June 25, 2021: It feels like healthcare is constantly under attack. What is going on in the cyber world today and what can we do about it? Mitch Parker, CISO for IU Health, shares the foundational elements of a security program including staff awareness, funding, governance and evaluation of practices and procedures. What is the most common gap in cyber programs? Where are people generally falling short? How do you determine the right amount of funding? Can smaller health systems keep up with the sophistication of the attacks? What can they do to keep criminals and terrorists at bay? What advancements are there in detection, prevention and threat response?
Finding and Filling Healthcare’s Cyber Security Gaps with Mitch Parker
Episode 418: Transcript – June 25, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:17] Today we are joined by Mitch Parker, the Chief Information Security Officer for IU Health. Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:00:37] Your response to Clip Notes has been incredible. And why wouldn’t it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about. It has bullet points of the key moments in the show, and it has four video clips that our team pulls out that we think really capture the essence of the conversation. It’s simple to sign up. You just go to thisweekhealth.com, click on subscribe, put your information in there and you’ll start receiving Clip Notes after our next episode airs. It’s a great way for you to stay current. It’s a great way for your team to stay current and a great foundation for you and your team to have conversations. So go ahead and get signed up.
[00:01:14] Just a quick note, before we get to our show, we launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts. You can also go to todayinhealthit.com. And now onto today’s show.
[00:01:31] Today we are joined by Mitch Parker, the Chief Information Security Officer for IU Health. And I’m looking forward to this conversation. Mitch, welcome to the show.
[00:01:39] Mitch Parker: Thank you very much for having me on, Bill. I’m very happy to be here.
[00:01:42] Bill Russell: I love following your stuff. You are one of the people that keeps me updated on what’s going on. I follow your social media posts, and you not only post about what’s going on in healthcare, you’re actually following cyber around a lot of different industries, so I see your posts cross the borders a lot.
[00:01:57] Mitch Parker: You have to these days because every industry is interrelated and everything has an effect on ultimately how we take care of it.
[00:02:05] Bill Russell: Yeah. As we’re seeing, I mean, the pipeline is a ransomware attack, and yeah, it knows no boundaries. It’s wherever they can get money for ransomware, I guess at this point, that’s where they’re going to go. Tell us a little bit about IU Health before we get started.
[00:02:18] Mitch Parker: So IU Health. I’ll give the standard description. We are a 17 hospital system serving the citizens of the state of Indiana with a number of different outpatient facilities and our LifeLine ambulance service, which covers the entire state.
[00:02:36] And we also have a very strong affiliation with the IU School of Medicine and all of their campuses. And we do a lot of work to try and advance the health and wellbeing of Hoosiers.
[00:02:50] Bill Russell: Yes. Which is a term of endearment in Indiana, so. Which is great. Are you in Bloomington, or where are you located?
[00:02:59] Mitch Parker: Outside of Indianapolis.
[00:03:00] Bill Russell: Indianapolis. Okay. Is that where the headquarters is, where you are?
[00:03:03] Mitch Parker: Yes, the headquarters is there, and that’s also where the main campus of the medical school is.
[00:03:08] Bill Russell: Got it. Okay. That makes sense. All right. How long have you been there and what was your path to become a CISO?
[00:03:16] Mitch Parker: So I’ve been at IU Health about four and a half years. And my path to getting to this point started, I’d say, about 18 years ago. At this point I was a defense contractor. I originally got brought into DOD to do some work on Oracle databases, and the person that was starting up the information assurance program there figured out really quickly that I understood security well.
[00:03:39] And so I started getting more and more assignments related to security. And then about 17 and a half years ago, I ended up full-time in information assurance. Right around the same time, I was a consultant for Temple Health. Don’t ask me how I did two full-time consulting jobs at the same time, but I did. And I was doing a lot of security work for them as well.
[00:03:59] So when my DOD contract ended, I ended up going as a full-time information security consultant at Temple Health. And they had an opening for a chief information security officer in 2008, and I applied and was selected for the position. And I’ve been in this role ever since.
