the efforts he and his multidisciplinary teams have been making to keep privacy top of mind, even in light of the HHS decision to postpone the enforcement of privacy standards that were in place before the crisis. We wrap things up hearing a few best practice recommendations from Vugar about the new roles security technicians are having to play at present, and he weighs in strongly on the value of collaboration and skill swapping. Tune in for another informative field report, this time on the theme of security and privacy in the crisis.

Key Points From This Episode:

  • Notes on the scope, culture, and current situation at Cleveland Clinic.
  • Vugar’s career-changing experience working at such a high-level caregiving institution.
  • How Vugar is supporting the great staff at Cleveland from a security IT perspective.
  • What Vugar is seeing regarding threat activity during the pandemic.
  • How criminals are using COVID-themed messaging leading people into payment funnels.
  • What the schemes are exploiting: curiosity, tired providers, and changing health systems.
  • The trustworthy information Cleveland is curating on Twitter to put a stop to crimes.
  • Debunking myths that cybercriminals are choosing not to attack health providers.
  • The rapid scaling of virtual visits and how cybersecurity is being woven into that.
  • Perspectives on HHS postponing the enforcement of privacy settings.
  • Cleveland Clinic’s use of a multidisciplinary cybersecurity team.
  • Best practices and recommendations for software and tools for remote work and Telehealth.
  • Integrating communication service providers into the heavily regulated healthcare space.
  • Three security measures that communication providers have to implement.
  • New duties security professionals have since the crisis: securing platforms and collaborating.

Field Report — The Cleveland Clinic 

Episode 228: Transcript – April 16, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[0:00:04.8] BR: Welcome to This Week in Health IT News, where we look at the news which will impact health IT. This is another field report, where we talk to the leaders from health systems on the frontlines.

My name is Bill Russell, healthcare CIO, coach and creator of This Week in Health IT, a set of podcasts, videos and collaboration events dedicated to developing the next generation of health leaders.

As you know, we stepped up production over the last 30 weeks and Sirius Healthcare has stepped up to sponsor and support This Week in Health IT. I want to thank them for sharing our passion to capture and share the experience, stories and wisdom of the industry during this crisis.

Today, Drex DeFord conducts the field report for This Week in Health IT. Special thanks to Drex for helping us to cover more ground during this time. If your system would like to participate in the field report, please shoot me a note. Easiest way to do that is by e-mail, [email protected].

Now, on to today’s report.

 

[0:00:57.9] DD: Hello, everyone. Thanks for joining us. It’s This Week in Health IT. I’m Drex DeFord, CI Security’s Chief Healthcare Strategist and President of Drexio Innovation Network. Today, we welcome Vugar Zeynalov. How did I do?

 

[0:01:13.8] VZ: Excellent.

 

[0:01:14.4] DD: All right. Excellent.

 

[0:01:15.4] VZ: Excellent.

 

[0:01:16.2] DD: Vugar is the CISO of Cleveland Clinic. Thanks for being with us today, Vugar. I know it’s super busy and you just got a lot of crazy stuff going on. I really appreciate you being in here.

 

[0:01:30.9] VZ: Thank you. Thank you for having me, Drex.

 

[0:01:32.7] DD: Yeah. Can you start by telling me a little bit about Cleveland Clinic and your team there and how you work and how things have generally been going during the past few weeks?

 

[0:01:45.3] VZ: Sure. Cleveland Clinic is one of the most impressive and well-recognized brands in healthcare worldwide. 66,000 employees, we call everybody caregivers. Facilities in Northeastern Ohio, Florida, Canada, Nevada and we have facilities in the Middle East and London. It’s a global institution.

 

Frankly, I joined the Cleveland Clinic about three years ago. It’s going three years and a week from now. It’s a very humbling experience, because you get to work with the best of the best in the world. Very humble.

 

[0:02:26.5] DD: Wow. Very cool. I love how you call everyone caregivers. That’s brilliant. Because very often, I think in IT and in the information security areas, sometimes we feel separated. I think the reality is great care cannot be delivered without our teams and the work that we do now.

 

[0:02:49.1] VZ: I agree. Prior to joining the clinic, I was with the government financials, payers and pharma. This experience has been a career changing experience for me. Since I came in, we lived through some challenging times. I took my entire team to every facility we have. We went through a journey of the patient, from admission to discharge. When you experience that, when you see that – I know these days, it’s amplified that that level of heroism. That talk that our caregivers and nurses and our clinicians put into everything they do, that’s a life-changing experience.

Even as a cyber professional, I question every common practice I had in my mind, in lieu of common sense, that you are join that movement and help them, help our caregivers to have that frictionless experience, to have the best of the best technology they can use for the advancement of our care delivery.

