Skip to main content

Search site

Find podcasts, news, articles, webinars, and contributors in one search.

All articles

Feature

"The Browser Is the Endpoint": Bill Reid on Rethinking Endpoint Security

TOPICS: Cybersecurity & Privacy · Cloud Computing & Infrastructure RELEVANT TO: CISOs, CIOs, and security leaders rethinking endpoint strategy and workforce access models.

The browser has quietly become the primary endpoint in healthcare, and according to Bill Reid, Healthcare and Life Sciences Lead at the Office of the CISO at Google, most health systems have not caught up to what that shift really changes.

The Thick Client Habit

For years, the default model in healthcare ran through a thick client: a Citrix session, a VPN, a remote desktop standing between a clinician and the applications they needed. Reid, who previously served as a CISO in both the life sciences and healthcare sectors, described the old normal directly. Healthcare, he said, built its infrastructure around "the thick client coming in through a Citrix connection or some sort of VPN," with very few applications actually browser-enabled. For a clinician, that meant separate logins across an EHR, a PACS system, and a lab platform. For the security team behind it, it meant a heavier surface to manage and patch.

The pandemic forced the first real break from that model. Telehealth pushed clinical workflows into browser-based tools almost overnight, and organizations that had never questioned the thick client suddenly had a reason to. What started as a pandemic workaround has since become the default architecture for a growing share of clinical applications.

One Control Point Instead of Many

Reid's case for the managed browser is not about convenience. It is about what an organization can actually see and control. Instead of a sprawl of VPN connections, remote sessions, and client-server dependencies, the browser becomes a single point of entry the security team controls directly.

He is direct about how far he takes this in his own work. "I do everything in the browser," he said. "There's really no compute that I don't." That same architecture, he argued, solves a problem many CISOs have not fully connected to endpoint strategy: healthcare's growing reliance on a transient workforce. Agency staff, traveling nurses, and locum physicians move in and out of clinical relationships constantly, and managing device hygiene under that turnover is close to impossible using traditional BYOD assumptions. Abstract the compute into the browser, Reid said, and "all of a sudden now I can have kind of a remote desktop that is mine," fully managed on the organization's terms regardless of whose device it is running on.

The Conversation CISOs Aren't Having

Reid pointed to one specific gap: most security leaders still assume healthcare requires a thick client to function safely. "Increasingly, that's not the case," he said. On the CIO side, he sees the incentive already lining up, since most CIOs "would prefer to be able to put their resources on something else, than trying to manage a bunch of disparate endpoints."

What Peers Should Take From This

Reid's broader point is that the endpoint conversation and the workforce conversation are becoming the same conversation. A health system that consolidates its clinical access into a managed browser, he argued, is simplifying the environment it has to defend while building the one thing a mobile, contingent clinical workforce actually needs: a security model that travels with the session instead of the device.

Thank You to Our Article Partner

Google Chrome

Found this useful? Share it with your network

Explore more on this topic

Related articles, news, and podcast episodes