Providence CISO offers tips for a 'pandemic-ready' cyber strategy

Seattle-based Providence was forced to learn quickly in spring of 2020, with Washington State one of the early U.S. hotspots as SARS-CoV-2 spread. The health system quickly stood up an array of new clinical innovations to deal with the public health emergency, and pivoted its consumer-facing tools to help manage its response to COVID-19.

The health system was well-positioned to do these things, because it was already well into the process of a sweeping digital transformation.

“Heading into the pandemic, we were already on the journey for cloud adoption, pushing applications out of our data center-driven approach of the past, our on premise-driven approach in the past, to this cloud-delivered vision of the future,” said Adam Zoller, Providence’s chief information security officer.

As it does, the health system is “pivoting from an acute care-centric model, where we funnel patients into our acute care facilities, to a model where we’re going to be delivering more services along the lines of telehealth and home health visits,” Zoller explained.

“What that means is a lot of our carryovers that were in this acute care-centric model are now going to be required to adopt technologies like telehealth.”

It also meant that, as the COVID-19 crisis forced hospitals and clinics around the country to rapidly scale telehealth for patients and embrace remote work plans for staff, Providence was, in some crucial ways, a step ahead when it came to its privacy and security capabilities.

Even several years ago, the health system was already working toward a more nimble, cloud-based and outward-facing security strategy, said Zoller, knowing that “in order to adequately secure our data and in our IT systems and our people, we were going to have to adopt security strategies that enable us to allow people to use things like telehealth.”

At HIMSS21 in Las Vegas next month, Zoller is scheduled to offer a presentation on Providence’s pandemic-era cybersecurity experience. He’ll discuss how he and his team have adjusted their strategies to handle the demands of virtual care and work-at-home, defended against ransomware and, hopefully, positioned themselves for a challenging future of expanded attack surfaces and relentless attacks.

He’ll also discuss how to craft cybersecurity plans that keep a focus on human factors and not just technology – such an approach, he says, will be essential for risk mitigation in this new era of cloud-first, decentralized care delivery and endemic ransomware.

“We had to push the control infrastructure, the ecosystem, out to the endpoint level and adopt a cloud-native solution that enabled our caregivers to communicate with the control environment no matter where they were in the world, without having to rely on a VPN,” said Zoller.

“The technologies should travel with our caregivers on their devices, versus having to commute back to a data center in order to be secure and to give us the visibility and control that we need.

“In the first probably two months into the pandemic, we published an updated telehealth policy and an updated remote work policy for our caregivers. So policies and standards were being updated, and the technology stack was being updated to enable our caregivers to go remote.”

Adam Zoller, Providence

Another big change as the public health emergency gained steam was “quickly ushering through the telehealth policies and the remote work policies that were already in motion – those got greatly accelerated because of the pandemic,” he explained.

“In the first probably two months into the pandemic, we published an updated telehealth policy and an updated remote work policy for our caregivers. So policies and standards were being updated, and the technology stack was being updated to enable our caregivers to go remote.”

Zoller credits the forward-thinking ambitions toward virtual care pre-pandemic for its ability to respond to the crisis with secure telehealth expansion.

“If we weren’t proactively looking for those next modern capabilities – if we weren’t already evaluating and deploying them, if we didn’t already have contracts, BAAs that have been signed and all this other stuff, it would have been months before we could adopt. That would be in the middle of a pandemic, and that would have been really rough.”

That’s why, “from a security standpoint, and really from an ecosystem standpoint, it really behooves teams to stay ahead of capability developments and just stay current on what’s happening in the industry,” said Zoller.

“Not everyone’s going to be able to go app-to-cloud at the speed that Providence can,” he admitted. But “there’s been better technologies available for a number of years.” And too often, he said, inertia and complacency are “getting organizations compromised by ransomware.”

So that’s Zoller’s No. 1 piece of advice: “Don’t be complacent. Try to stay current on developments in the technology side of the house to just understand what capabilities exist for the strategy that you’re trying to fulfill.”

Oh, and by the way: “Have a strategy!” he said.

“A lot of companies don’t have a documented cybersecurity strategy beyond just a technical approach to how they’re solving point-in-time problems – and not just in the healthcare industry. I saw this in the financial sector. I saw this in the industrial sector. I saw this in the defense industrial base.

“That technical approach, oftentimes, is, ‘The board’s asking me about ransomware. I’m just going to implement a technology that says it combats ransomware and call it a day.’ It really behooves technology and security leaders to not only communicate with the board and understand the board’s concerns – but to also understand the business’ direction, and understand what risks exist in that strategy. And to build security capabilities that align with the business strategy to reduce risk.”

It’s key to “always look at it as a risk-reduction function,” he said, “not as a technical problem that I’m going to solve with technology. Take a step back and again separate the technical problems you’re trying to solve and the technology, from the actual strategic problem you’re trying to solve, which is to reduce risk.”

Too often, simple basics are overlooked, he said. “That’s what’s getting people compromised: not having secure remote access solutions, not doing regular patching. Those are the things that are leading to these big ransomware outbreaks. It’s nothing fancy. It’s not securing in your domain administrator account. It’s not securing remote access.

“If you can do that,” said Zoller, “you’ll be successful in a pandemic, an earthquake, it doesn’t matter, because you’ll be prepared for all those things.”

Zoller will explain more during his HIMSS21 presentation, Is Your Cybersecurity Strategy Pandemic-Ready? It’s scheduled for Tuesday, August 10, from 2:30-3:30 p.m. in Venetian, Marcello 4501.

Twitter: @MikeMiliardHITN
Email the writer: [email protected]

Healthcare IT News is a HIMSS publication.

Source: Read Full Article