Providence CISO offers tips for a ‘pandemic-ready’ cyber strategy
Seattle-based Providence was forced to learn quickly in the spring of 2020, with Washington state one of the early U.S. hotspots as SARS-CoV-2 spread. The health system quickly stood up an array of new clinical innovations to deal with the public health emergency, pivoted its consumer-facing tools to help manage its response to COVID-19.
The health system was well-positioned to do these things, because it was already well into the process of a sweeping digital transformation.
“Heading into the pandemic, we were already on the journey for cloud adoption, pushing applications out of our data center-driven approach of the past, our on-premise-driven approach in the past, to this cloud-delivered vision of the future,” said Adam Zoller, Providence’s chief information security officer.
As it does so, the health system is “pivoting from an acute care-centric model, where we funnel patients into our acute care facilities, to a model where we’re going to be delivering more services along the lines of telehealth home health visits,” Zoller explained.
“What that means is a lot of our carryovers that were in this acute care-centric model are now going to be required to adopt technologies like telehealth.”
It also meant that, as the COVID-19 crisis forced hospitals clinics around the country to rapidly scale telehealth for patients embrace remote work plans for staff, Providence was, in some crucial ways, a step ahead when it came to its privacy security capabilities.
Even several years ago, the health system was already working toward a more nimble, cloud-based outward-facing security strategy, said Zoller, knowing that “in order to adequately secure our data in our IT systems our people, we were going to have to adopt security strategies that enable us to allow people to use things like telehealth.”
At HIMSS21 in Las Vegas next month, Zoller is scheduled to offer a presentation on Providence’s pandemic-era cybersecurity experience. He’ll discuss how he his team have adjusted their strategies to handle the demands of virtual care work-at-home, defended against ransomware and, hopefully, positioned themselves for a challenging future of expanded attack surfaces relentless attacks.
He’ll also discuss how to craft cybersecurity plans that keep a focus on human factors not just technology. Such an approach, he says, will be essential for risk mitigation in this new era of cloud-first, decentralized care delivery endemic ransomware.
“We had to push the control infrastructure, the ecosystem, out to the endpoint level adopt a cloud-native solution that enabled our caregivers to communicate with the control environment no matter where they were in the world, without having to rely on a VPN,” said Zoller.
“The technologies should travel with our caregivers on their devices, versus having to commute back to a data center in order to be secure to give us the visibility control that we need.
“In the first probably two months into the pandemic, we published an updated telehealth policy an updated remote work policy for our caregivers. So policies standards were being updated, the technology stack was being updated to enable our caregivers to go remote.”
Adam Zoller, Providence
Another big change as the public health emergency gained steam was “quickly ushering through the telehealth policies the remote work policies that were already in motion. Those got greatly accelerated because of the pandemic,” he explained.
“In the first probably two months into the pandemic, we published an updated telehealth policy an updated remote work policy for our caregivers. So policies standards were being updated, the technology stack was being updated to enable our caregivers to go remote.”
Zoller credits the forward-thinking ambitions toward virtual care pre-pandemic for its ability to respond to the crisis with secure telehealth expansion.
“If we weren’t proactively looking for those next modern capabilities – if we weren’t already evaluating deploying them, if we didn’t already have contracts, BAAs that have been signed all this other stuff – it would have been months before we could adopt. That would be in the middle of a pandemic, that would have been really rough.”
That’s why, “from a security standpoint, really from an ecosystem standpoint, it really behooves teams to stay ahead of capability developments just stay current on what’s happening in the industry,” said Zoller.
“Not everyone’s going to be able to go app-to-cloud at the speed that Providence can,” he admitted. But “there’s been better technologies available for a number of years.” And too often, he said, inertia complacency are “getting organizations compromised by ransomware.”
So that’s Zoller’s No. 1 piece of advice: “Don’t be complacent. Try to stay current on developments in the technology side of the house to just understwhat capabilities exist for the strategy that you’re trying to fulfill.”
Oh, by the way, he added: “Have a strategy!”
“A lot of companies don’t have a documented cybersecurity strategy beyond just a technical approach to how they’re solving point-in-time problems – not just in the healthcare industry. I saw this in the financial sector. I saw this in the industrial sector. I saw this in the defense industrial base.
“That technical approach, oftentimes, is, ‘The board’s asking me about ransomware. I’m just going to implement a technology that says it combats ransomware call it a day.’ It really behooves technology security leaders to not only communicate with the board understthe board’s concerns – but to also understthe business’s direction understwhat risks exist in that strategy – to build security capabilities that align with the business strategy to reduce risk.”
It’s key to “always look at it as a risk-reduction function,” he said, “not as a technical problem that I’m going to solve with technology. Take a step back again separate the technical problems you’re trying to solve the technology from the actual strategic problem you’re trying to solve, which is to reduce risk.”
Too often, simple basics are overlooked, he said. “That’s what’s getting people compromised: not having secure remote access solutions, not doing regular patching. Those are the things that are leading to these big ransomware outbreaks. It’s nothing fancy. It’s not securing in your domain administrator account. It’s not securing remote access.
“If you can do that,” said Zoller, “you’ll be successful in a pandemic, an earthquake, it doesn’t matter, because you’ll be prepared for all those things.”
Zoller will explain more during his HIMSS21 presentation, Is Your Cybersecurity Strategy Pandemic-Ready? It’s scheduled for Tuesday, August 10, from 2:30-3:30 p.m. in Venetian, Marcello 4501.
Twitter: @MikeMiliardHITN
Email the writer: [email protected]
Healthcare IT News is a HIMSS publication.