[00:04:17] Bill Russell: 2008. Was CISO pretty common in 2008?
[00:04:20] Mitch Parker: I would say not so common. At the time there were a lot of people that were directors of information security, or there were people with the information security role, but very few with that title and position within the organization when I got that role.
[00:04:38] Bill Russell: Yeah. Do you find, like, colleges and universities and even the military and others, they’re starting to create education programs around cybersecurity, I would assume. So are we finally starting to fill some of the gaps? There was a lot of, I mean, there were a lot of people trying to hire in the security space, and I was talking to different placement firms and whatnot.
[00:04:59] They said it was some of the hardest positions to find people to fill. Is that still the case?
[00:05:05] Mitch Parker: I think it’s more a question of understanding. So to put a little background in place, DOD had it right when they issued their 85 71 directive in about the 2006, 2007 timeframe that required certification for staff working on security.
[00:05:22] And even before that, with their information security officer positions, they were requiring education to become a level three. So in DOD, you actually had to have that graduate school level program, and granted, they were also applying distance learning for that, because back then there were only a few universities that were even offering that degree, and granted, a lot of campuses down in Crystal City, Virginia, because that’s where all the military eventually got stationed.
[00:05:52] So that’s how it was. I mean, back then it was Norwich, it was Carnegie Mellon, University of Tulsa, a few others. NSA had their centers of excellence. So DOD had it right about 20 years ago. And the problem is the rest of the industry never really caught up until about five or 10 years ago. And now you have a lot of colleges and universities offering cybersecurity programs.
[00:06:14] And even then, what I’ve found is we’re still in what I call that initial feedback loop. So people are putting the programs out there, but they need more input from people like us, and people like us teaching these courses. Now, little caveat here, I’m a little bit biased because I taught at Temple University for two years.
[00:06:32] So I taught in their ITEX program, a master’s program in cybersecurity. But what I’ve really noticed is that there’s a lot of real world expectations that still have to be set with the curriculum that we teach students, more understanding of the career paths, and a lot more understanding from human resources.
[00:06:53] We have to collaborate with them to understand what these paths are, because I shouldn’t be the only person explaining to human resources that I’ll take a DOD form that says this person completed her military service in cybersecurity in lieu of a bachelor of science degree, because honestly the person that served in the military has got to know a lot more about cybersecurity than the person with the bachelor’s degree, because DOD had the more structured program.
[00:07:27] So I look at this as we still have a lot of work to do to explain this, to explain that there are different career paths in security, and more importantly, that we establish a better career path for those that want to be security leaders. Because most of the people in my role, we didn’t start out in security, and there needs to be a lot more work done to provide more traditional business education and relating that to security as well.
[00:07:54] Bill Russell: That makes sense to me. I have a series of questions for you, and I think it all starts with: describe the current environment. You know, we find ourselves in a world, and I’ve told my daughters off in college, and I said we’re currently at war, and she goes, what are you talking about?
[00:08:10] I’m like, there’s a cyber war that’s going on. And I sort of described to her, we’re, this interview will probably get released in two or three weeks, but as we speak right now, Scripps is still in diversion. They’re still on paper in a lot of cases. So they’re still down there. They’re entering week
[00:08:28] number two of being down as a result of ransomware. The pipeline just happened and they actually paid the ransom in order to get the pipeline back running, and those kinds of things, but the list goes on and on. There’s significant attacks going on within healthcare, outside of healthcare, but I’d love to hear from you.
[00:08:51] What does the environment look like? Is that an accurate description, that there’s really a significant war and battle going on right now in that space?
[00:08:59] Mitch Parker: I would not use those words to describe it. I would say that we’ve experienced attacks like this for, I’d say, at least the past 20 years. It’s just escalated since then.
[00:09:12] And now you have a lot of organized crime elements involved because there’s serious money to be made. And with the rise of cryptocurrencies, it’s a lot easier to pay ransom than it was 20 years ago. Because if you take a look at it with ransomware, the reason we’re seeing so much of it is because it’s easier to get paid.
