As part of our webinar on Cal-Secure, Dylan Pletcher, Chief Information Security Officer for the California Department of State Hospitals, had a Q&A session with Carlos Ramos, Principal Consultant at Maestro Public Sector and former State of California CIO. Their conversation focused on the perspective of an IT leader who is in the line of fire dealing with cyber threats, on how to implement the recommendations in the Cal-Secure roadmap, and on how to leverage some of the resources and capabilities that are offered.
Carlos Ramos - You're on the leading edge - keeping your environment, your agency, and its mission secure from cyber threats. The Department of State Hospitals provides 24-hour care. You run hospitals up and down the state, leveraging a lot of technology on behalf of the vulnerable population that you serve. These technology systems include direct patient care, case management, pharmacy systems, and patient records. You have facilities management and control systems. You have to run warehouses and procurement and supply chain systems, along with all of the typical operational systems that agencies rely on, such as administrative systems and office automation. How do you keep up with cybersecurity threats with such a vast array of solutions to safeguard?
Dylan Pletcher - The California Department of State Hospitals is like a small city. We have our own police force, fire department, cabinet shops, electricians, plumbers, food service, schools, laundry, postal services, and of course, a lot of in-house medical services. We have primary care, pharmacy, physical therapy, radiology, mental health services and so on. As you can imagine, we have a whole host of electronic systems and devices ranging in security capabilities from medical IoT devices and blood testing gear the size of an Amazon Echo, to a large x-ray machine and complex automated pharmacy dispensing systems. Some have wired or Wi-Fi access; some connect over Bluetooth, like portable ECG devices. But one thing they have in common is that they all want to talk to the internet. Trying to keep them secure and permit only necessary traffic is definitely a challenge. Segmentation is important, and we're starting a project leveraging Zscaler Private Service Edge. For example, we have additional network access control to profile unmanaged devices into quarantine, on authorized devices, as well as on the people side of things.
One of my key responsibilities is maintaining an open dialogue with all of our business units. Engagement early and often on any initiative is critical to ensure a partnership that fosters security, in addition to the usability of that system. That communication can't be limited to just executive staff - stakeholders need to be involved as well. We have a staff of 13,000 employees, and every one of them has a direct line to me and my staff for any security concerns. We have to be more than just the enforcers of information security policy; we have to be advocates as well. Education is at the forefront of our program. We have annual training, we have phishing exercises, and we email out tips and tricks regularly. Occasionally I'll do presentations to larger groups such as our accounting staff or our legal staff. I've noticed a drastic change in attitudes since I shifted away from simply stating policy, and instead turned to helping our employees stay safe in their personal lives. Some of my messaging now has the flavor of "do this to keep your personal account safe. And oh, by the way, do this at work, too." This has really helped us instill a culture of security that sticks with them 24 hours a day.
Carlos - Are people becoming more aware and more focused on cybersecurity?
Dylan - Absolutely. A good example: I was walking back from lunch one day, and one of our executives passed by and said, "Hey, Dylan, I just want to let you know, I caught that fish." I'm really encouraged by the numerous instances during the day when people see me and comment, "Hey, that tip that you said about turning on multi-factor authentication, that was really important to me." That really has been a focus - turning away from just saying "here's the policy" to "this is why you should do it." If you can make it relatable to them, I think you really do engage with them so much better.
Carlos - I'm sure that during your time in information security, you've seen a lot of change. How do you deal with the evolving nature of cyber threats?
Dylan - We're moving away from a device-centric view, where this PC can communicate with that server, and moving more towards the need to let only permitted executables communicate with other applications. With our shift to remote work and cloud services, it became even more important to limit access when the device or application isn't acting the way it's expected to. A threat that's often overlooked is insider threat from deliberate or careless action, and Cal-Secure does have insider threat as a Phase Five item. I did see that overlap with other capabilities, such as continuous monitoring, data loss prevention, privilege, and access management. Depending on your environment, it may make sense to implement different things sooner. The threat from users that are susceptible to phishing is truly frightening. Multi-factor authentication is in Cal-Secure Phase One, and that's for good reason. Credentials are pitifully easy for an attacker to obtain. One of the easiest ways to make yourself a less appealing target is to implement MFA, and when you pair that with strong anti-phishing and anti-malware tools, you really have a good foundation to build upon.
Carlos - The pandemic changed the workforce, changed the way that we operate, and really changed what we had to rely on in the way of systems to be able to do our job. Did it change the way that you approach cybersecurity or keeping your systems safe, with the impact of work from home?
Dylan - We have clinical staff, and with patients in hospitals, there's no way to be entirely working from home. Still, most of the employees on the administrative side have had to do extensive remote work. Some business units went home in March 2020, and are still nearly 100% remote to this day. Supply chain issues were very significant and getting PPE was tough. Food that was served in group settings before had to shift to individual servings in separate environments. Getting our hands on electronic gear was tough due to shortages of computers and video conferencing tools. We knew even before the pandemic that we did not want users to have network-level access. So the traditional VPN was out before it even started. But we did have to buy a lot of licenses and expand our virtual environment to get access to virtual applications. We also had some virtual desktops for cases where applications didn't work well in that kind of virtual environment. So they could actually connect to their desktop that was on prem and run applications that way. We suffered the same issues that everybody else had with laptops, headsets, and cameras not being available. We were able to get laptops to most of the people that were already working remotely, or those that had a mobile mentality, even before the pandemic started. We did have to get a few Chromebooks to handle some of the folks, just so we had managed devices that would be connecting to our environment. And we even had a couple of people that had to take desktops home.
Our technology stack allowed us to keep a secure environment even as we moved remote; we already had the plumbing in place to deliver virtualized applications remotely. Zscaler's ZPA (Zscaler Private Access) really was a game changer for us. It allowed us to eliminate a lot of the public-facing virtual applications and tie them down to the user, putting restrictions even on where they could connect from. Some people were taking advantage of working from home and they were traveling - so they'd be in Hawaii or on the East Coast, and still be able to work. From our standpoint, it didn't make a difference where they were, but we still wanted to be able to control where they came from.
Carlos - As a practitioner, what advice would you have for your fellow practitioners in terms of leveraging the Cal-Secure roadmap?
Dylan - I've leveraged Cal-Secure in three different ways. The first is that it gives me leverage to say, "Yes, this tool is expensive, but it's critical." And you don't just have to trust me. Cal-Secure is something that I can point to that has the weight of the State CISO's and the Governor's endorsement. So that's a powerful tool for justifying spending. The second is that it helps us strategize and plan our next steps. If your department needs some guidance, it gives you some guidance. Phase One through Phase Five, maybe those aren't necessarily the ways that you would want to implement it; maybe you want to shift things around a little bit. And that's fine, too. It depends on what your environment is. Third, I would say it helps to tell a story to those that are less IT savvy, that our strategy and our roadmap are in line with industry best practices. It's always good to have that validation that what we're trying to do internally with our department is something that's valid.