The Pragmatic CISO: How to Get Results in Cyber Risk Management

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:19] Hello and welcome to the CyberPHIx, your audio resource for information security, privacy, risk and compliance, specifically for the health care industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders and health care, information, security and privacy. In this episode, we'll be speaking to Mitch Parker, who is the CISO of Indiana University Health. I'll be speaking to Mitch today about being a security pragmatist and how to get results in cyber risk management in health care settings. Now let's get on to another great conversation with yet another amazing guest, Mitch Parker of Indiana University Health.

Brian Selfridge: [00:01:03] Hello and welcome to the CyberPHIx, your leading podcast for cybersecurity, privacy, risk and compliance, specifically for health care. I would like to welcome my guests, Mitch Parker. Mitch is the chief information security officer at Indiana University Health. He's one of the most prominent voices in health care cybersecurity and has over 16 years experience leading security and risk programs for health care entities and academic medical centers. Prior to Indiana University health, Mitch served as the CISO for Temple University Health System in Philadelphia and served in consulting roles with the Defense Logistics Agency and other government and health care entities. Mitch talks the talk and walks the walk with health care cybersecurity risk, and we were very excited to have him as a guest on the CyberPHIx.

Brian Selfridge: [00:01:42] In our session today, The Pragmatic CISO How to Get Results in Cyber Risk Management, we're going to take advantage of Mitch's decades of operational experience and find out what really works when implementing cybersecurity and compliance programs for health care. And we're going to cut through all the noise in the industry to help identify realistic and achievable practices that deliver results and reduce risk for health care organizations. So no pressure match. That sounds like a lot a tall order for us to to tackle. But thank you so much for taking the time to be here with us today.

Mitch Parker: [00:02:10] Thank you very much for having me.

Brian Selfridge: [00:02:12] So what does it mean to be a pragmatic health care CISO and how does that differ from, let's say, an idealistic one? What is that? What does pragmatism mean to you?

Mitch Parker: [00:02:21] Pragmatism means that you've quantitatively assessed what your risks are, the environment, and you're able to effectively communicate them and talk about ways to do so using planning as opposed to this is what we need to do and opining. Everything has to be quantitatively based and you really have to focus on what is achievable given limited constraints that you have.

Brian Selfridge: [00:02:47] So let's talk about some details around what that means maybe in practice. I'll pick on some security domains here just to to throw them at you. So let's say vulnerability management, for example, what what would be example of something that's achievable for a program in health care specifically as we're a very special animal, is, as you and I both know, what's achievable versus what's maybe unrealistic for vulnerability management program, just to make this a little more real for folks.

Mitch Parker: [00:03:13] OK, so achievable is building a program to show overall improvement, getting patches on systems and removing vulnerabilities by remediating them. So what you want to do is you want to go for one hundred percent compliance. No one gets that nothing. The Defense Department, you want to go for an upward trend. And what you want to do is take a look at how many vulnerabilities you have and set a goal of fixing a percentage of them by the end of the year because, again, you're not going to go zero to 60. And a lot of these organizations won't really do that vulnerability management is new to them. And that FDA guidance, even though it's a few years old on medical devices, a lot of clinical engineering departments haven't done it yet. So you need to be able to walk before you can run. So setting so achievable goals of getting people to actually patch and getting them to patch a certain percentage of the open vulnerabilities by the end of the year is the first and most important goal to do.

Brian Selfridge: [00:04:16] Let's dig into medical device security a little bit more. Since you mentioned it, I know a lot of organizations that sort of when they look at medical device security like, OK, we're going to tackle it, they might be a tool or they might sort of start to take baby steps toward that that issue. What do you think is achievable, especially with all the dependency on the medical device manufacturers? What can you actually get done versus maybe what some folks are trying to do? That might be a little bit too ambitious.

Mitch Parker: [00:04:42] The first and most important thing has to do with the medical devices is catalog what assets you actually have in the first place because you can't protect it if you don't know about it. Make sure you have a good process to establish that configuration manager database and keep it up to date because that's how you fix problems is by first understanding what your problem is, understanding what the domain is.

Mitch Parker: [00:05:06] And then from there, what you do is you build on what can you effectively patch and service and take a look at how you and service your devices now, because to be very blunt, if you're not repairing or doing due diligence and do care on your devices now, you're not going to do security patches. So you have to make sure you have good processes in place for actually maintaining them and make sure you're on a good fixed schedule. Then what you do afterwards is after you establish that get that good program in place, then you start thinking about security patches and updates, because if you don't have a good program to maintain devices and you have a good program, you do diligence and you try and force having security patches. On top of that, you're going to fail. And it's better to establish a baseline, establish how many good processes and then think about security as a process that you build on top of these existing processes.

