This Week Health

Don't forget to subscribe!

April 26: 2020: So many systems and hospitals across the country have adjusted to the COVID crisis, and one of the most phenomenal adaptations has been the Hospital for Special Surgeries in New York. As a dedicated orthopedics and rheumatology healthcare facility, the hospital has nimbly pivoted to cater to COVID patients, canceling all elective surgery. Today’s guest, Vikrant Arora, CISO at HSS, joins us to share some of the security-related challenges the institution has faced. In this episode, Vikrant gives an overview of the four areas where there has been increased threatening activity. From spikes in phishing to uptick in onboarding vendors without all the checks and balances given the supply chain challenges that they have, there are various challenges they face daily. Vikrant shares some of the strategies that they have used to overcome these potential threats. Ultimately, it comes down to the strong foundational systems, principles, and cohesive leadership at the hospital. Along with this, Vikrant also shares some best practices, the importance of cyber hygiene, and what’s inspired him most during this crisis. Be sure to tune in today!

Key Points From This Episode:

  • Learn about HSS, the work they do and how they’ve adapted their services to the pandemic.
  • The four areas where there has been an increase in threatening activities.
  • How HSS’s security is dealing with bringing on new vendors while remaining secure.
  • Why having good foundational systems and strong cyber hygiene practices has helped HSS.
  • Understanding the full spectrum of challenges that come with remote working.
  • Three strategies HSS’s security team has used to increase protection.
  • Find out how having a dedicated COVID-related manager has helped HSS.
Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Welcome to this week in Health IT News, where we take a look at the news which will impact health it. This is another field report where we talk with leaders from health systems and organizations on the front lines. My name is Bill Russell Healthcare, CIO, coach and creator of this week in Health. It a set up podcasts, videos, and collaboration events dedicated to developing the next generation of health leaders.

Are you ready for this? We're going to do something a little different for our Tuesday Newsday show. Next week we're gonna go live at noon Eastern 9:00 AM Pacific. We will be live on our YouTube channel with myself, Drexel Ford Sus Shade. And David Munch with Starbridge Advisors to discuss the new normal for health.

It, uh, with you supplying the questions with live chat. Also, you can send in your questions ahead of time at hello at this week in health it.com. Uh, I'm so excited to do this and I hope you'll join us. Mark your calendar. Noon Eastern 9:00 AM Pacific on April 28th. If you want to, uh, send the questions, feel free to do that.

Um, and, uh, you can get to the show by going to this week, health.com/live. This episode and every episode since we started the Covid 19 series has been sponsored by Sirius Healthcare. Uh, they reached out to me to see how we might partner during this time, and that is how we've been able to support producing daily shows.

Special thanks to Sirius. For supporting the show's efforts during the crisis. Now onto today's show. Hi everyone, and thanks for joining this week in Health it. I'm Drex de Ford CI Securities Chief Healthcare strategist and president of Drexel Innovation Network, and today we welcome Vic Aurora. Chief Information Security Officer at Hospital for Special Surgery in New York City to this week in health.

It thanks for being with us today, Vic. I know you're crazy busy and I really do appreciate you being here. Thank you very much, uh, for the opportunity. I. Be happy to be here. Yeah. We, um, start, if you would, by telling us a little bit about HSS and you and your team there, and, you know, obviously, I'm sure everybody wants to know how it's going with the Covid outbreak there and what you're seeing at hss.

Sure. So, um, HSS is an orthopedic and rheumatology hospital. Uh, we're rated number one in us, uh, for the past decade or so. We're the oldest orthopedic hospital in the country. We also rank very highly in rheumatology and musculoskeletal health. Mm-Hmm. , uh. So in the past, uh, few weeks ever since, um, this crisis has started, we have literally repurposed our entire hospital operations from starting with initially differing our, uh, scheduled surgeries to canceling elective surgeries altogether.

Then from, uh, that we took on a step to start doing, um, er patients, which we normally don't do as an overflow from New York Presbyterian. And then as a second level of maturity, we even started taking care of covid patients. So we have literally stopped everything we normally do and repurposed ourselves to, um, support the community and do what's needed at the moment.

So it's been a transformation of the organization. Wow. It's incredible too. I mean, in. You know, you, uh, and just kind of watching from afar, right? Um, uh, I'm in Seattle and so, uh, you know, we sort of started with the initial outbreak here, and obviously it's sort of gone across the, across the country. You guys have been super hard hit and it's been, uh, amazing and inspiring to watch, uh, how you guys have transformed in just a couple of weeks into almost a completely different.

Kind of hospital than you are normally. Yeah. And there's no way we have the right level of gratitude and the words to express what the care providers, the nurses, the, uh, support staff, everybody has done. It's, it's beyond unbelievable. I mean, it is, it is incredible. I'm sorry, go ahead. I was just saying it's truly a privilege to support them in any way, shape or fashion, so, yes.

