Afternoon Cyber Tea with Ann Johnson 3.7.23
Ep 70 | 3.7.23

Cyber Resilience in Healthcare


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson. And on today's episode of "Afternoon Cyber Tea," I'm going to have a really important conversation about cybersecurity in the health care industry with chief security officer of HCA Healthcare Jason Barnett. Jason has spent more than 20 years in the technology field with a primary focus on security operations, threat detection and response. As the chief security officer of HCA Healthcare, Jason leads a team and programs for cybersecurity, privacy, identity engagement, business risk solutions and physical security. The team protects the company's 186 hospitals and more than 1,200 outpatient and physician clinics. There are 260,000 employees and 31 million patient encounters every year. Prior to joining HCA, Jason built a successful security consultancy focused on the remediation of health care regulatory compliance findings and driving the establishment of cyber resilience across several industries, including health care, financial, logistics, distribution and advertising. Jason has a bachelor's degree in international business from Murray State University and has studied at Baylor, Vanderbilt and Carnegie Mellon universities. Welcome to "Afternoon Cyber Tea," Jason. I'm thrilled to have you on the program today.

Jason Barnett: Likewise, Ann. I'm very happy to be here. Thank you for having me today. 

Ann Johnson: So, Jason, I think our conversation is absolutely one that everyone in cybersecurity needs to hear - but especially those that are in health care industry. But before we start talking about the operational resilience or cyber awareness or all of that other fun stuff, I would love to hear briefly about your journey to becoming the chief security officer at HCA. Tell me, how did you get started in information technology and cyber, and why have you stayed in the field for so long? 

Jason Barnett: It's a fun story, but I'd like to start by saying any older generation technologists - it was all by accident. I got my start back in the late '90s. Graduated college, wasn't exactly sure what it was I wanted to do. And at that time, the WYSIWYG web development application started to come out. And I took an interest in starting to write code. So I learned what I could. Right after I graduated from school, I had built myself a resume that I was a top notch developer - not knowing at the time what it was I didn't know. Moved to Nashville, Tenn., and here I've stayed ever since. But over time, my interest changed a little bit. And coincidentally, I came, actually, to the health care industry by accident when I was asked to teach a class about migrating from Windows NT to an Active Directory environment. I ended up teaching a class in that space after I had been certified. And lo and behold, HCA hired me to spearhead that logical conversion from the old Windows NT environment to an Active Directory-enabled organization. And so that's how my foray into technology began, albeit I thought I was going to be in sales or business law or something like that. But once I had an opportunity to get my hands on a little bit of technology, understand the power of development, understand a little bit about what the internet could bring to an organization, I was hooked. And then it was just a matter of finding my way. 

Jason Barnett: And as I started to drive a conversion from a legacy environment to, at the time, a new front edge for the industry around consolidating identity, the issues associated with effective identity management and access management started to emerge for me. So it was more than just transitioning from an NT environment to an Active Directory environment. It was the cultural shift and the administration and operational shifts that were going along with that conversion that landed all the questions on my plate because I was seen as the guy that was driving this, and I was the expert in it. And much of my time started - that was security-specific - was around building access control models for the organization. We're in a very large distributed environment. And when you've got that much distribution, how do you build a delegated model of access controls inside of your logical infrastructure, as well as the applications that are authenticated off of it? So that was my first touch point into security, much like a network engineer, then, turned into a network security person or an operating system expert turned into a security person. In my case, it was that logical environment and building this conversion and working to secure an environment as a result of the change that was taking place from that NT to Active Directory migration. 

Jason Barnett: I think the thing that has kept me in this space - the security space for so long is that it does move at a fast pace. I like that. It moves at the pace of the adversary, and we're oftentimes working to catch up and stay abreast of that. But I'll tell you, at least from a health care standpoint, there's a passion for what you're doing inside of health care. The security part of it will always stick, but when you're doing it for an organization that is mission-motivated around care and taking care of people, it really lends an additional facet to what motivates me to get up every morning. And while I think that can be found in a lot of different industries because everybody's interests are different, I think being a security professional in a health care organization has a little additional oomph for me - a little additional meaning for me because it's a service that everybody needs and you understand how decisions you make actually affect the companies, the workforce members, as well as the patients you're trying to take care of. 