[00:09:32] It’s just that simple, because 20 years ago, right after 9/11, if I were to try and do a SWIFT interbank transfer of more than 10 grand to the Russian Federation or certain other parts of the world, I would have some serious issues and would have some Homeland Security agents at my office. With Bitcoin,
[00:09:52] it makes it a lot simpler to pay. And also with the rise of a lot of technologies out there that allow for anonymization and, quite frankly, the rise of some incredibly good software developers and programs, it’s easier to ransom. And also, the other big fact is that we really haven’t done a lot of work to update our networks since that big XP Service Pack 2 push in 2004.
[00:10:25] And if you remember that year, Microsoft delayed almost all their products to work on security, and the truth is that we reached a plateau in, let’s say, about 2003, 2004. We really haven’t hit another plateau since. We had a little something that resembled one in 2014, when everyone went SSL and TLS on the browsers.
[00:10:52] However, again, what that did is that it had the net effect of allowing people to escape and hide where they were coming from even more, because all the traffic was encrypted, and that pretty much shut off half the network security tools that people had put on their networks. So it’s a gigantic game of cat and mouse.
[00:11:09] It always has been a gigantic game of cat and mouse, and it always will be. The difference is that we need to do what we did back in 2003, 2004 again. We need to look at what we’re doing, how we’re doing it, look at security better, and honestly get rid of a bunch of legacy applications that we have that open up our networks and make it so easy for a lot of these people to succeed.
[00:11:37] Bill Russell: So you wouldn’t call it a war and escalating battles. And you’re probably right, because what you described to me is more like Chicago gangland. That is what’s happening today. There’s just this rise in cyber criminals that have figured out, get paid, stop this pipeline. And it’s a quick hit to get 5, $10 million put into your Bitcoin account.
[00:12:02] Anytime you have that, it’s a fertile ground, I guess, right now. You can choose a path of defense or you can choose a path of crime. If you’re really smart and you know how to crack these things, you can literally choose those two.
[00:12:15] You can either become an untouchable or you can go to work for a crime family. And that’s what we’re seeing. We’re seeing that battleground more like Chicago. But regardless, which story that you see in the headlines right now in the cyber world has really caught your eye?
[00:12:32] Mitch Parker: I would say what’s going on in Ireland, because it’s multiple attacks on their network. Ireland’s not paying. And it’s a big concern for me because that’s a national health network over there. And that’s significant disruption to patients. I mean, between that, and what’s going on with Scripps and what’s going on with the pipeline, that is pretty significant.
[00:12:56] And I know there’s been a lot of talk lately also about the new executive order from President Biden. I’m very concerned also that the executive order from Biden, well, it’s going to take a while to put that in. Everything in Washington, especially in the first year of a new presidential term, takes a very long time because they’re still putting together a new government, and we’re at a very vulnerable position right now.
[00:13:23] So to make that executive order succeed, we have to put people in place in CISA, in Homeland Security and Health and Human Services to really ramp up what we’re doing very quickly. And that’s going to be a significant challenge. So you have that with Ireland. Again, that’s incredible what they’ve done.
[00:13:45] They’ve managed to cause a disruption to health services of an entire country, in the EU no less. And with Scripps Health, my thoughts are with those caregivers, my thoughts are with the IT team. Those are some great people there over at Scripps. And I really feel for them, because I’ve talked to other people in San Diego and they tell me that those people are going through a lot right now, and they’re really trying to work through a difficult situation. And I will tell you that with those computer systems, if you’re down for two weeks, you’re already on paper. The more important question is, can you survive the first one?
[00:14:27] Bill Russell: Right. Right. And actually I want to get into that. By the way, the story that has me sort of reeling is the one in Finland where they got the mental health records, not only the records, like social security numbers and back and stuff, but they got the actual notes from the psychologists, psychiatrists, and others, and their patients.
