When Anahi Santiago took the helm as CISO at ChristianaCare back in 2015, her first priority was to schedule meetings with executive leaders and pose a few simple but critical questions: What’s important to you? What keeps you up at night? And what are your priorities?
Doing so helped her “understand how to align my cybersecurity program with the organization,” she said. It also helped further establish a culture of cybersecurity, which continues to be one of ChristianaCare’s core values more than a decade later. “If you put the patient first, you can overcome many of the challenges we’re experiencing.”
Recently, Santiago spoke with Bill Russell about those challenges – which continue to mount for IT and cybersecurity leaders – and the strategies her team is leveraging to manage them.

Anahi Santiago
As is often the case with CISOs, Santiago didn’t start her career in healthcare. And while the experience she gained as a technology architect and project manager certainly helped build her skillset, it didn’t necessarily prepare her for the very “open nature” of healthcare. “You have patients walking on the floors, you have mobile carts with computers in the hallways, and you have nursing stations with 12 people working in the same space,” she said. “It’s very difficult to corral that and implement sound security when the dynamics are so fluid.”
Further compounding the situation is the presence of biomedical devices, particularly when certification cycles for government agencies don’t line up with those of the operating systems. “Because they’re FDA-certified, it’s not like a regular Windows device where if it gets infected, we either throw it out and install a new one or wipe it clean and restore from backup,” she explained. For that reason, close collaboration between biomedical and IT departments has become critical to effectively manage risk throughout the device lifecycle and ensure adherence to regulations and guidelines.
Part of that risk management entails conducting tabletop exercises, which should be done in conjunction with the device vendor to “coordinate all of the recovery processes,” Santiago noted – especially for a system as large and complex as ChristianaCare. “Of the 90,000 IP addresses that are connected to our network, 70,000 are medical devices,” she said. If a breach occurred, “the recovery time to get our hospital back up and running would feel untenable. But in reality, that’s how challenging it is in the face of a massive cyber attack.”
This isn’t news for cybersecurity and IT teams, which tend to understand the criticality of tabletop exercises and other drills. Other departments, on the other hand, aren’t always as prepared. “We have good downtime procedures for a few hours, maybe a day, but not for four to six weeks,” she said. And so, for a recent tabletop exercise, “we brought in people from home health, emergency areas, lab, radiology, and operational people that needed to exercise how they were going to work without technology.”
And they didn’t stop there. Earlier this year, CISA led a tabletop for ChristianaCare in which representatives from 13 state, local, and federal agencies – including the National Guard and Departments of Health – shared information about how to divert and transfer patients, and stand up makeshift hospitals.
“The participation of those agencies in helping us to understand how we could leverage them was immensely valuable,” Santiago said. “I would encourage everyone to include your local agencies in your tabletop exercises. In the 20 years that I’ve been doing this, I learned more from that than I had from any other exercise.”
Another key step for her team is the creation of an operational resiliency steering committee to ensure operations continue in the event of an attack. Importantly, it’s composed of executive leaders from across the organization, including finance, compliance, materials management, and public safety, among others.
Although it’s a “huge lift” that requires an enterprise-wide commitment, it’s one she’s happy to lead. “It’s a really critical need because it’s not ‘if,’ but ‘when,’ and when it does happen, it’s going to be weeks, not days.”
And it’s going to affect patient care, whether it’s canceled surgeries, increased medical errors, malfunctioning devices, or delayed authorization for life-saving treatments. “If we don’t do our jobs well – or even if we do our jobs really well, but the threat actors happen to just get it right that one time – we could impact care,” Santiago said.
On the other hand, CISOs and other leaders have an opportunity to “truly align cybersecurity to patient safety” by collaborating with stakeholders across the organization. “We’re experiencing huge challenges right now when it comes to margins and when it comes to uncertainty,” she noted. “But if we have the right culture and we have difficult conversations that allow us to overcome them, then I think we can get over the mountains that are in front of us.”

© Copyright 2024 Health Lyrics All rights reserved