alphaspirit - Fotolia
Marcus Ranum: Let's start with the beginning! How did you get into security?
Anahi Santiago: I had the benefit of working in project management for a systems and technology company, and I led a lot of large international infrastructure projects. That gave me access to all kinds of technology: systems, databases, web technology, programming, servers, you name it. Every single one of them had a security component. I started to gravitate toward the security part of it and got to pick security as the thing that I wanted to do.
It's rare for someone to gravitate toward security, which is why I think the security aspects of many projects get neglected. Does that match your experience?
Santiago: I think the company I was working for was pretty good about that. This was over a decade ago, but they took security seriously and baked it into all the projects that they did. They had a very in-depth security approach and a good team that taught me the trade.
So you got exposed to security being done right. A lot of people came at it the other way -- finding flaws and fixing screw-ups. They're 90% of the way into a project, and someone says, 'Oh we forgot about that stuff.'
Santiago: Every project plan I did had a security component; [each] architecture had security in it. There were standards, policies and procedures established from the beginning, so it was really easy for me to consume all of this information and understand it to the level that I was able to adopt it. And I took that approach when I went to healthcare as a field.
I know there's a tremendous amount of focus on healthcare information security right now. Back in the '80s when I worked at a large hospital in Baltimore, information security in healthcare really wasn't on anyone's radar at all. Is that changing?
Santiago: It is! I started in healthcare information security and got my first information security officer job -- with a different healthcare network -- in 2005. At that time, I was the only security person. I was hired in January, the security role came into effect in April, and HIPAA is the reason that I was hired.
I was able to build a program with a lot of support from the organization, which was great. I worked there for 10 1/2 years and was able to see the industry progress and adopt security as a whole. For probably a year before I left, I would get a call from recruiters at least once a week: Big, reputable healthcare organizations were looking for their first CISO. That was very eye-opening.
It's still happening, but less so. There are still a lot of organizations that are building programs and lack a senior leader in security.
Would you say that HIPAA has been largely beneficial? I think that it was controversial at first.
Santiago: The HIPAA security rule of 2005 was mildly effective in my opinion. HITECH was passed in 2009, and the subsequent omnibus rules and breach notification rules -- where HIPAA was given more teeth -- that was when organizations started to pay attention. When the Office for Civil Rights started to levy significant fines, that's when people started to really get serious about security.
A few years ago, I would have said that healthcare information security was the worst for a long time, but now government has probably surpassed medical as the worst.
Santiago: Education is still pretty behind. One would have thought [government] was on the leading edge with FISMA [the Federal Information Security Management Act], but we're now learning that they're not as good as they seemed.
Many security people are both intuitive and organized -- or someone organizes for them -- and that often produces unorthodox characters. What strengths or weaknesses have supported your career?
Santiago: I have a degree in electrical [and] computer engineering. That's where all the analytical and methodical skills come from: all those ones and zeros. My concentration in college was robotics, and I really wanted to design robots -- I thought that the math was fascinating. But then I discovered that I'm a people person, and the idea of sitting behind a keyboard, in a trance, wasn't for me. So I moved away from engineering and into IT so I'd have the people aspects but still be able to tap into the fascination with technology that I have. The combination of people skills and technical skills has enabled me to transition into what [a CISO is] now -- a forward-thinking, business-enabling technologist.
I used to read this magazine, Circuit Cellar, written by a guy named Steve Ciarcia [an embedded controls systems engineer]. He had a tagline that read, 'My favorite programming language is solder.' I was talking with someone about that at a conference, and Dan Geer wandered by, overheard me, ducked in, and said, 'My favorite programming language is people.' I think that's a pretty good summary of the CISO's job.
Were you interested in robotics as a child?
Santiago: I wanted to go into aerospace engineering. I decided that was what I wanted to do when I was 13 years old. Both of my parents are scientists -- Ph.D.'s who taught for all of their lives. I just grew up loving math and the sciences. … But right as I started college, the aerospace industry fell apart. My parents told me, 'Go to school for electrical engineering. There is a lot of electrical engineering in aerospace and you can get a job in other disciplines. If you just focus on aerospace, you may have trouble getting into other disciplines.'
Anahi SantiagoCISO, Christiana Care Health System
Once I started my degree in electrical engineering, I also got interested in computers, so I got a dual degree. I loved signals and controls, imaginary and complex numbers, things that are intangible but become useful when you apply them. Combine them all and you get robotics. I do remember having a lot of respect for one of my professors who taught robotics, and I'm sure that was an influence as well.
Project management is what got you interested in security, but how did you wind up interested in project management? There's a very specific set of skills that are necessary for that. How did you develop them?
Santiago: Organically. I was hired into a contractor/consulting company's engineering and testing lab, and my initial role was to take off-the-shelf applications and make them fit the company's security model. I was a project team member and became better versed in the technology and have always had pretty good leadership skills, so I started taking action on projects that weren't progressing -- and naturally moved into project management.
What can a modern CISO do to make the state of medical informatics better? We've got devices that have to be certified, so they can't be upgraded easily, but they have to be in patient-accessible areas. There are some basic conflicts there, and computing is just going to keep getting more important.
Santiago: There are two parts to that question: 1) What can a CISO do internally within their own organization? 2) And What can a CISO do to effect change in the industry? Our role is to do both!
Internally, it really starts with education. People are the most important asset in any information security program -- it starts with educating people about the risks and helping them [to] understand how that ties to patient safety. At the end of the day, they live and breathe patient care, and they will do anything to have good outcomes and make patients' lives better. If you can connect information security to patient safety, you can now connect to your clinicians in language they understand.
When I talk to them about clinical devices that are on old, unsupported operating systems that are measuring some critical data about a patient, [I] have to bring integrity into the picture: Do you really have the right information?
I talk to them about ransomware and how 'if we don't apply good data hygiene and we are infected, you could potentially not have access to your clinical information when you need it. It puts patient lives potentially at risk.' And they understand that. Then they start to listen to why security is integral to the continuum of care.
On the second piece, as healthcare leaders, we need to collaborate and share information as well as be active with the regulators. We need to build bridges and communities: Healthcare is under attack. We are the single most attacked industry in the U.S. right now -- there are a vast number of reasons for that -- so we have to build economies of scale by talking to each other about our needs. Hackers are very collaborative, and as leaders in healthcare information security, we need to start doing the same. We have a great healthcare information security community here in the Philadelphia area. We need that at a national level.
About the author:
Marcus J. Ranum, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.
A three-layered approach to healthcare data protection
Avoid some common mistakes of healthcare breach response
Guide to securing healthcare IoT operations