[00:14:47] And they’re actually not blackmailing the healthcare company. They’re blackmailing the actual patients saying we’re going to release your information and it’s very personal and private information. It’s kind of crazy.
[00:14:58] Mitch Parker: And what’s crazy about that. I read that entire story, and that’s a story of corruption at its core, because there’s no way that system should have ever gotten into production
[00:15:08] in the state that it was in. I’m very concerned because you’re talking about people’s mental health notes and the risk to people when their very private discussions with the mental health professionals they consult with get revealed. I’m concerned some of those patients are going to do things to harm themselves. And that’s unconscionable.
[00:15:30] Bill Russell: Yeah. I mean, that’s the worst case scenario. I mean, another scenario is they’re just never going to go back and talk. I mean, would I, I’m trying to think if I would go back and talk to a mental health professional after that happened to me. It would be tough to trust them.
[00:15:44] I mean, I’d want to do a security audit before. I know. Where are you going to put those notes? That would be my question then. I’d rather have it be paper-based than be in the computer system.
[00:15:57] Mitch Parker: Absolutely. Absolutely. Most mental health professionals I know are still on paper. That’s why.
[00:16:03] Bill Russell: Yeah. You brought up the Biden executive order. The second part of that I thought was interesting from a healthcare standpoint. As a former CIO, I’m thinking this really makes sense. And essentially what they put in place is, within the next nine months, anyone who sells software to certain government agencies, DOD and others, that will, I’m sure it’s already been in place for the DMV, has to adhere to a certain set of guidelines. They have to essentially bring their software, the commercial software that’s out there that they’re going to be using, up to a certain level. Do you think that’s something that will take off in healthcare as well? I mean, I know we have some standards, but I’m not sure. When you look, I have to think about the second: we had 800 plus applications in our health system.
[00:16:51] There’s no way that all 800 of those were up to that level. Do you think that’s something we can do?
[00:16:58] Mitch Parker: I really think that we have to rethink how we have applications in healthcare. And I will tell you, I’ve had detailed discussions with the security teams at the two largest EMR vendors. Those security teams get it. So I think they know what they’re doing. I don’t think the problem is with Epic or Cerner. Those teams are incredible, and I can’t say enough about them. I think the problem is all the little different bespoke apps we create because they do things the EMR can’t. And I think that the 21st Century Cures Act with FHIR APIs is furthering having more of the security issues, because again, here’s that has no teeth when it comes to access to our patients’ data that’s retrieved over FHIR. And also, I’m asking health systems who are basically at the point of doing vulnerability scans right now to do detailed API security scans and do pretty sophisticated software development. Again, that I don’t expect many companies that are below the billion dollar revenue level or with the expertise of Epic or Cerner to be able to do.
[00:18:14] Bill Russell: Yeah. It’s interesting. So I’m going to be the interviewer here and keep moving us forward. You mentioned that Cerner, Epic, the highest levels really get cybersecurity, which is great. Has cybersecurity got everyone’s attention yet? Do the CEOs and boards at most health systems recognize that we’ve gone beyond losing records, and we’re now at shutting down our health system potentially? Or has that gotten enough attention?
[00:18:42] Mitch Parker: I think, and again, I’m going to cite Steve Long, who’s the CEO of Hancock Regional. Steve Long has pretty much made it his mission to tell people you need to be worried about this. He’s gone out. He’s been open, he’s talked about it. He is probably the only health system CEO I know who has got out and got on record talking about the ransomware attack that his health system had a few years ago.
[00:19:09] I don’t think a lot of CEOs realize to the level that Steve Long does of what’s going on. I think there’s a lot of boards that are starting to realize it. I think that we need to make a big change with how we educate our boards, very specifically by having more IT knowledge on them. I’ve written about this and I’ve done a lot of work with John Riggi over at DHA about this, because again, we need to have them understand what the risk is, because this isn’t just about cybersecurity.
[00:19:42] It’s about the way we procure products and services and how we manage them. Security to me is an outcome of how we manage, how we procure and how we fund our projects. And good security is a good outcome of a good process, or good processes. And I don’t think a lot of CEOs get it at that level yet. And I’ll be blunt, a lot of boards don’t, and we need to improve that.
