Q&A: Jackson Health System’s CISO Takes Measured Steps for Security

It seems as if emerging technologies are catching the interest of healthcare leaders every few months or so. This accelerated environment, coupled with persistent issues related to staffing shortages and funding, means that organizations are eager to test out new solutions.
Thoughtful innovation, however, must go hand in hand with cybersecurity, especially with healthcare being a highly targeted industry for malicious actors.
At Miami-based Jackson Health System, CISO Connie Barrera understands that healthcare organizations want new tools deployed yesterday, but she stresses the importance of planning.
“You can't secure what you don't understand,” she says. “Any healthcare organization needs to avoid the pitfall of putting something out there without understanding the risk profile and how it affects the rest of the environment. A continual risk assessment needs to happen.”
Barrera, who has held various roles throughout a long career in healthcare IT, spoke with HealthTech about the changing cybersecurity landscape, how to reach nontechnical stakeholders and the growing role of artificial intelligence and machine learning in IT security.
BARRERA: I think a lot of it has to do with what I see as an avalanche in the scope, breadth and rate of breaches that have happened. WannaCry in 2017 was really a major catalyst for what’s been a constant stream of ransomware attacks, especially in healthcare. Warnings from the FBI and the Cybersecurity and Infrastructure Security Agency have also focused more on healthcare as a main focus for attacks.
Because of that, organizations have had to be more vigilant in several domains. One of them is the Internet of Medical Things, where for years biomedical equipment had been largely unmanaged because of certain expectations for a “pristine” environment from manufacturers, for instance. Another area is zero trust, which has grown a lot in healthcare.
For organizations that tend to be pretty conservative in their cloud use, it’s getting harder for that to be the case, and it’s often no longer their choice anymore. Some solutions just don’t offer an on-premises option. In many cases, we've gone from a structure of perpetual licensing to subscription. The expanded risk profile that may come with going to the cloud is a big deal.
That also impacts identity and access management, which is core for zero-trust security. When you know your systems are no longer within your walls, and you either have primarily a cloud environment or some kind of hybrid environment, maintaining the sanctity of that identity is important. You need to know what your organizational roles and responsibilities are as things shift to the cloud.
Similarly, as AI plays a larger role for organizations, your users are already relying on AI in some form or another and trying to circumvent controls. And the adversaries are absolutely using AI to try to hurt different organizations.
HEALTHTECH: What areas of security has Jackson Health been interested in? Why should other healthcare organizations focus on those areas?

BARRERA: Through cyber liability insurance, we’ve turned to relying on immutable backups. It gives us a considerably different level of assurance that provides us the ability to know that our backups are not infected, and that once the data is backed up, it cannot be modified. Previously, if a ransomware attack were to happen, we might have had a backup that was compromised. So, switching to immutable backups is relatively low-hanging fruit.
Because of the cloud, AI and having, in some ways, a decentralized architecture, a very strong identity and access management solution is necessary. Managing identities across the board is key for zero trust, especially having a privileged access management solution. I think that when you have PAM, you're in a different league than just having regular credentialing that is not managed in a vault.
For Jackson Health, as we focus within the AI space, we want to know how the credentials being used are managed, because many times there’s a huge gap. There’s somewhat of a sprawl of AI technologies being stood up, and if some of these technologies are not within a regimented hardware lifecycle process, you could have quite an issue. When it comes to AI, follow the basic principles. Don't give it administrative root access if it just needs to read.
Over the course of several years, Jackson Health has been incredibly successful with periodic access reviews. We do monthly control audits, and we have Active Directory credential validations. A lot of these are fully automated. This is another basic we follow so that we can support the more modern or cutting-edge technology solutions that everybody wants.
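The automated periodic access review and least-privilege checks Barrera describes (monthly control audits, Active Directory credential validation, and not giving an AI integration administrative rights when it only needs to read) can be illustrated with a small review script. The following is an added example written for this article, not Jackson Health's own tooling; the account records are constructed sample data, and the group names, field names and 30-day cadence are assumptions chosen to match the interview's description.

```python
from datetime import date, timedelta

# Monthly control audit cadence, as described in the interview (assumed value).
REVIEW_CADENCE_DAYS = 30

# Groups treated as privileged for the review (assumed names, AD-style).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample directory records joined with HR status; not real accounts.
ACCOUNTS = [
    {"sam": "jdoe", "type": "user", "enabled": True, "hr_status": "active",
     "groups": ["Clinicians"], "last_review": "2024-05-20"},
    {"sam": "asmith", "type": "user", "enabled": True, "hr_status": "terminated",
     "groups": ["Clinicians"], "last_review": "2024-05-20"},
    # AI scheduling integration that only needs read access but sits in Domain Admins.
    {"sam": "svc-ai-sched", "type": "service", "enabled": True, "hr_status": "n/a",
     "groups": ["Domain Admins"], "last_review": "2024-05-20", "required_access": "read"},
    {"sam": "bwong", "type": "user", "enabled": True, "hr_status": "active",
     "groups": ["Help Desk"], "last_review": "2024-02-01"},
    {"sam": "svc-backup", "type": "service", "enabled": True, "hr_status": "n/a",
     "groups": ["Backup Operators"], "last_review": "2024-05-25", "required_access": "write"},
]


def review_accounts(accounts, as_of, cadence_days=REVIEW_CADENCE_DAYS):
    """Return sorted (account, finding) pairs for the periodic access review.

    Findings:
      ENABLED_AFTER_TERMINATION - HR says terminated but the account is still enabled.
      EXCESS_PRIVILEGE          - service account needs only read access but holds
                                  membership in a privileged group.
      REVIEW_OVERDUE            - last attestation is older than the review cadence.
    """
    findings = []
    for acct in accounts:
        sam = acct["sam"]
        if acct["enabled"] and acct["hr_status"] == "terminated":
            findings.append((sam, "ENABLED_AFTER_TERMINATION"))
        if (acct["type"] == "service"
                and acct.get("required_access") == "read"
                and PRIVILEGED_GROUPS.intersection(acct["groups"])):
            findings.append((sam, "EXCESS_PRIVILEGE"))
        last_review = date.fromisoformat(acct["last_review"])
        if as_of - last_review > timedelta(days=cadence_days):
            findings.append((sam, "REVIEW_OVERDUE"))
    return sorted(findings)


def accounts_to_disable(findings):
    """Accounts the automated control would disable pending HR follow-up."""
    return sorted({sam for sam, kind in findings if kind == "ENABLED_AFTER_TERMINATION"})


def accounts_to_strip_privilege(findings):
    """Accounts whose privileged group membership should be removed."""
    return sorted({sam for sam, kind in findings if kind == "EXCESS_PRIVILEGE"})


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, as_of=date(2024, 6, 1))
    for sam, kind in results:
        print(f"{sam:15} {kind}")
    print("disable:", accounts_to_disable(results))
    print("strip privilege:", accounts_to_strip_privilege(results))
```

In a real deployment the account list would be pulled from the directory and the HR system rather than embedded, and the disable and group-removal actions would be carried out by the automation with an audit trail; the review logic itself stays this simple.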

BARRERA: Depending on the culture of the security team, being too technical when it comes to spreading security awareness and partnership may not be the most appropriate move. When I was giving a training of sorts to a group of incoming residents recently, I was telling them that security is a shared responsibility, no matter how great our security tools are. I also try to connect that responsibility to something personal.
It takes a lot of hard work, because everyone is very busy. When clinicians have many patients to tend to, cybersecurity training can feel like a burden. But when you meet with other departments face to face, share the headlines, share the personal stories, it feels more meaningful. We also have committees that are made up of a cross-section of the organization. Over time, there’s incredible engagement with workers from other departments.
Within those committees, we also plan to do face-to-face “road shows.” After this outreach and in-person interaction, we get a lot of synergy, and we even have people who want to mentor others. So, people are paying attention, but that takes care and feeding. It really is like risk management in that it is a continuous cycle.
It helps that security is built into our culture. When leadership is engaged and supportive, that really makes all the difference, to be able to have all these activities, such as the road show and the yearly security awareness training that everyone is required to take. In some organizations, if someone doesn't do the training, nothing happens. But at Jackson Health, we have 100% compliance. Everybody does their required learning because otherwise, their account gets disabled, and they have to go sit with HR to take it before they can return to their job.
HEALTHTECH: How will AI/ML and data needs impact healthcare security moving forward?

BARRERA: We're all at different degrees of adoption. I think one of the most critical things to realize is that even if you think your organization is not using AI, your users are. At Jackson Health, one of the first ways that we're using AI is to do certain repetitive processes that are prone to errors if done by humans. One example is rescheduling appointments that have orders attached. The average human, even if they have a script, may just delete the appointment in order to create a new one, and then realize, “Oh, I've deleted the appointment with an order, three orders, five orders attached.” Those orders are gone. And so that process is being replaced with automation that is more accurate and efficient.
The IT security team works hand in hand with the data science team for application integration. Everything that comes in before procurement, we're going through a security questionnaire. We are evaluating risk. At the time of deployment, we are scanning, we're validating, so we're learning about the solution.
I think, though, that there's a very bright future for AI in healthcare. We have had a behavioral analytics solution that has leveraged AI for many years. So, we are continually looking at how we can bring efficiencies to our security operations center, which is the cornerstone of our incident response, and things like that. With the rate of attacks using AI against healthcare, we need to combat that with the same or better. We believe that when we bring in or are already using AI, that gives us a fighting edge on anything that happens.
We're also working on communication and outreach. We're shifting our policies for the health system on acceptable use of AI, being fully cognizant that people are constantly using it off the network. We do regulate as wide a range of things as we can. For example, we don't allow ChatGPT, Grok or other generative AI tools similar to those, but we know there are always ways employees can circumvent those controls. It’s up to us to maintain what’s acceptable use, patient privacy, and prevent data from wrongfully being exchanged. We want the AI solution we connect with to help achieve our health system’s slogan, which is “making miracles happen.”