 

[0:03:50.0] DD: That’s terrific. I mean, there’s nothing like going to the place where the work is happening to understand how you’re helping, or how you’re hindering the delivery of great care to patients and families. Thanks for sharing that. I think that’s awesome; pulling your whole team around to do that’s pretty impressive. What are you seeing with regard to threat activity during the pandemic? A lot of stuff happening out there?

 

[0:04:15.6] VZ: Right. Well, unsurprisingly, cyber criminals, both foreign and domestic, are trying to take advantage of the global pandemic situation, as they never let any crisis go to waste. Then we see a lot of fake COVID-themed phishing e-mails, phones and text messages that are being used to lure victims to visit websites with payment scams and malicious software, exploiting human traits such as concern and curiosity.

 

Every industry has seen increase in threat activity, but healthcare is the primary target right now. The first actors, they see healthcare professionals that are exhausted, both physically and emotionally. They also see health IT systems that are changing overnight to accommodate these new working styles. Then people who are continuously searching for the latest information. Any threat masquerading as a trusted source, like the World Health Organization or CDC has a huge pool to phishing.

 

Well, to that end, the Cleveland Clinic communication team has done an excellent job by curating news and information. I encourage everybody to check out our Twitter feed and newsrooms as they’re putting out that reliable information about the virus and our response, as well as valuable information about taking care of yourself physically and mentally while at home.

 

[0:05:37.6] DD: Great. Good, trusted information. You’re right, there’s so many channels right now that you can tune into and so many of them are not giving you the truth, or they’re guiding you in the wrong direction. I love that Cleveland’s doing that. Really cool.

 

[0:05:55.2] VZ: Yeah, go ahead.

[0:05:56.1] DD: Now one of the questions I was going to ask you about was I’m seeing a lot of articles being written right now that say that the bad guys and their bad guy consortiums around cybersecurity have agreed to not attack healthcare systems. If they accidentally – something happens to a healthcare system to give them the keys to the ransomware, or whatever for free, given all of the stress that’s going on in the healthcare system right now. I have a skeptical side to this and a hopeful side to this and I’d like to hear what’s really happening. Are you seeing that out there?

 

[0:06:36.6] VZ: I’ve read that. I’ve read that. The reality on the ground doesn’t support it, thankfully. We’ve seen a significant increase in number of COVID-related threats. Perhaps, some of these nefarious actors, they lay down their weapons, but that might be a minority. In reality, we’re seeing it’s completely opposite.

 

[0:07:01.8] DD: Yeah. One of the other things I wanted to ask you about was given the incredible amount of activity that we have going on right now and standing up new units and connecting to field hospitals and everything else that’s going on, there’s always the challenge of how do you have good security and at the same time, respond quickly and effectively to the requirements that you’re given? How do you guys do that at Cleveland Clinic?

 

[0:07:33.6] VZ: You’re right. We’re living through one of the greatest experiments in remote work and virtual health. I mean, the number of virtual visits at Cleveland Clinic increased 26 times. Then the capacity of our remote access infrastructure increased five times in just a matter of a few days. The rate on cybersecurity is embedded into a larger, impressively orchestrated response at the Cleveland Clinic and then there’s a coordination and dedication from the caregivers is impressive and humbling to witness.

 

One of the focus areas for us and the part we play is making sure that the caregivers have the same experience in these temporary hospitals and its search sites. We’re standing up this. We’re transforming our health education campus into what people are hope possible. It’s a 1,000 bed hospital. We want to make sure that our caregivers have the same protection, same access and everywhere they go, they can have a frictionless experience, so they can focus on care delivery.

 

[0:08:41.3] DD: Amazing. Very good. In that same context, I’ll ask you another question that’s something that’s come up pretty recently. Have you seen any flex, or trying to think of probably the right way to talk about this; privacy is always a concern. Have you seen any lessening of our adherence to privacy issues during the pandemic? Do we seem as worried about it as we have in the past? Have we let up some?

 

[0:09:22.0] VZ: I think it’s well-known that the Department of Health and Human Services, they came out and then they talked about that they’re going to postpone the enforcement of some of the privacy settings. That said, I think from our standpoint, we’re trying to even in this time of urgency, trying to make sure that we conduct whatever we need to conduct on behalf of our patients and caregivers with at most to the last – to that end, we’re actually an agile shop.

 

Any type of cybersecurity engagement, it used to be sequential. Now we’re doing it as a multidisciplinary team. We’re bringing almost a tiger team together and we’re doing everything in a rapid succession. We can deliver the outcomes faster, but we get to maintain the quality.

 

[0:10:16.3] DD: Who’s in the tiger team? How does that work? That’s very interesting to me, that you actually get the buy-in on the front-end of everything that you’re doing.

