
Why the Browser Is Your Health System's Biggest Security Gap | Google Fridays with Andrew Rollo

Questions Answered in This Episode
- Why are outdated browser management approaches costing health systems time and money?
- How should health systems balance security with giving clinicians the tools they need?
- What makes browser updates critical to your security posture in healthcare?
- Why does extension management require conversation with users, not just blocking?
- What should a CIO verify before deploying a secure enterprise browser?
About This Episode
July 3, 2026: Andrew Rollo, Sales Engineer at Google, has led browser deployments for organizations with 10,000-plus endpoints, with a dedicated focus on healthcare. Drex DeFord sits down with Andrew to unpack why the browser has become the most vulnerable and most overlooked tool in a health system's security stack. They cover how identity, update cadence, and extension governance define whether a deployment succeeds or fails, what a seamless day-one rollout looks like for clinical staff, and why blocking AI tools entirely is a losing strategy. Practical, specific, and built for CIOs who need answers, not theory.
Key Points:
01:54 Browser Security and Updates
05:25 Day One Success for Clinicians
07:23 CIO Checklist Identity EHR Network
Transcript
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Drex DeFord: Today we're talking about browser deployment in health systems and what makes it harder than it needs to be, and what a smooth rollout actually looks like. This is part of our Google Chrome Friday series, four conversations running through the month of July. My guest today is Andy Rollo, Senior Customer Engineer at Google Chrome Enterprise. Hey, Andy. How's it going? It's going great. I'm glad to be here. Yeah, tell me a little bit about yourself.

Andy Rollo: So I do a lot of deployment in Chrome, you know, if you hadn't guessed already. A lot of our largest organizations, and I do focus on healthcare. Um, today I think we're gonna be focusing on browser, so I do have some good experience there with large 10K plus deployments.

Drex DeFord: Hmm. What's, uh, what's the most common assumptions health systems make about browser management that ends up costing them time and [00:01:00] money?

Andy Rollo: Well, actually, the biggest thing to conceptualize is that this is slightly new, right? So folks think that what they're doing today is good enough and, and a lot of times it's not the case. So historically, the browser could be managed, you know, on Windows with a GPO or plist on a Mac with, with Jamf or something to that effect, and that gives you some functionality, but that is not a, a robust management. And, uh, I'm gonna g- make a little bit of analogy here, and I may date myself, so I apologize if, if this dates myself. But I remember a time when, uh, antivirus clients first became popular.

Drex DeFord: Mm-hmm.
Andy Rollo: You know, in the beginning, you know, there was a handful, and then over time there was a new one every couple months, and that's because people realized we have internet connected operating systems with huge amounts of vulnerable data and they needed a way to protect it. So the way things have evolved to today is now all of [00:02:00] that data that's sensitive is in the browser, and the browser is the thing that needs to be secured. So the old ways that people were using to manage the browser don't quite cut it. You need something a little bit more robust, and you'll see secure enterprise browser become very popular. It is the target of all the hackers, and it is also the tool we're using to make the most out of our productivity. It's where we do most of our work, you know, holistically speaking.

Drex DeFord: Mm-hmm.

Andy Rollo: So one thing that I like to point out is not only do you need to manage the browser, but you have to keep close attention to how you update the browser. Because going back to that analogy, the update of the browser is actually like the vulnerability scan and fix.

Drex DeFord: Right.

Andy Rollo: It's our frequent updates of the browser that prevent the browser from being hacked. So you have to manage and you have to play- pay very close [00:03:00] attention to how you update it. That is the most important part of it. The other thing that trips people up is, is shadow IT. So- Mm ... with a browser there's the ability to add extensions, which can be anything, a calculator, a PDF reader, all sorts of functionality. You wanna use that, that's what the platform's designed to use, but you don't wanna let people add whatever they want. If you let them do whatever they want, eventually either data will be stolen or the system will become unstable. So one of the things that I harp on is you have to have an extension management plan as well. That's the big one, extension management.
What you'll see is you need to give people the ability to suggest whi- which extensions to allow. Right. So it, it's a conversation that you have to have with users, not just block all or allow [00:04:00] all. Th- there has to be that segmentation. One more thing, AI, and I don't wanna talk about it too much 'cause this is a browser conversation, but we're in the sweet spot. AI is getting better every couple months. When it first came out, I'll admit, it was not the greatest. A lot was to be desired of, like, the original-

Drex DeFord: Yeah.

Andy Rollo: stuff that came out, but it's getting better and better. Mm. And at first a lot of organizations I talked to said, "Block it all, Andy." Like, "Just turn it off. We, we don't want any users to do that." But what we're gonna see is that people who have that philosophy of turn it all off are gonna lose the productivity gains. Same with extensions. It, it's the same concept. You have to give users the tools they need to do their job, but you have to, like, manage what they can do. So with AI what you're gonna wanna do is standardize on something, restrict the browser to [00:05:00] only use that-

Drex DeFord: Mm ...