Thank you. I mean, I, you know, the, the other thing I would say is, thank you. You know, I'm a big, I'm a big believer in the, in the, what I think is the reality that, uh, people who work in healthcare it, people who work in the, in the CISO's office, um, are partners. For the delivery of great care to patients and families, and you are as much of this as anybody.

So, you know, I would just say on behalf of me, on behalf of the listeners, thank you. Um, you, you guys have done amazing work out there. Uh, what are you seeing with regard to threat activity during the pandemic from a security perspective? Um, so we are seeing activity in primarily four areas that kind of bubble up for me and my team.

Uh, the first is obviously phishing. Mm-Hmm. . We've seen a ramp increase in, um, email frauds related to, uh, protective equipment to the payment protection plan, the stimulus fraud. The CDC who advisories whatever's in the news is making an email, uh, a phishing scheme out there. To give you some numbers, we see on an average north of 50,000 covid related phishing scams that are blocked at the perimeter per day.

No, in a week. In a week. Okay. That's what we see. The second area that we've seen an increased activity is, um, exploitation of anything that is public facing. People are out there looking for ways to get into hospitals, uh, even though some groups have claimed that . They're gonna refrain from sending out ransomware, right?

I don't trust it. And in fact, I've seen some trends where there has been an increase in ransomware activity. So any exploit, any public facing asset, we see a lot of, uh, scanning, looking for vulnerabilities, including the VPN infrastructure. Um, the third thing we've seen is given the immediate needs. On the fly it engineering or bypassing corporate solutions for telehealth or collaboration, people switching from corporate communication tools to like WhatsApp or other insecure uh, collaboration tools.

Mm-hmm, . So that's the third risk. And lastly, I've seen an uptick in, um, onboarding vendors without, uh, all the checks and balances given the supply chain challenges that we have. So.

Yeah, I mean, given the amount of activity that we've seen in the last four weeks, um, and the need to bring on new vendors and buy equipment and do all of these things, I mean, it's one of your, it's one of your four items. How, how are you dealing with that? How are you sort of maintaining that balance between we have to be able to support the mission and we also need to be secure?

No doubt it's challenging, but like I mentioned earlier, given the challenge that the care providers and the, uh, doctors are up against, I think it's very inspiring and uh, that helps us, uh, feel a part of a very, um, uh, unique opportunity as well as, uh, find the inspiration that's needed. Uh, but at a very high level, I think the investments we have made.

Foundational practices prior to covid, such as having governance, change management, uh, formal risk acceptance by business units. They're all yielding dividends. Now. I've, I've always been a big. Believer of, um, uh, cyber hygiene. 'cause the two things that'll do for you is it'll help you come out of an incident sooner and it'll minimize the impact of an incident.

So all those foundational practices have helped us, uh, tremendously. I'll give you an example. Ever since the crisis has started, we still have not missed or postponed a single change management meeting in the organization. . That, that, that's amazing. And I, I'm, I'm totally with you. I think this whole idea of, um, oh, well security is all about security, uh, is, is kind of baloney, right?

Because in a lot of ways, having good cyber hygiene lets you run better, uh, more efficient operations. It sounds like you, you feel the same way. Absolutely. And the second thing that, um, has helped us and Drex is early on in the crisis HSS at an organizational level, uh, since we were going through such an organizational transformation, they put in new principles to deal with the crisis.

And the principals were principals were primarily, uh, protecting our staff, protecting HSS and protecting the community. That really helped restructure how we approached our projects and, uh, prioritize deprioritize efforts and maintain alignment through the organization. So between that and the foundational practices, we've been able to create, uh, the necessary bandwidth.

I can get into some tactical things we are, uh, we are doing too, but, uh, let's see. Uh, I, I love the principles. I mean, I think that, uh, that level of leadership and transparency to the team and the community. Is is, uh, is huge and it certainly has to make you feel good as A-C-I-S-O, that protecting the staff and protecting the, uh, protecting the patients, you know, that that's really what we're all about.

Has to, has to feel, feel good that, uh, leadership has your back. Absolutely. And I think the biggest and the most important asset, if you're strict, strictly speaking in terms of risk management, the most important asset that is at risk is people because of the crisis. Mm-Hmm. . Mm-Hmm. as leaders. Um, I'll tell you, I mean, my wife and I, we've been working from home for the past few weeks.

Uh, both of us work in the city. We have a six year old and a two year old. Mm-Hmm. Our nanny stopped coming three weeks ago. Mm-Hmm. And, uh, we had a few failed starts in terms of managing the kids, the homeschooling and daily routines. And then we found our rhythm. Mm-Hmm, . But I'm trying to be as cognizant as possible for my team at work because they don't care how much, you know, they, uh, only care.

