Published: 03 Apr 2018
Premise Health manages more than 500 employer-sponsored health and wellness centers, including many at Fortune 1000 companies. As the concept of on-site clinics, pharmacies, wellness seminars and employee health flourishes, the healthcare provider based in Brentwood, Tenn., has grown to 4,500 employees. In the CISO position at Premise Health since 2010, Joey Johnson has witnessed a sea change in security, especially in the last five years. "Cybersecurity has now become more front and center," he says. The security veteran has weathered the business transformation: He was named 2017 CISO of the Year by the Nashville Technology Council.
Johnson held the CISO position for CHS Health Services, which merged with Take Care Employer Solutions to form Premise Health. Before becoming a healthcare CISO, he served as the CSO for the United States Department of Commerce, Office of Computer Services. An outspoken security evangelist, Johnson is on the technical advisory board of Landmark Ventures and the editorial board of the Journal of Law and Cyber Warfare. In this Q&A, the healthcare CISO speaks about the growing challenges of information security and privacy in the healthcare industry.
What is your infrastructure like, and how does it reflect your company's approach to healthcare delivery?
Joey Johnson: As a healthcare company, we are a little unique because we provide on-site wellness to large, self-insured companies, typically global financial and technology institutions. Most are Fortune 100 or Fortune 500. For those organizations, we are the gateway to broader use of the healthcare ecosystem. We handle eligibility files, birthdates and Social Security numbers on an entire workforce. So, obviously, between those kinds of demographics and actual patient data, that is a lot of sensitive information that our clients care about, and that has resulted in intense scrutiny on us. We are constantly being audited. We have a security operations team and [an] in-house ISAC [Information Sharing and Analysis Center] that run all kinds of things. They are always looking for problematic things and making sure we have contextual awareness.
We have a dedicated penetration testing team. They pick at applications and try to make sure we are proactive. There is a governance, risk and compliance team for policies and procedures, risk mitigation and conducting incident response. Like most organizations, we also have identity access management functions that sprawl across all parts of the environment. And we have a large third-party risk management function. They are the liaison to the rest of the business. They engage with legal, privacy, compliance, HR, finance and all the business units. All of these roll up to me. In the CISO position, I have a broader, more strategic role as I engage with the rest of the C-suite.
You can't protect everything. As a former national security adviser said, 'If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds,' [attributed to McGeorge Bundy, national security adviser to President Johnson and special assistant to President Kennedy]. You must understand what normal activities are and what your crown jewels are -- and that takes a lot of time, effort and tuning.
-- Joey Johnson, CISO, Premise Health
What is the biggest cybersecurity challenge for a healthcare CISO?
Johnson: I think the biggest challenges I face aren't necessarily unique to healthcare. One is the skills shortage. Another I face is the strategic decisions you make on which technology to bring in and support. Obviously, 'there's gold in them hills' as far as security products. But there's a lot of noise, too, and we have to investigate. I will often see other organizations with overlapping solutions -- products that were brought in and didn't get optimized and then new tools were brought in that overlap. So they are just throwing money at a problem. The biggest challenge at most organizations is that it is still security functionality 101. You need to let the data in your organization tell you what is going on and then build an appropriate security model around that. It is like going to the gym. It is not easy. It takes patience and determination. Then, if you do it right, product selection becomes clearer.
If you are hearing you need threat intelligence feeds, maybe you do. But if you don't have a good grasp on log file correlation and you have SIEM and it is working well, maybe you aren't at that place where you can really understand your own traffic. In that case, all that threat intelligence feeds will tell you is there is a tornado coming. But if you don't know the problems you have today, you are not going to be able to digest that extra information. Many organizations are struggling with this [issue]. Orchestration solutions are coming. That's great if you are ready to use them but not if you haven't optimized the solutions you have.
Furthermore, once you begin something, you have to have the resources to stand it up and manage it. Do your hygiene and patching, and that will take you a long way. It isn't a sexy answer, but those are the critical things an organization needs to focus on. While the threat landscape changes, your assets don't change that often.
Are you able to sufficiently encourage safe cyber practices across a geographically and professionally diverse workforce?
Johnson: How do you convince a doctor that protecting data is as important as preventing an infection or making a correct diagnosis? Absolutely, it is a battle. It is a battle in any organization. Doctors, who took the Hippocratic Oath, want to protect patient safety and well-being, but part of that is protecting their privacy. I think they understand that. The frustration comes in understanding how the security controls are aligned to their world. Our workforce knows the companies we serve are concerned about this. But with that said, things like phishing are still a threat. With 600 sites, the best you can do is to try to get close to the workforce and have a consistent message that resonates.
As a healthcare CISO, are you using or preparing for things like 'telemedicine,' where doctors consult remotely?
Johnson: Telemedicine is one direction. I think pretty consistently we are always preparing a plan for where we are going. Technology is a big part of our organization. It is sort of expected when you are delivering healthcare services to software companies, computer hardware companies and manufacturing companies in general. The bar is very high on what they will accept from a technology perspective. They are pushing the envelope. They want it to be innovative and high functioning. Part of the challenge from a business perspective is that we are balancing where our clients want us to go versus where we think we want to go. On the back end, we need to make sure as we go and explore new frontiers that we are also taking security into consideration. We are often going down paths where best practices haven't been established yet.
As your company expands, does the CISO position have input into how? In other words, is the voice of cybersecurity also heard?
Johnson: I think, particularly as a healthcare CISO, I am of the perspective, and I know my organization is, that security is not what it was even five years ago. I have been doing this for 20 years, and cybersecurity has now become more front and center. However, to be effective, you need to understand the business on the terms of the business. Ironically, while you are serving as security lead, you must take off your blinders and understand business -- where the puck is headed -- and be able to implement the things that feel like a win for the business.
If you are fighting to make everything as secure as possible, you can lose your audience. On the flip side, business needs to understand how to interact with the security function. With the solutions out there -- whether that is Dropbox or collaborative platforms -- if you don't make it easy for the workforce, they will find a way around it. It isn't like 20 years ago when you were the only source of access to computer power. Data moves. If you don't make it easy to do it securely, they will find a way around, and you will end up swimming upstream.