Cybersecurity policies have to be intertwined with larger strategic aims

Aligning infosec imperatives with organizational goals depends on relationship building, trust and storytelling, says Steven Ramirez, CISO at Renown Health, who will explain more at the upcoming HIMSS AI & Cybersecurity Virtual Forum.
By Andrea Fox, Senior Editor
Photo: Steven Ramirez

An effective cybersecurity strategy focuses on operational excellence as much as business resilience, said Steven Ramirez, chief information security and technology officer for Renown Health, a nonprofit health system based in Reno, Nevada.

"You can't have an organizational strategy without a cybersecurity strategy because they work in parallel," he said.

Ramirez will hold a discussion on how cybersecurity controls align with the organization's strategy roadmap at the upcoming HIMSS AI & Cybersecurity Virtual Forum on Tuesday, Nov. 18.

His presentation, "Building a Culture of Cyber Resilience from the Top Down," will draw on insights from Renown Health's cybersecurity controls and the agility it's shown in adapting to a constantly evolving threat environment while supporting wider organizational goals.

Ramirez will also focus on how security teams can better collaborate with clinical and business teams and earn trust through softer skills, such as storytelling and "salesmanship."

"We're like Jack Sparrow's compass – really keeping up on where the true north is," he said. "That's our job – to navigate uncertainty and make sure that we're aligning with the organization and governing the chaos."

We spoke with Ramirez this week for a preview of his session at the Virtual Forum.

Q. What has been your experience embedding cybersecurity teams into enterprise strategy discussions, and what steps are absolutely critical for organizations?

A. It's really important, with any investment the organization makes for innovation and modernization, that we're at the table. We're collaborators in making people understand that cybersecurity is part of culture, that it's the number one risk of the organization.

We have various committees that we work collaboratively with across the board at Renown Health.

Before we buy anything, we know that cybersecurity needs to vet it. It's in our DNA, more or less, that we know that we need to do that. Anytime we're looking at things strategically, from our digital front doors and beyond, we ensure that we're incorporating cybersecurity hygiene.

If we need to make a change for outsourcing this, or insourcing that, switching to another technology, going on-prem or going to the cloud, it's very dynamic. But, if we have the basics, we're able to scale up and down, pivot, move left, right, north and south, very quickly.

Q. How can cybersecurity teams address any potential security complacency in the pursuit of development?

A. Governance and collaboration are key because you can't be successful in cybersecurity without reaching out to and working with others.

It used to be that cybersecurity – multifactor authentication, antivirus, all these things – happened behind the scenes. But it's trickled into all work streams, processes and a lot of what we're doing in day-to-day.

To be successful, you have to be able to collaborate, discuss and then govern what's in your ecosystem. An important tool is storytelling.

When hitting potential headwinds in cybersecurity – such as when care teams push back on certain controls because they say it's impacting workflows – we're not doing our jobs if we're not able to sell the importance of the security actions.

Storytelling helps holistically, so we need to be salesmen, ensuring that people understand why we're putting controls in that might disrupt their workflows. We are putting speed bumps in a road that they may be used to generally driving down, but it is scary to see that some organizations still haven't embedded proper controls.

If you do the fundamentals very well, then you're likely going to stay out of the paper.

Governance level setting and discussions with the business are critical as attacks are becoming more sophisticated. Before groups bring in new tool sets to support clinical workflow, that's where you really need to make sure that you're having that strong collaboration to ensure a proper, secure rollout.

Finally, just because [artificial intelligence] is the big buzzword doesn't mean you need to be running to implement the newest, latest and greatest AI security tools. If you do MFA, good password hygiene, focus on access management, endpoint and antivirus early detection, as well as incident response and cyber resilience – all the core fundamentals – you're going to be very well off as an organization.

Q. What are your recommendations for aligning cybersecurity with organizational goals?

A. You can get creative in aligning with business goals. While many have goals to do more with less in the coming months and years, we could all better engage patients. Expanding digital front doors, our footprints, better care for our patients, and more process efficiencies are the biggest tech initiatives.

This is where, as cybersecurity practitioners, we need to understand where our organizations are going from a technology perspective.

Every organization is trying to improve patient workflows, add virtual monitoring, et cetera. Understanding the pulse of our organizations and how they want to leverage technology helps us to stay ahead of the curve and understand how we're going to embed [those technologies] into our ecosystems securely.

We need to be at the table and understand that our clinical teams want to look at certain technologies. We have an AI questionnaire and have our compliance and privacy officer come to the table. We do a lot of pre-vetting work; it's almost like football. We don't want to go out and just get surprised by everything that comes at us. That's why it's important to have those relationships and that security-first governance is embedded into our DNA.

Q. What leadership-driven approaches will attendees gain insight into?

A. If somebody forgets, make sure security-first governance remains front and center so the organization can address challenges in growth, technology enablement, technical debt, mergers and acquisitions, and more.

It all goes back to relationship building, clear and concise communication, collaboration, transparency and then delivering on what you say you'll do. Don't be the department of no. We have the technical controls that enable us to really loosen the leash a little bit on what we're able to do. There are ways if you understand the process.

For example, we have data loss prevention tools, and we can control things within our brick-and-mortar a little bit easier.

Build trust by looking at some of these scenarios that people need assistance with. There is a degree of bargaining, in a sense, to negotiate security. It's really important to know that there's a fine line in taking your wins and building trust.

Also, you're never going to mitigate all risks. Your job is to just be that collaborator and make sure that you're able to support the business, but also secure the business and ensure you're not interrupting clinical operations.

The HIMSS AI & Cybersecurity Virtual Forum is free to attend on Nov. 18. Learn more and register.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.