Ann Johnson: Yeah. You know, it's so interesting to hear you talk. People often ask me - and it was a lifetime ago - how I got into tech. And it was - you know, I ended up with my first job in tech because I knew how to write macros in Lotus 1-2-3, and I knew how to use WordPerfect coming out of college, right? And there weren't a lot of us in those days, but now you would laugh at hearing that those were literally the qualifications. And then to think about cyber - you know, I tell people the reason I've stayed in cyber for 23 years is because it's mission-driven work, and I feel like I'm doing something that really adds value. When you add the health care lens on top of that, it's such a purpose-driven work for you, and I commend you for everything that you're doing and have done to keep the health care industry secure. 

Jason Barnett: Thank you. Thank you very much. 

Ann Johnson: So we know cyber incidents in health care have been in the headlines more frequently over the last couple of years. And we've heard more than a few organizations have had to - been subject to ransomware, and others have had to cancel exams or surgeries or services because of cyberattacks. So starting at the industry level, Jason, I would love to get your point of view on some of the challenges leaders in health care are facing when it comes to cyber. What's unique about the challenges? Have they mostly stayed the same over the past few years, or are they evolving? 

Jason Barnett: They're absolutely evolving, and the impact is increasing as well. I mentioned earlier, you know, as the average - as our adversaries mature and evolve, their reach has gotten broader, and as a result, more areas of the business are impacted. So no longer are the days that somebody clicks on something and it affects the local PC that a user is operating on. Today if somebody clicks on the wrong thing, you can have an operational incident across an entire enterprise infecting all of your applications, affecting all lines of business, and you find yourself in a position of having to reassemble that. So I think that's consistent from industry to industry in terms of what the impacts are. Oftentimes, health care is reputed as being behind the technology curve or the immature industries on the technology curve. To whatever degree that's a correct statement, regardless of what side of that argument you fall on, health care is becoming more dependent on technology both in terms of how care is delivered - technology is used in how decisions are made. Technology is used more heavily in processing payments and claims. It's touching every aspect of the health care business. 

Jason Barnett: So as I mentioned, as the adversary has evolved, their impact has expanded. It's forced us to expand as a security team but, at the same time, understand each component of our business so that we can have a good conversation with business owners to say this is how you could potentially be impacted, and these are the things that we need you to understand if that does happen or to equip us more effectively so we can work to contain whatever it is that's happening to us. So definitely, Ann, they've evolved, and it's much more challenging each - with each year that passes. 

Ann Johnson: Well, and human life is at stake, right? I mean, throughout your entire industry, this isn't - you aren't getting up in the morning and thinking about a manufacturing organization that maybe could afford just a little bit of downtime. It's going to impact them financially. But, you know, human life is literally at stake if you have a cyberattack and you can't do a particular surgery, as one example. 

Jason Barnett: Absolutely. You're correct, and that's what we keep in the back of our mind. It's a motivator, as well as helps us maintain a healthy sense of urgency as we do our work on a day-to-day basis. 

Ann Johnson: So if you don't mind, I'd love to paint a picture of HCA for our audience. HCA is a leading health network, and as I mentioned, you have 180 hospitals. You have 1,200-plus care sites in 20 states in the U.S., as well as in the U.K. And you have more than 260,000 employees or associates who are all focused on your commitment to delivering health and also to improving human life. This size, this scale, the complexity, is simply astounding. There aren't a lot of organizations that are at this scale. So how do you start, and how do you lead a security program, and how do you focus at such scale? 