I mean, if they felt that they're being cared for by the leadership. So being cognizant that they have similar challenges at home, um, can go a long way in, uh, earning their commitment. That's great advice. Hey, one of the things that, uh, I wanted to ask you about, Vic, was to do the follow up on, uh, some of the tactical things you said that, that you were doing from a security perspective and best practices around, uh, you know, protecting the organization, protecting the people, protecting the community.

So any of those that you want to talk about that you'd like to share with listeners? Uh, you know, we're all about trying to, uh, to spread the news of, uh, of great best practices. Absolutely. So, um, I can, uh, mention three things. Uh, the first is, uh, we repurposed the security team to move people from our, uh, and apologize for the background noise.

That's fine. It's fine. Uh, we, we repurposed the security team to move people from our engineering and operations and architecture groups into governance risk and compliance and security monitoring. Our GRC and security monitoring are the two units, uh, that are more actively involved than operations and architecture because a lot of projects have stopped that are not covid related.

Mm-Hmm. . That has helped us create some bandwidth. Uh, the second thing is, uh, we have been always, um. Trying to do a risk based recommendation. So we, we are providing quick feedback to anybody who's looking at a consumer grade technology to meet an immediate need. And we are also trying to lead the digital efforts where possible.

I'll give you an example, two examples there. One is, uh, a group needed to use temporarily, a scheduling app called Doodle. And because the governance, it came to our shop that, hey, can you do a review? And we said, we'll dedicate somebody to set up doodle for you instead of doing a review. Because I mean, it's a consumer grade app.

The admin of the app can do whatever they want. So we'll meet your need, but let us lead the effort. Yeah, security. Yeah, security engineer ended up being a doodle admin, made sure all the settings were turned on and it was only a temporary lead and we got them what they needed and on. And right now we're doing the same with, uh, zoom.

I mean, there has been. And, uh, we've taken a very surgical approach where we have figured out what the telehealth use cases are. They range from, um, identity proofing to, uh, seeing somebody in an isolation room to scheduling appointments, right? So we have security recommendations for each of those use case that can easily minimize.

Some of the risks that are out there in the news and the biggest one there is around Zoom bombing and just the use of private meeting IDs and passwords for your Zoom conferences and education around not making those Zoom invites, uh, uh, sharing them socially on social media. Mm-hmm, can go a long way to minimize Zoom bombing.

So those are some of the things we've done that, that, that's terrific. And, and I, I know you're super busy 'cause I can hear you blowing up over there, uh, electronically. Is there anything else that I didn't ask you about that you'd like to share with listeners before I let you go? I. Yeah, sure. One more thing that has helped us tremendously, uh, to through this entire journey has been, um, early on within it, we set up a point person who would field all covid related activities, and we had daily leadership huddles.

To prioritize deprioritize, covid, non covid activities remaining in line with the, uh, organizational principles. Initially it was me as I'm also responsible for business continuity planning. Mm-Hmm. But as the activities kind of skyrocketed, we felt that there was a need to have a dedicated project manager focusing on all these tasks because there was significant.

Effort needed in between the leadership huddles, uh, with all the teams to coordinate this work. So having like a crisis director or a project manager dedicated to managing covid activities, uh, has helped us significantly, not only from a documentation governance standpoint, but also making sure that all the teams are, uh, have the same priorities at all times because requests are coming from left, right, and center.

Uh, I love it. Air traffic control for, uh, covid in both the IT and the CISO world. That, that makes total sense. And you're the first person I've heard talk about managing it that way. So thanks for sharing that tidbit, man. That's, that's terrific. Yep. Thanks for the opportunity and I hope your listeners find this helpful.

I, you know, I, like I said, I know your time's exceptionally valuable. Really do appreciate you being with us today. Um, thanks Vic. Have a great day and we really, again, appreciate you being here. Thank you, Drex. That's all for this week. Special thanks to our sponsors, VMware Starbridge Advisors, Galen Healthcare Health Lyrics series, healthcare and Pro Talent advisors for choosing to invest in developing the next generation of health leaders.

If you wanna support the fastest growing podcast in the health IT space, the best way to do that is to share it with a peer. Send 'em an email, dmm 'em. Whatever you do, however you do it. Uh, go ahead and do that and, uh, that would benefit us greatly. We appreciate your support. Please check back often as we will continue to drop shows until we get through this pandemic together.

Thanks for listening. That's all for now.

Contributors

Thank You to Our Show Sponsors

Our Shows

Today In Health IT with Bill Russell

Related Content

1 2 3 267
Transform Healthcare - One Connection at a Time

© Copyright 2024 Health Lyrics All rights reserved