With all the ransomware and other attacks hitting healthcare this year (as predicted by the FBI), I keep finding myself having this recurring daydream in which I’m a CISO for a hospital and I get called before the board to assure members that we are on track.
The showdown goes something like this:
Board member: (Bluntly and straight to the point) Why should we not be concerned about becoming the next headline about a security failure?
Me: Pretty much all of the bad things that could and would happen to us can be attributed to two things: users and the Internet. So we scrub the Internet, including encrypted traffic, as clean as a surgeon going into the OR, and we remove healthcare data from the user’s direct touch.
Board member: How do you scrub the Internet?
Me: Simple, we have the EXACT same security stack as the largest organizations in the world. And not just within healthcare, but in manufacturing, research, finance, just about any you can think of. This lets us provide the same protections to all users, regardless of their location, even when their devices are sitting at Starbucks. Nothing bad gets into our network, and nothing good leaks out. Our cloud security platform is ISO 27001 certified and beyond compliant with all of the other industry benchmarks.
Board member: I appreciate the importance of ISO certification, especially when it comes to security, so are you saying we are ISO 27001 compliant and certified throughout the organization?
Me: Not our entire organization. Not yet, anyway. But, since the Internet and the users are where our risks really come from, we nailed that down straight away. I can't even begin to imagine what it would take us to build such credibility for the entire Internet security stack ourselves, let alone maintaining it and extending it to all of our locations—which is why we are very happy to simply and effectively consume the security stack as a service. Having that covered affords us the opportunity to use our resources much more effectively inside the data center, really setting an example for all of healthcare to follow. Also, compliance is a great measuring stick, but as those of us on the front lines are fond of saying, compliance does not equal security. Since we really go beyond when it comes to security, compliance is just a happy byproduct of that effort.
Board member: How does this (does the air quotes with the fingers gesture) "afford us the opportunity"? Please elaborate.
CFO: (Jumps in to take this one, with me smiling) Please, allow me… I spoke with several of my peers and validated the Internet security platform that Kevin is referring to, and eagerly gave my approval for our move to the cloud security platform in this case. The numbers were all incredibly good, almost unbelievable. It’s just an amazing find. Specifically, where we used to spend perhaps double digits for each user per month when it came to Internet security, we are now down to single digits. We haven’t yet tallied the entire ROI, but we expect it to come in as millions of dollars saved each year. This cloud platform has also allowed us to solve some very large problems I didn’t even know we had, such as inspecting encrypted SSL traffic and having the security follow me wherever I go. I never really appreciated just how crazy it was to spend all of this money on security that only protected a few locations, especially as most of it was bypassed when the users were off the hospital network, even while at many of our remote clinics.
The bottom line is, we spend a fraction of what other healthcare systems spend, while enjoying security on par with that of the most advanced security teams out there (the ones who don’t make all the news headlines). And a bit of a personal note here: I love not getting a request to buy a new security appliance, software package, or upsize what we already have in place seemingly every few months.
CIO: (With me still smiling like a kid with an ice cream cone) I would also like to add that I had a conversation with Dr. Jones, who I believe you all know, and he said to me how much he appreciated how fast the network now is, how few complaints he hears from colleagues when it comes to the performance and availability of systems, and especially that the newer mobile program that we are now able to direct our attention to has them all feeling like first-class citizens of the hospital, rather than external partners. It was an amazing feeling.
Board member: Okay, thank you all. That is really what we all needed to hear. Amazing work! Thank you!!!
Me: (I acknowledge in kind and leave)
Board members: (Now behind closed doors) Hey CIO and CFO, please make sure the IT team gets a big bonus this year. Not all of what was saved (good-natured laughter from the group), but enough to properly recognize the vision, execution, and clear contribution this team has made to our ability to provide the best care possible. We don’t want to lose them.
A bit about me, Kevin Peterson, and my specific healthcare experience:
2 years with Covenant Health, systems analyst
6 years with McKesson, product manager for healthcare security solutions
2 years back with McKesson, IT Risk Leader for one of their major business units, with company-wide efforts around cloud security from A to Z (Azure to Zscaler)
Advisory Board Member with Gwinnett Technical College in metro Atlanta for their great Feet on the Ground healthcare IT program
Married to a Registered Nurse (RN), who started out with the National Health Service in the UK (which just so happens to now be Zscaler’s largest customer in terms of number of users: 1.6 million users!)
So that's my daydream (a very realistic one, thanks to Zscaler). If you have a better one, I would love to hear it.