Jason Barnett: It's a big question. No - I believe that no security program can be successful if it's enclosed unto itself. No security group by itself can effectively secure an organization. Rather, what they accomplish is because of the partnerships that they've effectively built across the company. Our organization has several hundred people in it, but even on their best days, they can't accomplish what they're able to accomplish without the partnerships that they've built across the company. My security program - our security organization here is not a part of the IT organization, but we have an amazing working partnership with that organization. And I can give you an easy example of how that partnership has paid off. In the early years, most of our threat and vulnerability management work was all due to poor hygiene of systems - systems maintenance, systems management, poor change management. As we've worked with our IT organization, as they have had goals to grow and improve uptimes and manage availability, we've also been able to influence how they patch, how they maintain systems, how they operate systems, how they follow change control, how they tend to asset management and how all of those things that, at one point, were a lower priority improve the overall security posture of the company. 

Jason Barnett: And with that ongoing relationship, we're able to work in concert to address hygiene issues, for example. And in - with them doing so, we can start to refocus our energy, redirect our focus on more effective detection and response capabilities. We can focus more on how do we ingest more telemetry and use that for our program. How do we collect more intelligence and understand what's going on outside the walls of our organization to prepare us for what we might need to do inside the organization? So many security organizations are tied to IT, but they also have responsibilities of monitoring or communicating operational hygiene numbers, vulnerability management numbers, patch urgency. 

Jason Barnett: In my example, through that relationship, we've been able to ease the burden of all of those things on our security team so we can focus elsewhere. At the same time, we've got several other programs with - underneath our security umbrella. And physical security - it's just the same way. We need to build partnerships with our branch locations, with all of our facility leadership to understand what they need, to learn how they use the resources that we provide, create feedback loops where we can hear what it is they need and get to a place where we're providing effective physical security resources as well. And the same applies to risk management. The same applies to our privacy functions across the board. 

Jason Barnett: So I think in order to operate at scale, you have to build those partnerships all across the business and not necessarily rely on yourself or just your team to overcome those barriers. If you're relying solely on your own team, you'll never be able to mature and evolve at the pace the things that you're trying to defend against are maturing and evolving. 

Ann Johnson: I think that makes sense. And I think that, you know, Bret Arsenault, our CISO, talks a lot about creating the culture of security so that everyone feels that security. It's - and we'll talk about that a little bit, about how security is a team sport. I don't think I realized - you have physical security in your remit also. 

Jason Barnett: Yes, our program is outside of IT, and within my scope of responsibility is information security, physical security, privacy. We've got risk management and communications team, information lifecycle management. So that's more around physical records management. We've got an identity - a leader around identity engagement that's primarily business-focused as well. So it's a multifaceted group. 

Jason Barnett: But my predecessor had a real vision around consolidating all security functions underneath a single leader. And he and I both agreed that, you know, the physical world, for example, is starting to touch in the cyber world. The technologies that are used in the physical world are starting to generate more and more telemetry that our intel and cyber teams can recycle, some of the same practices that they use to service a physical security team. So we're starting to align those two teams and create a bit of a Venn diagram and highlight where our overlapping services can benefit one another and starting to get some good traction there. So we've been operating in this model, evolving in this model, since about 2014, I believe. Information security came out from underneath the CIO and then other functions had been added to it over the course of the years. 

Ann Johnson: Oh, interesting. It brings us to a topic that we're going to talk about next anyway, which is resilience - right? - both operational resilience and cyber resilience. And the physical and cyber worlds absolutely converge when you think about resilience. And it's only been in recent years that the cyber industry has thought about cyber resilience. It was when we had some of the bigger attacks, like NotPetya and WannaCry, and operations for organizations were shut down for weeks. So when you think about resilience, this really broad topic, can you tell me a little bit about how you would advise a colleague or a chief security officer colleague struggling to get their arms around resiliency in general? 

Jason Barnett: Sure. In general, I'll unpack it two different ways. I think from a cyber resilience standpoint, it's our own organizations to be - it's our own organization being equipped and capable of identifying that something's going on to minimize that dwell time, that something's going on and effectively respond and then recover from that incident. And the recovery is where the ripples in the water start to stretch out. So if we can't identify a problem, respond to it and contain it quickly, the broader the impact is and the more important resilience becomes. 