Brian Selfridge: [00:06:10] I want to talk about the regulators and the manufacturers a little bit because things are changing, right? They just appointed the FDA, just appointed a new head of medical device cybersecurity. Kevin Fu's a long time leader in this space. And for the longest time, manufacturers dragged their heels right with what they can patch and especially around like legacy devices. What do you think is a reasonable expectation of the external players and medical device that are actually going to deliver value to health care delivery organizations? Is it can we expect them to patch legacy devices? Can we expect them to deliver new devices with actual proper security configured and patching cycles or or is that too is that too unrealistic?

Mitch Parker: [00:06:51] Well, I think it's a multidimensional challenge. And the first thing you have to take a look at is a lot of these legacy devices, they might not even have the ability to put and build patches for these devices. You're talking about systems that were developed called Windows ninety four point was a common operating system. And people don't understand the life cycle of these devices is pretty ancient. And also the talent that worked on developing these systems.

Mitch Parker: [00:07:20] A lot of them are not in a position to even build that software anymore, and we don't take that into consideration. So you're not going to see a lot of patches. Also, you would have significant mergers and acquisitions in this industry. So they might it might not even belong to the same company. So there's a lot that really has to be sorted out. I think a lot of the work that's been done on software and materials is going to help with sorting that out.

Mitch Parker: [00:07:49] And I think that some of the really good medical device security companies out there are also help sort that out with getting people to patch levels of information they need. But ultimately, you have to be in a position where you are actually able to deliver those patches. And that's a big push. And I've actually had good conversations with one of our vendors about this, about how they're building, for patching, for the life cycles. And making sure that they're able to support a device for a given life, for the given life cycle.

Mitch Parker: [00:08:24] And again, people make a huge deal about Microsoft Windows because it has a 10 year life cycle. The Linux Kernel for certain Linux kernel revisions has less. So I'll give an example. I was dealing with negative under a few weeks ago, and they're talking about using the Linux two point six kernel. They make custom circuit boards for Iot devices. Here's the problem. They get firmware and Kernel device drivers that are only good for certain components of that board. For certain revisions of Linux. They couldn't go to a newer version of the Linux kernel if they wanted to.

Mitch Parker: [00:09:07] So we have to take these into consideration. Is just not Microsoft, Microsoft, Microsoft, like a lot of people make it out to be. There's a huge issue with Linux and other embedded operating systems where you might not be even able to get updated device drivers or because of M&A in the various subcomponent industries, you're not able to get security patches the way you would for certain other companies. Right now, for example, people to make Android phones are running into this left and right. Apple can give you five years of patches because Apple makes the chips, Samsung makes chips so they can give you five years of patches. Not everyone is Apple and Samsung. And 80 percent of the world has phones that don't get security patches because of that reason, they don't control the supply chain.

Mitch Parker: [00:09:59] So I think that with SBOM, software bill of materials, I think that it's a significant engineering effort. And based on the companies that I have spoken with, they are expending the resources towards putting the lifecycle development in place and more importantly, also adhering to international standards. And I look about it as international standards because a lot of these companies that sell medical devices, they don't have to follow just American standards. And I think a lot of the efforts that we've had have been very US centric. In a lot of the companies that are not based in the United States have had some significant issues and say inTrying to explain that areas, that kind of leadership, why should we follow an American based standard when 80 percent of our business is outside the US? So working with them to help them align to IEEE? Well, and ISO standards, there's also going to be a significant challenge. And on the back end, if you take a look at everything that NIST has put out, there's a significant reliance on ISO these days.

Mitch Parker: [00:11:11] So you also have to take that into consideration. But it's a significant engineering effort and it's just not as simple as, say, we're going to support something for 10 years. It's a concerted, low level engineering effort requiring commitment from top leadership companies. And thankfully, with the companies I've spoken with, their leadership is putting their money where their mouth is.

Brian Selfridge: [00:11:35] So we talk about practical applications and things that we can do. I want to switch gears a little bit and talk about phishing as one of the primary vectors of entry. We've seen that over and over again. And I get the sense with some CISOs that there's this desire or expectation that they're communicating that what we're going to no one's going to click and we're going to ask everybody, it's going to be perfect. Is is perfection really realistic for phishing protection programs or what is what's the threshold we should be aiming for? Obviously, with any click is a bad click, but is that realistically achievable?