[00:20:10] Bill Russell: Yeah, well, boards are interesting to me ’cause I’ve sat on boards. I’ve had to present to boards on cybersecurity. And typically what most boards do is they have that one person, right? The one person who’s in technology who can ask a series of questions, and then everybody else in there sort of breathes a sigh of relief because that’s the one person who they feel like is putting them through the paces.
[00:20:33] And in some cases it’s a very knowledgeable person. In another case, it may not be as knowledgeable. They just might be a successful business person who happened to drive a technology company to a successful completion or even an exit. And cybersecurity, just in and of itself, is a discipline that has to be studied and learned just like any other discipline. I don’t think it’s something, if you understand that on a general level, that’s great. But I just, I felt like every time I sat down with someone like yourself or someone from one of the major consulting organizations or audit firms or whatever, they just educated me to death, because it was just, every time it was like, this is how they got into these systems.
[00:21:22] This is how they get into this system, this and, I didn’t realize how many different, how sophisticated their attacks were to get in. And I thought, well, originally we thought if we build a big enough wall, they’re not going to get in. Then we realized, all right, they’re going to get in, and our biggest vulnerabilities are people, but once they’re in, now we have to rethink our architecture.
[00:21:43] I mean, this goes to the deepest level of everything we do in IT. And it’s architecture, it’s process, it’s projects, it’s governance around which applications we let in that are not. And there’s just so much to know and learn. So let’s get constructive. Where do you start? If I just hired you for my health system, you came in, it’s following a breach. We let go of the team for whatever reason, maybe it was an egregious breach of some kind. We bring you in. Where are you going to start with us?
[00:22:13] Mitch Parker: First thing you always do at ground one, at ground zero, is you always assess the risk that you have in an organization. No matter what you do, you start off, you interview people, you do a quantitative risk assessment, because you have to understand where the real issues are, and you don’t do it in a bad way. You sit down, you talk with people, you understand what the environment is. You collect your information and you do a detailed risk assessment, because one of the big challenges you find in security is that the issues aren’t where you think they are.
[00:22:48] You have to do deep analysis and deep research. And that’s why I always start with doing that, and doing a lot of it, because ultimately I have to be able to go to senior leadership and go, this is the analysis I did. This is the process we followed. These are the results. This is how we’ve ranked it. And this is what we need to address first, because ultimately what you’re doing is you’re starting from ground zero.
[00:23:15] You are basically telling your leadership, this is the path we need to take forward. I’m going to need cooperation from your entire organization. These are the goals we have to meet as defined by the assessment. And these are the changes we’re going to have to make. And they’re not just “buy a firewall” anymore.
[00:23:31] It’s now talking about process, working with teams, understanding what they do and having them alter those processes. And you have to be a lot more collaborative as well. A big issue I find in this industry, and I’m going to be very blunt in calling us out, consultants who are very judgmental about these situations, is that they don’t understand the business. They don’t take the time to understand the business. They don’t take the time to understand the needs of the customer or the needs of the business. You have to do that first as part of your risk assessment before you do anything else. Because if you try putting anything in with security that doesn’t meet the customer’s needs or doesn’t meet the business’s needs, it will get thrown away.
[00:24:11] Bill Russell: Yeah. They just won’t do it. That’s interesting. Well, and that was part of what I was going to ask you: is that something that you would do yourself with your internal team, or is that something that you can rely on the outside for, that analysis? I think, ’cause on one side you would say, hey, we want an honest analysis, so we need to bring in somebody from the outside, and in some organizations that just happens to you, right? You’ve had a breach, your internal auditor is going to come through and do an exhaustive evaluation, and they’re just going to throw a report in front of you. But would you still do that yourself?