Jason Barnett: So an easy one is the IT operational impact. There are a lot of things that can impact an IT operation - failed hardware, you know, a weather event near an important data center location or near your office or a place of business that creates an operational impact. Oftentimes from a resilient standpoint, this is where a lot of minds go. But when you think about, say, a ransomware event, compromising a large IT footprint, resilience has another - well, several other facets to it at that point. Business owners need to know how they're going to be impacted by a financial system not being available, a clinical system of some type not being available, any other back office solution not being available. And it's going to be up to IT to understand the priority that these things need to recover. 

Jason Barnett: But at the same time, are they equipped to recover? What does client endpoint computing look like in a recovery setting at scale? And only once I can recover my endpoints can I try to attach to my backups or my server infrastructure and start that recovery process. If I'm recovering applications and if it's a multi-tier application, in what order do I start to recover those? What about my network? Is my network still impacted? 

Jason Barnett: What about the business resiliency side of this? If you got an access control system that opens and closes your door that's attached to a computer that's been hit with ransomware, are you going to be able to open and close the door? Will your elevators work? You know, simple things that a lot of people don't think about as having a major dependency on technology is oftentimes overlooked. So we're actually in the middle of our own resilience exercise now, and we're completely refactoring the whole notion of disaster recovery or resiliency management, looking at it through the lens of systems aren't available. How do we start bringing those up in a particular order? And are we equipped to do that at the speed and the scale that we need to in order to resume minimally viable business function? 

Jason Barnett: One thing that we've learned through studying a lot of the ransomware attacks in this particular industry and the health care industry is recoverability at the endpoint is a first step. And it's oftentimes overlooked because, unfortunately, a client endpoint has been commoditized. But as a result, how do you recover that at scale? Do you have the technologies to do it? Do you have the processes to do it? If you're in a distributed model like we are, do the people on the ground know how to recover? So I think it's multifaceted. And instead of just considering disaster recovery, a matter of recovering data and recovering applications, we're now actually looking at it from a scenario-based perspective, not only to recover technology but the business that was impacted by extension. If... 

Ann Johnson: Yeah. 

Jason Barnett: ...We have - a hospital goes down, how do we start to recover revenue after - you know, after things start to recover? How do we get patient charts back up to date if we've had a reliance on paper for a while? So these are very common challenges across the industry that everybody is solving for. And we've been wise enough to study the challenges that our colleagues and other systems have had and are trying to put together our own program to be able to recover that technology, to recover the business, and once the business is operational, how do they recover from that operational impact as well? 

Ann Johnson: I think there's a lot to be said about the CISO role and chief security officer role having a really big seat at the table when it comes to any type of disaster preparedness or disaster recovery because at the end of the day - even if it's a physical event, there's still cyber and tech elements to a physical event that happens. And if it's a cyber event, it certainly needs to be recovered. And I don't think people realize how online the world is today. Just from the simplest example of - I was talking to a friend who has one of those robotic vacuums, and they couldn't vacuum for a day because, you know, something went down - right? - in the system. And just the simplest example of that, to then you have medical equipment that's highly sophisticated, robotic and being run by computers. And if those computers go down, that equipment doesn't run. And I think that education and awareness and then building those cyber-resilience plans and those operational resilience plans can't be separated. I love the way you talked about it. 

Ann Johnson: I'm going to flip a little bit and talk about culture. So cybersecurity is a team sport. I don't think anyone disagrees with that. And we need engagement for you, right? You need engagement all the way from the board and executive leadership level but also to the 280,000 associates that you have and scaling that information out to folks whose primary job is delivering patient care, right? They don't really care how the tech works. They just need it to work. And in a lot of cases, they need it to work instantly because they may be in a lifesaving condition in the emergency room for example. So can you talk a little bit about how you drive a culture of security all the way through how you communicate with the board till how you drive a culture of security to the person that checks in a patient in the emergency room? How do you think about it? 