Mitch Parker: [00:12:09] With what we've done with our reliance on mobile devices? No, it's not achievable. And I'll tell you why. There's a few factors at hand. The first factor at hand is we're using mobile devices. Mobile devices don't show email addresses. And if I have to ask someone to squint and read an email address on the mobile clients that they use, then I've already failed.

Mitch Parker: [00:12:30] Second part of that is, is that these mobile devices don't have a lot of the network security protections that we have on regular networks of the instant VPN connections to get email and they get their email from the cloud like everyone else. So asking people to read and do everything they do on a desktop like they used to with some of the phishing tests on a mobile device that's just not going to work. The majority of our users use mobile devices and they're not going back, especially with the pandemic. Everyone uses a mobile device because they don't want to open up a laptop in their house. And when you've got a couple of kids on the couch doing class work on chrome books, you're not whipping out your own laptop. You whip it out your phone because it's convenient. It's there. It takes five seconds. So what it comes down to there is you have to put some really good defensive measures in for email, and I don't think a lot of people have done that. I think there's been overreliance on using allow lists to put emails in inboxes so they can, quote unquote, avoid the junk folder, as opposed to actually telling our vendors, you need to be more compliant.

Mitch Parker: [00:13:42] Because the problem you have there is you're allowing emails to come in that can be spoofed from other domains. And it's very easy to do. And we haven't done anything very well to address that. The fact that having a conversation with senior leadership that says, OK, can you open up this domain, we're told, go to your senior leadership and go, please open up this domain so it does not end up in the junk folder. That's not a conversation we need to be having.

Mitch Parker: [00:14:18] And ultimately that leads us to increased risk. And I just had this conversation with other people and I just put an article out of that, actually, because I don't think a lot of people in my position understand why this is critically important. However, it's not about lowering the click rates, it's about increasing the confidence people have that some Yahoo is not going to spoof the CEO and send an email because these emails look convincing. They look real. And I can't turn people into AI spam detectors. I can do a better job of making it so that the false positives. Don't make it through, and I can make it harder to send spoofed emails and put some products in place to help augment that strategy that can help screen out some of the really nefarious ones better.

Mitch Parker: [00:15:12] But at the same time, I can't expect users on a limited user interface to be able to tell the difference as well as they used to, when you could hover over a link on an outlook. And honestly, if the marketing emails like I set out these days get mistaken for phishing emails, so it's more about preventative measures, let users know what email addresses actually send emails. Make sure you have your good defenses in place. And when someone calls asking about that allow list, you have the conversation back that says you need to make sure that. You're sending that you're sending e-mails that are d mark compliance, and I'm not talking just having a DMARC record in DNS, I'm talking about actually having a good policy of rejecting emails. And if they don't, then that's you've got to make that a deal breaker, because ultimately, if you don't do these things, you put everyone at risk. And failing a fishing test isn't putting people at risk.

Mitch Parker: [00:16:11] And again, I look at hospital culture and "just culture". And a lot of the studies that were done at Ochsner and other places are from some journals I've read and Just Culture emphasizes when you have a problem, you fix the root cause of it. Terminating an employee because they. Click on a phishing link isn't fixing a problem, the problem is the phishing links, so it looks so similar to your existing emails and your communications look so similar. What you're doing doesn't align with the culture of your organization. Now I can understand terminating an employee because they look at someone else's medical records because this is extreme violation of a patient's privacy. A patient has their right to privacy with their care providers and care team. But clicking on a phishing link, no, we can and we need to do better than that.

Brian Selfridge: [00:17:12] So we'll have to scrap that email header analysis training initiative that we had lined up to teach all the workforce how to dig through the headers. First wash hands, second is email header analysis training, so that's that's not going to pan out.

Brian Selfridge: [00:17:31] I want to get out of the tech space for a second, although I know we're both very comfortable there and enjoy speaking about that part of it and leverage your experience around people management and what's what's realistic. So when we look at stakeholder management relationship building, what are some approaches that you think work? Not that we're manipulating people or anything, but what are some approaches to building meaningful relationships that that that can actually help you gain traction, your program that you might want to share with our listeners?

