Skip to main content

Search site

Find podcasts, news, articles, webinars, and contributors in one search.

Executive Interview
Executive Interview artwork

Browser-First Security Rethink Health System CISOs Need | Google Friday with Bill Reid

About This Episode

July 10, 2026: Bill Reid, Healthcare and Life Sciences Lead in the Office of the CISO at Google, has spent his career working with health system security leaders, and he keeps running into the same blind spot: healthcare is underestimating the browser as an attack surface. Drex DeFord sits down with Bill to explore why the shift from thick client infrastructure to a secure, browser-first endpoint model is no longer theoretical. It is what resilient health systems are building. From managing transient clinical staff to simplifying a fractured endpoint environment, Bill makes the case for why the browser is the future of healthcare endpoint security.

Key Points:

  • 01:21 Browser Attack Surface

  • 03:39 Resilient Endpoint Posture

  • 05:40 CISO-CIO Conversation

LinkedIn: 229Project

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Thank You to Our Episode Partner

Google Chrome

Contributors

People featured in this episode — open a profile for more.

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.   📍   📍 Hey, everyone, it's Google Chrome Friday, and today we're talking about cyber resilience in healthcare, and specifically the browser as an attack surface and what health systems need to be thinking about at the endpoint level. This is part of our Google Chrome Friday series for conversations running through the month of July. My guest today is Bill Reid, healthcare and life sciences lead at the Office of the CISO at Google Cloud. Bill, we have known each other forever.  Yeah, it does seem that way.   We both live in the Seattle area. You still live in Seattle, in the Seattle area. I do. I do. Yeah. Yeah. And it seems like we see each other more often than not- when we're on an airplane going someplace, and we both just happen to be headed to the sa- the same city.  Exactly. It's usually RSA or it's on the way down to Black Hat or it's on the way down to... Yeah.   Or AI SAC. Yeah. Exactly. Well, tell folks a little bit about yourself, and then I have some questions.   Sure. So Bill Reed. Uh, I work with healthcare and life science organizations as part of the Office of the CISO. Former CISO myself, in the life sciences space and in the healthcare space. and, I work with, security executives across the industry and, and, particularly as it relates to what they're doing on Cloud.  So let me get to, uh, a couple of questions. where is the browser as an attack surface being underestimated in healthcare right now?  Underestimated. You know, I, I think that, um, much of healthcare for the longest time has really operated on this, construct of the, a thick client coming in through a Citrix connection or some sort of, of kind of, uh, VPN with a kind of remote desktop thick client, and very few applications really truly being browser-enabled. and so for the longest period, where many clinicians, for example, have fired up their Citrix session and logged into an application. And I think that, um, uh, that kind of non-browser based, uh, uh, surface has been, really not only a not great experience for the clinician, and others, but I think also, a, you know, an, an attack surface, Mm that has existed and, you know, a client that requires management and a bit of a heavier touch on the client side of things. And I think that, um, increasingly what we're seeing now is applications becoming more, kind of internet facing, browser-enabled, beginning to have a kind of zero trust type properties to them and, and being able to be encapsulated inside the browser.  It, it's funny too, when I think back to, the pandemic, a lot of things went to the cloud, a lot of things- Yeah ... became browser-based applications. So that's sort of part of the story too.   It is. It is part of this. And, and I think for many that was a time when they realized, like, "Hey, there's, uh, you know... How do we simplify the, you know, kind of the workflow?" Particularly I think in healthcare with the clinical side of things, and so I've, you know, imagine now you're a clinician, you're doing kind of telehealth and you're operating partly in something like a meet, or like what we're talking on. And meanwhile, I've also gotta open up a session and remote into, an electronic health record system. And then, oh, by the way, I also have to remote into a PAC system to be able to look at the images, and potentially a lab system to be able to look at labs and, and do order entry and that sort of thing. And so rather complicated kind of workflow, and I think that people looked at that and said, "Hey, there's... We can do this in a better way."  