Jason Barnett: Well, you started to touch on it. It's a big component of culture, and it takes everybody in the organization to be involved. Here, everybody in the company is a health care hero, and in order to be that health care hero, security is a component of that. Security issues are a business problem, and for any business leader that's reading any paper, online or physical, anymore is seeing the headlines that it is an issue for business. And company leaders are starting to realize it. And while for years we had been effective within IT and our down-level IT partners to address systems hygiene and systems management to try to get controls implemented, we've started to get more and more questions coming out of the business on, what do they need to be aware of, and how do they need to protect themselves or defend against something bad that's happening? 

Jason Barnett: And over the last five years, we've been very successful at creating opportunities for security to be presented to our business leaders. And we're at a place now where we have a regular meeting cadence with our executives - CEO, our audit-compliance committee, our board - and they all hear the messages. They all get the data that we compile on a biweekly basis and communicate that up the organization. If they have questions, we create opportunities to get those answered, but we make them aware. So our awareness campaign just doesn't go down into the workforce. It goes up into our executive leadership inboxes as well. So everyone gets to read about the challenges that we're facing. They all get to read about the campaigns that we're on to try to improve security in a particular portion of our business. 

Jason Barnett: And as time has passed, we've been able to explain more about how cyber issues can impact a business and, by extension, what areas of the business can we bolster security and gotten a lot of support that way. So we're fortunate here at our organization that security starts with a frontline worker and the caregivers, all the way up to our executives and our boardroom members, as well, that we present to on a regular basis. 

Ann Johnson: Yeah. And I - you know, and Bret talks all day long about that culture of security and also how he talks to the board but also just making sure that every single employee in the company - I love the health care hero, by the way. I just love that framing and people really being passionate about that. I do believe if you work in health care or education or - there's a few other fields - where you maybe don't have the highest compensation out there, you're doing it because you genuinely care. So thank you. Thank you for making a difference in the world. 

Jason Barnett: You're certainly welcome. It's a pleasure to be working in this space for sure. 

Ann Johnson: So, Jason, I'm going to put you on the spot. 

Jason Barnett: OK. 

Ann Johnson: For your fellow health care CISOs and even for CISOs who aren't in health care, what advice do you have for them for managing through the changes and the challenges the industry's facing - this pace of attacks, the lack of staffing, et cetera? For someone maybe who's newly minted in the role, what frameworks or priorities do you think should be top of mind? 

Jason Barnett: Where I would start with that question for a newly minted CISO - if they're a newly minted CISO, probably - I would hope that anything that I've got to say here probably isn't foreign to them. But I started off our conversation talking about the importance of relationships across your organization. You need to understand the business that you're working in. And I know a lot of CISOs move from industry to industry, and it happens quite frequently, and their tenure where they're at isn't particularly long. I challenge that model to say, how effective can you be if you don't understand that business? It takes more than just two or three years to understand a business to the extent necessary to be able to effectively secure it. So I'd challenge anybody coming into this space, regardless of the role that you play in our program - if you're in risk management, if you're in communications, if you're an intelligence person, if you're a data scientist in our space, if you're a SOC analyst - understand your business so that you understand how what it is you're looking at is going to affect somebody or something downstream. 

Jason Barnett: As a leader, you need to invest in your people. Your people are what makes it happen. But at the same time, all of those partnerships that I just mentioned earlier, they don't have the capacity to deliver on your agenda as fast as you need to. So lobby and support your own needs along - the needs that you have for them to accomplish along with them. So our IT partners, for example, if we are - if we need a particular type of technology to be deployed, if we need certain kinds of information collected on a regular basis, if our security program is driving an increase in operational overhead, I'll work with those leaders to try to get the headcount they need. It's a part of investing not only in your teams and your people but the people that you depend on in order to deliver on your mission. That's a big one. 