Mitch Parker: [00:18:04] The most important thing is you always follow up with your customers, Your customers are calling you, you follow up very quickly. You make sure and you ensure customer satisfaction. I preach this daily with my team. Is that keeping the customers happy, keeping the customers informed and keeping the customer well communicated to is an incredible offer is just doing the right thing to do and everything starts from there. You don't build good customer engagement. You're not going to build a good team member engagement and you're not going to have a good place to work.

Mitch Parker: [00:18:44] You have to make sure you constantly communicate with your customers, you constantly follow up and that you make sure that they're satisfied with the quality of service. We're not in the line of business where people. The good news a lot. It's just as critical for us to be. Incredible, but how we deliver as it is for us to have a good high quality of service because of that, because the expectation for us isn't very high and we have to exceed it. And that's I mean, that's the problem I had when I came to IU health. There was not high expectations for my team. And I worked very, very hard to set high expectations.

Mitch Parker: [00:19:32] So when I could have those conversations with our senior leadership team, it is about the high quality of service they are receiving and that we are working to align ourselves with the mission values of the organization.

Brian Selfridge: [00:19:48] Are there any traps or pitfalls that you've seen, other organizations that you work with and talk to that maybe set their sights to too high and too ambitious in their program objectives that maybe could have been better served to be tempered a bit? Have you seen any war stories that you've seen? Not not yourself, of course, because you've always done things perfectly, I'm sure. As have I. Just kidding. But yeah, anything that you could share there.

Mitch Parker: [00:20:17] I prefer to use the word alignment. And the most important thing you can think of is you have to be in alignment with several things in eyes of your organization and your customers needs because you never want to be in the position where someone asks you. Did you talk to the customer about this?

Mitch Parker: [00:20:38] You ask the customer what their needs were because you can build these incredibly ridiculous, complex solutions, but they don't meet the customer's needs. Then what's the point of having them? There's no point is what it comes down to. And so whatever you build out your solution, you build out your projects, you need to always keep your customer in line, keep their needs in mind, keep them informed, and keep everything aligned with the values of your organization. Because if you don't do that, I can pretty much guarantee failure.

Brian Selfridge: [00:21:19] So we could we could talk about this stuff all day, and I know we both we both have to go feed our kids soon as it's getting that time of day for both of us. Anything else, Mitch, that you would you would share with our listeners about this idea of practical success versus versus idealism? Any other nuggets or thoughts or closing thoughts that you'd have for us?

Mitch Parker: [00:21:40] Oh, absolutely. And I think the biggest thing you can do is just make sure you keep aligned with your business, Make sure you still have good customer relationships and that you're always make sure you're meeting your customers needs. Because, again, security, there's a lot of people that think that security is more important than the business. Security is there because of the business, is there to support the business. And more importantly, it's there to support the businesses, customers. And we always have to keep our customers in mind. So the more that we do that, the better off we are and the more success will have in being able to meet their needs while also addressing security needs.

Brian Selfridge: [00:22:29] Well said, certainly. And I know my customers, our patients are also critical part of that. And maybe we need to help them in ways that they can't help themselves, which is sort of how I always sort of think about this stuff, too.

Mitch Parker: [00:22:45] Absolutely. And again, patients there reason in health care why we're here and we need to make sure we meet their needs most of all. And however, I mean, big thing I always keep in mind is we have to keep in mind the people that also serve the patients, not just doctors and nurses, but also the people that work in the call centers and environmental services and everyone else. We're all part of a team here. No one is and no one is better than anyone else. And the second that we don't second that we think that we're better than someone else is the second that we've lost.

Brian Selfridge: [00:23:24] Important words for the pandemic, for sure. Well, Mitch, I would like to thank you so much for joining us. My guest is Mitch Parker, who's the CISO of Indiana University Health. Mitch, you've given us a lot to think about and hopefully to go apply to our own organizations or your own organizations of our listeners now and going forward, as I think a lot of the principles you pointed out here are time tested and will last the test of time going forward. So thank you so much for a great discussion. This has been great.

Mitch Parker: [00:23:51] Thank you very much. And have a great one, Brian.

Brian Selfridge: [00:31:47] Again, I would like to thank my guest, Mike Parker, for sharing his insights on practical ways to deliver effective risk management programs for health care entities. I love his commentary about running the security program with a customer centric approach and his advice for managing technical security implementation, for patching medical devices and other assets. A lot of good ideas here that have been proven in the field by Mitch over the years. Really great stuff. As always, we'd like to have your feedback and hear from you. Our listeners feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is CyberPHIx@meditologyservices.com. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for a next session coming up soon.