[00:24:48] Mitch Parker: Yes. Yes, I would. And I would hire people internally that wear the badge that isn’t the contractor badge. The reason why you do something like this is because people aren’t going to say things to outside consultants. The movie Office Space is the perfect metaphor for why they don’t want to talk to the Bobs, because if they say something bad to the Bobs, they’re going to not have a job.
[00:25:14] So, I mean, let’s call it for what it is. If you’ve got the badge, you’re an employee, you’re a team member. You show you have skin in the game and you’re willing to work with them, instead of being someone who gets parachuted in to tell the CEO, you did a bad job. You’re going to be more apt to work with me and tell me how we can constructively improve.
[00:25:38] I prefer to do things internally and not hire consultants for that reason because I get more accurate answers because people aren’t afraid of me.
[00:25:47] Bill Russell: What’s the most common gap that you find in most healthcare systems’ cyber programs?
[00:25:53] Mitch Parker: Due diligence. I think that we make a lot of effort about protection from the outside world.
[00:26:00] We place a lot of emphasis on selecting third parties. And I think the unintended consequence of SolarWinds has been that a significant amount of people offering third-party vendor programs took their marketing materials, added the word SolarWinds to them, and are making a lot of money off of CIOs that don’t know any better.
[00:26:23] I’m calling, again, I have to call it for what it is. I think that there’s a lot of work that has to be done to inculturate security into the due diligence process and into operational management. I think we’ve run security as part of a separate track too much. As part of IT, I think that’s led to the detriment of systems not being as secure, because each side assumes they’re doing the right thing.
[00:26:51] And yet they’re not working together to ensure that they are. We’re not at a point where we can operate separate tracks anymore. Security has to be more pervasive than it ever was, and it needs a different type of professional than it did 15 to 20 years ago to make this work. And nowhere is this more relevant than healthcare.
[00:27:11] Bill Russell: I came in following a breach as the CIO, and one of the first things we did is we created a chief security officer who was my peer, and now I still had a security team within IT because they did the operational stuff, right? They stood up new technologies and that kind of stuff.
[00:27:28] But that chief security officer had a sort of an internal audit function. They were an enabler. They identified, they did the risk assessment. They addressed the board, and they really were more oversight for my operational team. They were absolutely oversight for my operational team, much more so than I was as the CIO.
[00:27:48] They were the ones who were sort of dictating, here are the priorities and here’s where they’re going. Do you think we need to get closer to that model? I’m not a proponent of either. I’m just sort of throwing it out there, where the security is now, it’s almost a peer to the CIO because security needs to be that pervasive.
[00:28:07] Mitch Parker: I had this discussion with my old boss at Temple five years ago. And it was true then, it’s true now. Security is evolving as a function to be more throughout the organization than just within IT. I will tell you, half my day is spent talking to legal and privacy and my customers. It is not spent talking to IT as much as it used to, and a lot of the work you have to do with security now does not really involve IT as much as it used to. When we do our risk assessments, two thirds of the work is outside of IT.
[00:28:44] So I look at security, I wouldn’t, I mean, depending on your organization’s structure and how it is structured, every organization is different. However, security needs to be a quasi independent function within whatever organization it’s in. And I’m not going to comment on organizational structure because every org is different. And I think a lot of people in security are too worried about where the position sits.
[00:29:15] Bill Russell: Yeah. So how do you determine, this is the age old question and I’m not sure I have an answer either, so how do you determine the right amount of funding for a cyber program? Is it based on the size of your health system? The number of employees, the number of applications, the number of, I don’t know, endpoints? What’s it based on?
[00:29:35] Mitch Parker: So I look at it as, again, you go back to your quantitative risk assessment. You take a look at your risk management plan and you also take a look at your strategic plan. I actually think it’s more a function of your long range strategic plan in IT than it is any other factor.
[00:29:55] And the reason why I say this is because I look at security as something that you now make part of every project and your internal processes. So the amount of funding security gets needs to be commensurate with the ability to protect the assets, people, processes, and technologies that you’re utilizing to facilitate the long range plan for you.
