Leveraging Resources When Chock Full of Challenges.

Elizabeth Wharton interviews guest Mitch Parker, Exec. Dir./CISO at Indiana University Health.

Healthcare security is on all of our minds these days. The security and medical communities are working together toward the same goal: protecting people. You may be wondering what that looks like in today’s world. In the midst of a global pandemic, the ever-changing security space is facing new challenges that none of us were ready for. Elizabeth Wharton, our very own Chief of Staff, sat down with Mitch Parker, Exec. Dir./CISO at Indiana University Health, to discuss new ways to respond to major attacks, the victories he has experienced in the healthcare security space, and the pandemic-level lessons learned.


Question:

What is the proper response to a major attack?  

Answer:

It is best to execute a root cause analysis of the attack, even if it was not directed at your own systems. Understanding and looking into attacks on similar companies allows us to understand why and how the attack took place. Most attacks are not as sophisticated as one might think. With that being said, understanding the most basic attacks is equally important. Preparation is key, even at the smallest level.

_____________________________________________________________________

Question:

How do you adjust your response time to match the attacks during a Global Pandemic?  What did you get right? 

Answer:

Growing the staff of our analyst team before the pandemic was the first right move that we made.  This allowed us to handle the full volume of the attacks and helped us to produce 125% allocation while only utilizing 85% of our workforce.


_____________________________________________________________________

Question:  

What were the biggest lessons learned?

Answer:

We should have adapted our third-party risk model to address the changes being brought in for COVID.  We had to bring in new medical devices and create a new model quickly.  We understood the possibility that we may not be able to secure everything to one hundred percent within the time frame, but we did everything we could to reach a level of reasonable security.


____________________________________________________________________________

Question:

How do you mitigate the risks?


Answer:

It is first important to understand that the use case is intended to be used on that specific case alone. If it has a network port on it, someone will be asking for an IP address within six weeks of it coming in. It is equally important to anticipate the questions that will arise, and not assume that it will just work all the time. I don’t think that healthcare as a whole has done a great deal of operational planning or project management. In healthcare, people see the larger health systems putting their product into motion and then try to use that product within their own organization. This fails because they underestimate the manpower, training, and equipment it takes to make it happen behind the scenes. If your reason for implementing something is “because so and so did it,” you are setting yourself up for failure.


____________________________________________________________________________

Question:

How do you level-set in a gentle way without offending the customer, in order to salvage the relationship?


Answer:

Honesty and communication go hand in hand as the keys to a successful relationship. I had a difficult situation arise involving credit card processing devices. The individual I was dealing with at the time made the comment that “so and so in Minnesota” runs this software in their gift shop. I communicated truthfully with the CISO, explaining what we are capable of achieving with our company’s level of manpower. That direct and honest communication allowed for this situation to be handled successfully, and with little conflict.


______________________________________________________________________

Question:

Is it productive for an organization to discourage networking with outsiders?


Answer:

It is not productive because there is so much to be learned from interacting with your peers in the security space.  Having distrust in outsiders limits the learning process.  When we find out what is really going on outside of our own bubble, we can improve the way we deal with our own networks.  


______________________________________________________________________

Question:

If there are third-party vendors with difficulties, and companies are willing to communicate early on, could that help to mitigate the issue?


Answer:

Yes.  If companies were willing to communicate early on, they would each be better equipped to handle the third-party vendors.  


______________________________________________________________________

Question:

Should you as a healthcare security leader answer the call of other competitors when they reach out to you in need?


Answer:

It is not productive to see other healthcare security teams as competition, but rather as allies and friends working together in the business of keeping people safe and healthy. It is always beneficial to both parties to work together, and I make it my business to answer the phone every time I am called upon.

______________________________________________________________________

Question:

What is Benchmarking in Healthcare?


Answer:

Benchmarking is a way of improving the quality of care and efficiency in the healthcare system. Many senior executives will not talk with you unless you have done benchmarking against similarly sized institutions. We have leveraged a great deal of resources against at least three similarly sized companies. I personally research other systems that are of similar size, and larger than ours, so that I can make the most educated choices based on what I’ve learned.

______________________________________________________________________


We hope you enjoyed this Q&A! If you’d like to follow along while you listen to this episode, feel free to check it out on YouTube, our website, or wherever you enjoy listening to your favorite podcast!