Andy Rollo: and take it a step further, restrict the browser to only allow passing certain data types into your AI of choice, right? So you, you'll definitely wanna stop them from entering, you know, people's medical record numbers and, and, and, you know, o- other sorts of things. But you will wanna give people those tools just to do their job.

Drex DeFord: Time is money, yeah. What, what does a successful deployment actually look like for the clinical team on day one?

Andy Rollo: I mean, honestly, it's invisible, right? Th- the ideas- ideal scenario is that no one notices at all. I mean, that's, that's a little bit of embellishment. Like, they're gonna notice. There should be some changes, but nobody should be complaining.
So if the help desk is inundated with 1,000 tickets, that's obviously not a good thing. Right. But there should be changes. There needs to be changes, and the biggest one is [00:06:00] understanding your different personas. We talk about this all the time. We call them customer user journeys, right? So in, in a healthcare space, you could have a nurse, you could have a pharmacist. They both need access to a PC. They both need access to a browser, but they have different tools. So the idea is for all these identities, when they log in, they see a different thing. So a pharmacist would see inventory, a nurse might see a, a different set of, of scheduling functions. The browser would open with the tabs that they actually need-

Drex DeFord: Mm ...

Andy Rollo: and bookmarks that they need, and nothing else. I'm not saying you should block everything else, but, like, when those people log in, they should see their, their desk, you know, their workspace, what they expect to see, how they do things, and, and know what to do next, right? So frictionless. If you're using a secure enterprise browser, you'll probably have some safe browsing tools, like, embedded [00:07:00] that will pop up if they go and do something silly like, like click on a download that's obviously a virus. So it's okay if they notice that, but those things should be elegant, and all of the other things they notice should be helping them get to where they need to be. So, so ideally the only comments you get are good ones. That's the measure of success there.

Drex DeFord: I love it. Well, what should a CIO be asking their infrastructure team before they commit to a new enterprise browser deployment?

Andy Rollo: So I really like this question, uh, 'cause I, I get to get into the more nerdy, uh, parts of, of this sort of deployment. The big thing about a managed browser deployment is the identity, right? So a user has credentials.
Whether it's a smart card, badge tap, username, password, those folks need to log in, and that identity system needs to work well in the browser. Like, [00:08:00] absolutely. The only way you can protect people is associating them with an identity. There's a couple reasons for that. One, you can restrict the identities to see certain things based on their role, and two, if something happens, you can audit and figure out which identity is nefarious, right? So number one, identity. And it's not to say that the EHR isn't important. I would say almost for the clinicians involved, the EHR is the most important, right? Does the EHR system, the medical record system work in the browser? Does it work well? Obviously, that's where everyone's gonna be doing a lot of work, so you need to make sure that that is- Mm ... is very tight. In some instances, some of the EHR providers might have a legacy application that doesn't run in the browser. So in that case, you wanna be checking with your tech team about do you have a virtualization vendor. There are se- several of them out there, um, Citrix, VMware, uh, [00:09:00] Cameo i- is one that we use that, that does everything through the browser, but you need to make sure the EHR runs in the browser or have a plan to virtualize it. The other interesting one is network throughput. Like, a lot of healthcare systems have constrained budgets and how much bandwidth you have is very important. Most of them are doing telehealth and a lot of video conferencing. So it's very bandwidth intensive. But as I mentioned before, we'll do a callback, your update cadence for your browser is key to your security posture. So you need to know what your network usage is at any given time of the day so that you can make sure that if you have 10,000 browser endpoints or more, that they are updating regularly, but at the right time, so that you're not pulling down all this information a- and potentially leading to bad healthcare outcomes.
Because at the end of the day, it's people's health, you know, and, and [00:10:00] quite possibly their lives. So you need to be very careful that the EHR isn't disrupted, the network isn't disrupted, and that everyone has access to only the things they should have access to, and that you have a record of that. You know, there's a lot of HIPAA regulations that are coming out. As, as HIPAA evolves, you know, with this digital world, there's gonna be stronger constraints on encryption and other things, so you really have to keep that tight.

Drex DeFord: Yeah. Hey, uh, thanks for the time today. I really appreciate it. Yeah. I'm looking forward to seeing you in person somewhere on the road sometime soon.

Andy Rollo: Yeah, definitely. Sometime very soon. You know where to find me.

Speaker 5: Thanks for joining this executive interview with me, Drex DeFord. Here at This Week Health, we believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe, and share all of this with a colleague. Thanks for being here. I'll see you around [00:11:00] campus.