[00:30:17] Bill Russell: I want a more concrete answer. You're killing me, because, you know, I went in, I saw... I'm a $7 billion health system and we're going to move some applications to the cloud. We've got about 25,000 employees. We've got 16 actual hospitals. We're starting to do care in the home.
[00:30:35] We're starting to do IoT and that kind of stuff with remote patient monitoring, and even some monitoring within the four walls of the hospital. I mean, is there something concrete that you can latch onto to say, look, you're $7 billion, 10% of your IT budget should go towards cybersecurity, or 5%, or whatever the long-term plan is? Is there anything tangible like that that we could grab onto?
[00:31:01] Mitch Parker: Oh, absolutely. And again, I can break it down. I'd say at least five to 10% of your budget needs to be focused on security and security measures. And more importantly, it needs to be built in. I look at this more as a function of each project, and I look at it as you need to build it into your ROI of every major project you do that doesn't involve actual building construction, and even then you build it into that. It has to be built into your financial models. And the biggest concern I have is not with security fighting for funding; it isn't with the amount of funding. Security at five to 10%, you can actually do a lot with that.
[00:31:46] The concern that I have is that people build these huge long-term projects, and I've seen where ROI gets cut to make a project look better, to get a higher percentage return on investment. So they'll go, ah, it already does security, and they'll cut out the security portion, cut out the IT portion. To me, the biggest danger in security these days is people cutting out the IT or security parts of ROI to juice the ROI. So we need to have leadership that says you're going to have security as part of your project costs, you're going to have the proper operational staff as part of project costs. Because again, as I was telling someone else, the second you have a data breach, your ROI is going negative.
[00:32:37] Bill Russell: Yes, they do. Especially a ransomware attack. You go on diversion for even a day and yeah, it goes negative very quickly. I get this question: small rural health systems. Can they keep pace with the sophistication of these attacks?
[00:32:56] Mitch Parker: I actually think it's possible. I mean, the issue is that you have to leverage a bunch of the programs out there that are available now. They've actually loosened up the Stark Act a little bit. These organizations can receive donations of cybersecurity services from larger health systems. However, if you use some of the really good managed security services providers out there, I don't see any reason why a small to medium provider can't have some of the big features that the larger ones have, because ultimately you're going to have to move to that model. And with the move of most of our EMRs and most of our other critical services to the cloud, that actually makes it a lot easier as well, because you're not having to put in a funding request to get some gigantic IBM server to run your ERP system on.
[00:33:47] Now it's a fixed cost. It's a lot more predictable. So you still have to do your clever financial management, but with the rise of MSSPs, I think small to medium-sized providers have a lot more options than they did a few years ago.
[00:34:02] Bill Russell: What are the key staff... I'm trying to think of how to ask this question. What are the key roles that you have on a security team today within healthcare? What do you normally have on staff? Now, I understand you just talked about MSSPs, you talked about service providers, you talked about others. And so every health system is going to be a little different based on budget, but let's assume a decent-size health system. What's the makeup of the security staff?
[00:34:28] Mitch Parker: So you've got to start with your third-party risk, because like you said, you talked about over a hundred applications. Think about how many vendors you have overall providing goods and services. You have to have a good team working on third-party risk.
[00:34:42] You have to have a team dedicated to risk assessments, and not just HIPAA, but also PCI. Because again, you take credit cards. I don't care if you're a small community hospital in the middle of Nebraska or one of the larger health systems, you're going to take credit cards, and you have to make sure you maintain some degree of PCI compliance, or if not, outsource it to someone that will, and you really have to do that. You have to have a team doing those risk assessments. You have to have a team doing that vulnerability scanning. You have to have a good operational team that keeps your servers and services patched. And you have to have someone that checks up on your vendors to make sure that they're doing what they're supposed to be doing as well.
[00:35:29] And you have to have a good incident response team, a really good service desk, and good security operations to help configure and maintain the equipment that you have.
[00:35:39] Bill Russell: Yeah. It's interesting when you talk about PCI. We always kept PCI with a separate vendor that was PCI compliant and all the things that that entailed.