Jason Barnett: You mentioned frameworks. You know, I think that's going to vary potentially from industry to industry, the degree to which you've got to comply with legal and regulatory constraints. You know, we use the CSF here. We look at the MITRE ATT&CK framework here. I'm less focused on the exact frameworks or the doctrine that an organization follows to say that they're meeting the objectives that they want. But it's more about whatever it is you choose, understand it. Work with all the stakeholders to come to a common interpretation of what that framework is saying you need to do in order to be compliant with it. And then the steps that you need to take in order to be compliant with it need to be parted out into something that's stepwise and achievable. You can't boil the ocean here. It's OK to set that expectation with your leadership if you decide to embark on setting a baseline with a particular framework. We can't do it all at once. It's going to take a series of projects over a series of time, and this is how we want to chunk it up. And if we can get your support and all of our other stakeholders' support in making this happen, we believe we can get it done in XYZ amount of time. So an organization can't be secured overnight. 

Jason Barnett: So to summarize that, it's build relationships. It's understand your business. It's invest in your people and those people around you that you depend on to deliver your mission, and make sure that everybody's in agreement on what a framework or a tool or a guideline is trying to explain to you. Be able to rationalize that, implement those changes, reconcile it back to that interpretation that you had as a team. So if you are audited or if a regulator comes in or if you - you know, if you have a third-party tester come in that's starting to ask questions or even an underwriter, you can completely rationalize why you made the decisions that you made and why you implemented what you implemented and why you invested in the controls that you did in certain parts of the company but not other parts of the company. So, Ann, I think, just kind of off the hip, that's a high-level set of remarks that I would make to a newly minted CISO. 

Ann Johnson: I think that's great guidance, by the way. And I think newly minted CISOs are overwhelmed, right? There's regulatory requirements. There's board requirements. There's internal audit. There's the bad actors. There's politics. There's all of those things coming into play, and there's a lot of tech. So I love how you made it pretty concise and - to think about what they should focus on. All right, we are wrapping up here, and we always like to send our listeners off with one or two key takeaways and some inspiration. We want to be positive. So why are you optimistic about the future of cyber? 

Jason Barnett: Cybersecurity is the great equalizer for every company, regardless of what the industry that you're working in. We're all fighting the same fight. We're all battling the same battle. And as a result, it creates opportunities for all of the private and public sector to be able to pull together, share information, trade ideas, take lessons from one another, implement those in your own organization. And I think it's that kind of connection and that kind of relationship across companies within an industry and across industries that will put us in a position that we can all consistently fight the adversaries that we're dealing with. And that's very positive to me because you know that there's always somebody out there that can empathize with the situation you're in. And more times than not, people are very willing to share. So I would guide people to invest in building their own personal network of security leaders so that they can share ideas and get feedback when they're challenged - faced with problems. 

Jason Barnett: I think more closer to home, as I'd mentioned earlier, you know, security issues have moved from the back room to the boardroom. You've got a whole new audience to be able to cast your vision to and help them understand how what it is you're trying to accomplish is going to protect the business, which is going to enable them to improve the business and achieve their own vision. So with this kind of new audience that a lot of industries are starting to get - being able to take advantage of, that's certainly a good reason to be optimistic that they'll have support from new channels that they haven't had in the past. 

Ann Johnson: Thank you so much, Jason. I know you're super busy. It's wonderful to have you on. These have been really great insights, and I just really appreciate you making the time to share your knowledge with the community. I think the best thing we can do is, you know, impart our wisdom, and it makes everybody better. Thank you. 

Jason Barnett: You're welcome, Ann. I appreciate the opportunity to be here. 

Ann Johnson: And thank you so much to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: I invited Jason Barnett to join me on "Afternoon Cyber Tea" because he's such an industry expert. He runs a very large cyber program. He has really great feedback on resiliency, on organizational culture, on making security everyone's opportunity, how to run a health care organization with regulation at scale. He's just this incredible wealth of wisdom. And it was a phenomenal episode that I know everyone will enjoy.