 

[0:10:29.0] VZ: Right. From that multi-disciplinary team, there are cyber professionals from GRC, like third-party risk assessments, to cybersecurity architects that help not only to do the due diligence, but talk about integration into our platforms, as well as our vulnerability management. Then we have a multidisciplinary team from cyber, and we engage folks on application development, infrastructure and everybody comes together. Then the vendors chiming as well in rapid succession. Things that used to take weeks now taking quickly days.

 

[0:11:05.6] DD: Wow. Very cool. There’s so many things that have been pressed into service recently to like, well, I mean, Zoom. There’s been a lot written about Zoom recently. Personal devices, all of those kinds of as we’ve rushed into this telemedicine work from home world. Do you have some best practices you’d recommend to folks who are listening, or watching?

 

[0:11:31.0] VZ: Sure. We welcome any tool or service provider that can help us better serve our community of caregivers. The challenge is that many of these technologies, they’re not designed for heavily regulated industries, such as healthcare and have some security concerns. Now, I believe that the right approach is to work with the solution providers and bring them into the healthcare space and explain the operational challenges to the healthcare environment.

 

How it worked, what worked, what we solved before. I mean, if you’re asking about some basic framework, I’ll talk about three things, especially for technologies like virtual health. First is establishing that connection and authentication is critical. Just like caregivers confirm a patient when they walk into a room, we need to make sure we confirm the patient and the caregiver and clinician and make sure they are who they say they are when they’re joining meetings remotely.

 

Then maintaining that connection, we call the end-to-end encryption to ensure patient privacy. Then finally, when that connection is dissolved, to make sure that there’s no PHR left on the vendor systems. Now given the opportunity, all these providers, they welcome this type of help, because for them it’s an opportunity to get into a space with a high barrier. Then for us, it’s ultimately improved experience and safety.

 

[0:12:52.1] DD: Yeah. I think that’s exactly right. Coaching as much as you can and using the analogies that you’re using too, like the patient care experience to help them understand the end-to-end connectivity and the introduction piece is a very, very smart way to approach this. Thanks for sharing that.

 

I probably have another million questions, but I know you’re super busy. Is there anything that I haven’t asked you about that I should have asked you about that you want to talk to the listeners and the viewers about?

 

[0:13:25.1] VZ: Well, it’s interesting. Until recently, cyber risks were pre-eminent, like existential threat to healthcare organizations. No day would pass where you see headlines about ransomware and exploits and mega breaches. We have received enormous support from our clinicians as we implement sweeping changes to combat these risks. Now this is a global health crisis that stressed, has every aspect of our healthcare systems.

 

Obviously, cyber risks don’t go away, but I believe cyber leaders, they have a new role to play, because as professionals, we need to work on the background diligently to make sure that we provide the safe telehealth and video conferencing platform for our patients, so they can communicate with the providers and stay connected with their loved ones.

 

Then for our clinicians, deliver that frictionless experience, that trusted and resilient digital platform, so they can focus on care and research. Then most importantly, collaborate within an industry. That’s why I welcome this opportunity so much. Share fed intelligence, share best practices so we can lobby each other’s strengths to better protect our communities.

 

[0:14:41.1] DD: Yeah, thanks. I couldn’t agree with you more. I mean, part of the reason we’re doing these reports from the field, Bill and I, are to facilitate that crosstalk and conversation of we figured something out over here, so you don’t have to. We’re approaching this issue and this way, maybe that gives you some background to start with. That crosstalk and collaboration, we’ve always been great at in healthcare and we’re just trying to help make that continue.

 

[0:15:10.7] VZ: Thank you. Thank you for the work you do. We really appreciate it.

 

[0:15:13.4] DD: Oh, sure. Thank you so much. Thanks for taking time to see us. I really do appreciate it, Vugar. It’s been a great conversation. I hope we can cross paths live and in person sometime very soon.

 

[0:15:29.2] VZ: Absolutely. Looking forward to meeting you in person.

 

[0:15:32.0] DD: Thanks.

 

[0:15:32.6] VZ: Stay safe, stay well.

 

[0:15:34.6] DD: You too.

 

[END OF INTERVIEW]

 

[0:15:35.9] BR: That’s all for this show. Special thanks to our channel sponsors VMware, Starbridge Advisors, Galen Healthcare, Health Lyrics and Pro Talent Advisors for choosing to invest in developing the next generation of health leaders.

 

If you want to support the fastest-growing podcast in the health IT space, the best way to do that is to share it with a peer. Send an e-mail, DM, whatever you do. You could also follow us on social media, subscribe to our YouTube channel. There’s a lot of different ways you can support us, but sharing it with peers is the best.

 

Please get back often as we will be dropping many more shows until we flatten the curve across the country. Thanks for listening. That’s all for now.

 

[END]