[00:35:47] But then we saw Target get killed by that. I mean, you get hacked at the vendor. And so you made the point of saying we've got to keep our vendors accountable. So we have to know how to at least hire or have the people do the right follow-up audit on our vendors that are doing PCI work for us, doing the credit card transactions, and be able to do a PCI audit on those people.
[00:36:16] But gosh, the number of BAAs and whatnot, that team's got to be running around with their heads cut off. So there's a lot of work to do in that space.
[00:36:27] Mitch Parker: Absolutely. And a lot of the BAAs out there are very nonspecific in terms of security requirements. Because I learned one lesson back in my DoD days from a former Marine, which is: no vendor, no application, no system will be a hundred percent compliant, and anyone that tries to be will be bankrupt. What you want to do is you have to do best effort to make sure that they are as compliant as humanly possible, which is difficult. And you have to work with them, and it's a lot more work to do so, because a lot of these vendors, they're in a period of understanding as well. They need to understand what to do, because they're a lot like other health systems: they've been thrown into this.
[00:37:11] They don't want to see patient safety events. They don't want to see issues. They want to make sure things get done, their product is secure, and their name stays out of the press, except for good things.
[00:37:23] Bill Russell: Yeah, absolutely. Last two questions here. Any advancement you're keeping an eye on in terms of detection, prevention, threat response? Any technology or any area that you have your eye on and say, man, that would be a significant move for us?
[00:37:38] Mitch Parker: Well, realistically, I wanted to see some advancement in medical device security. So I did something that was a little bit different. I do a lot of work with IEEE when I'm not working for IU Health, and I've been working with a group that's a joint IEEE and Underwriters Laboratories group, which is P2933, which is trust, integrity, privacy, protection, safety, and security for the internet of things.
[00:38:04] And we're actually working to help create that standard for the internet of medical things so that we can have more secure devices out there, more secure data interchange, and a better architecture. I thought it was more important, instead of having some product out there, to collaborate with the vendors to get that architecture in place that we could use, and more importantly, have something that could be used internationally, because a good chunk of the medical device vendors we use are not American corporations. They're based in Europe, they're based all over the world. And we want to make sure that we have the right architecture in place that they can use, that we can build off of, because the biggest challenge I found is I didn't see a lot of good architectures in place for building secure systems. We have a lot of effort going on out there. We have some great work. However, if you can solve it at the architecture level, you can solve it at the engineering level. I believe you get a lot more traction than you would using other means.
[00:39:07] Bill Russell: I started closing these interviews with a very, very open-ended question, which is: is there any question I didn't ask or any area I didn't cover that you're like, hey, this is probably something we should talk about, the community would really benefit from a conversation around that topic?
[00:39:25] Mitch Parker: So I'm really trying to think, because we've covered a lot of ground today, and I think...
[00:39:28] Bill Russell: We did, we absolutely did.
[00:39:30] Mitch Parker: I think that the biggest thing that we need to continue talking about more is not security as a discipline in itself, but security as it works with the rest of the delivery organization, and also integrating it more with privacy, because ultimately security is an incredibly good function.
[00:39:52] We align with the mission and values. We love doing what we do. However, we need to have that quote-unquote force multiplier to be able to be more effective, and that is working with our customers in more of a cross-disciplinary manner. And that's something I've seen a lot of in healthcare outside of IRIS.
[00:40:13] And I'd like to see a lot more of it within IRIS. And again, I look at people like Ed Marx as my model for how I do this, because Ed did a lot of great work with this at Cleveland Clinic. And I look at what he's done as the model for security and how security needs to evolve over the next few years.
[00:40:31] Bill Russell: Awesome. Hey Mitch, thanks for your time. We really did cover a lot of ground in these 35, 40 minutes. So I really appreciate you sharing your wisdom and expertise with the community.
[00:40:43] Mitch Parker: Awesome. Thank you very much for the time, Bill. And again, always great speaking with you.
[00:40:47] Bill Russell: What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference-level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.