Yeah. So what's a truly resilient security posture look like at the endpoint level for health systems? Making it easy, but making it resilient- too.   thinking about how do I have as much as I can encapsulated inside a secure browser. how can I, move that such that I've really got kind of a unified interface, and I'm doing that inside a secure managed browser session. And I think that, organizations beginning to look at that and think, "Well, how much can I move into that space? How can I manage, uh, uh, the exposure? How can I use kind of a unified entry point for all of the compute that we're doing, and get away from kind of rich client applications and doing things where I've got VPNs and VPN management, and I've got a mix of kind of client server-like behaviors, and trying to get that into the browser." And I think that, you know, that's been, of great interest with customers of mine in terms of thinking about, what is it that we can actually put inside that browser. And I think that, you know, they're very curious about the experiences that we have as, Googlers in terms of, "Wait, you do what in the browser?" And I'm like, "I do everything in the browser. there's really no compute that I don't." And, and, and that gives, you know, great, capabilities to me as a user. But as an organization, tremendous control over, what's exposed and the containerization of those risks.   And just the simplification of the environment creates- Exactly a more reliable operating environment and a more secure environment, just that by its very nature, right? Exactly.  bringing that experience together, being able to kind of have that, in a single interface, being able to have that well-managed, I think is really, is really what organizations need to do for- from a resiliency perspective. Like, like having kind of a, a fractured endpoint experience is, is pretty difficult.   Yeah. So I mean, which kind of brings me to the last question. What's the conversation that health system CISOs should be having with their CIOs that they may not be having today?  part of that is just helping them understand, um, you know, how much is actually possible, to, you know, do from a compute perspective in the browser. I think there's a perception, um, that, you know, we need to have kind of a thick client, kind of infrastructure or that, we can't do things in a browser. And, and I think that, Increasingly, that's not the case, right?   Isn't that just kind of getting out of your own way, right? I mean, it's like a lot of these- It is, yeah folks have grown up with, "No, that's the best practice. You have to use a thick client." But not necessarily true today.   Not really necessarily true. And I think that the other is that, you know, from the perspective of how do I deal with a workforce, in healthcare which is increasingly, not, not really your own workforce. Mm-hmm. So if you start thinking about, , what we experienced during the, the pandemic with, agency staff, with traveling nurses, with locums. Um, you know, you've got people who are coming in and out of a relationship, in a clinical relationship, and, and trying to do that, and manage kind of the security posture of those types of transient relationships is really difficult. And so if you think about how can I do that where, you know, people were worried about bringing your own device and what was on the client, and how do I have hygiene and posturing of the device? And, and if I can move that and abstract that into the browser, all of a sudden now I can have, you know, kind of a, a remote desktop that is mine. And I'm managing that, and I know what I'm presenting to the organization from a client, as opposed to worrying about, you know, everything else that's out there and all of these... And I do think that the CIO doesn't want to have the complexity of managing all of those assets. Mm. Right? would prefer to be able to put their resources on something else, than trying to manage a bunch of, of kind of dis- disparate endpoints.  Managing complexity also means, I mean, if you can manage it out and simplify it, it also means a better experience for the end user, right? Exactly. Physicians, nurses, everyone already burned out. Exactly. giving them an easier way to get to the things they need to makes a big difference.   It does. And, you know, and it, it, it opens up, you know, the opportunity to, to really meet the staff where they wanna work. And some may wanna work on a laptop and some may w- wanna work on a tablet, and some may wanna work on, you know, a different kind of a setup. and all of a sudden now they're able to do that and maintain that security context that's really independent of those devices. And so being able to move relatively seamlessly from, you know, I'm in the office, and I might be seeing patients with a tablet, and then moving to a workstation, and then heading home and I'm on my phone. And, and all of those I'm on in that same sort of, browser context and, and being able to be subject to the same sort of, security requirements and controls.   Thanks for your time today. I mean, I feel like- Yeah ... we could go on forever, but thanks for the time today. I look forward- Thank you ... I look forward to seeing you on the road again- Exactly uh, sometime soon. It's,  it's kinda, kind of the nature of being in the Northwest, you know? Uh- It is ... you get on airplanes.   thanks for joining this executive interview with me, Drex DeFord. Here at This Week Health, we believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe, and share all of this with a colleague. Thanks for being here. I'll see you around campus

Found this useful? Share it with your network