A Conversation with Mitch Parker: Security Is Not a Technical Problem, It’s a Business Problem
Mike welcomes Indiana University Health CISO, Mitch Parker. Join us as they discuss the importance of getting businesses to talk and think about cybersecurity not as an afterthought, but as a part of the business that is not overly complicated and draconian. How can the security team and business leaders work together to ensure best practices and to avoid costly breaches?
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
Today’s guest is Mitch Parker. He’s a CISO at Indiana University Health where he’s been for the last four years focusing on medical device security. Before his work in Indiana, he worked as a CISO at Temple Health in Philadelphia, and as a defense contractor. He’s had a long history and career in security which he attributes to viewing security as a business problem. Data breaches happen most often, he says, because of a lack of risk management assessments and plans. It’s not all about forcing security on organizations, it’s about understanding and supporting the business. They’re solving business and organizational problems using technology.
Mike then asks Mitch how healthcare organizations allocate funds and keep security software up to date. It was in business school that Mitch realized ROI projections rarely, if ever, included technology or security operating costs. CISOs have to educate the business about the operating cost of IT and security and about return on investment. A data breach on a medical system, Mitch says, automatically translates to a negative ROI. The biggest improvement in security’s standing in the business world, in Mitch’s opinion, is Moody’s addition of IT and security questions to its credit questionnaire. This changes the game because it directly affects a hospital’s credit rating and its ability to borrow money.
Being in an academic medical center is a double-edged sword, Mitch explains. These centers have the most cutting-edge technology and highly specialized doctors. He is tasked with securing devices other healthcare CISOs haven’t seen yet, as well as securing enormous amounts of data. Everyone in the medical community who wants to access and share that data has to be able to secure it, and he has to be transparent about how he secures things as well. Medical device vendors have become better in recent years about building security in as they create new technology.
As the episode ends, Mike and Mitch discuss their industry pet peeves.
– Host Mike Murray opens the show.
– Mike introduces guest, Mitch Parker.
– Mitch’s secret to longevity in security.
– Managing technology and out of date software in healthcare.
– ROI for IT and security.
– Academic medical settings and security.
– Mike and Mitch discuss industry pet peeves.
0:00:02.8 Speaker 1: Welcome to In Scope, The Healthcare Security podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:18.3 Mike Murray: Hello, and welcome to this week’s episode of In Scope, The Healthcare Security podcast. I’m incredibly excited about today. I have with us Mitch Parker, who’s the CISO of IU Health, Indiana University Health, out of Indiana. And Mitch is somebody that I’ve followed on Twitter for a long time, and we’ve been in each other’s orbits, but this is an opportunity to talk to somebody that I’m really excited to talk to and to hear his thoughts and opinions. So Mitch, welcome to the podcast.
0:00:46.8 Mitch Parker: Thank you very much for having me here, Mike.
0:00:49.2 MM: Absolutely. And maybe just for the people who don’t follow you on Twitter or follow your social media missives, maybe talk a little bit about who you are and how you ended up where you’re at and your career and all those sorts of things.
0:01:00.8 MP: Absolutely. So I’ve been at IU Health for about the past four-and-a-half years. My areas of focus have always been on medical device security and doing good root cause level analysis of security incidents, which ended up being here in Indiana. Because for about eight years before that, I was the CISO at Temple Health in Philadelphia. And prior to that, I spent six years as a defense contractor specializing in information assurance. And before that, I was a consultant, believe it or not, doing software development and database work. I got into security almost 20 years ago, and look where I ended up.
0:01:41.4 MM: You’re still here. I find it interesting to talk to people who’ve been in security a long time, ’cause I think security is a discipline that a lot of people join, and they’re in it for a couple of years, and then they drop out. What do you think the secret of your longevity in this industry is?
0:01:55.3 MP: I don’t consider security to be a security problem, I consider it to be a business issue, and it’s a business problem to be addressed. One of the things I did when I first got to IU Health, I had a meeting with our then chief operating officer, Al Gatmaitan. And this guy was very funny. He leads off the meeting, I have never met someone outside the city of Philadelphia, outside of people that work for ESPN, that know more about the Eagles and Sixers than this guy did. So, had the conversation with him about leadership, Doug Pederson, Andy Reid, and Chip Kelly, and the leadership differences between the three. Then, I start talking about security, and I started unpacking a few security events, because part of what we do on our team is we unpack to get the real root cause of security events.
0:02:42.7 MP: I started talking about the OPM data breach, and I explained one of the main root causes for it was they didn’t approve the funding to upgrade from the Oracle form system they were on to a newer version of the Oracle software they needed that would have addressed this issue. And it came down to it, I said, “Oracle gave them that option for years.” And I said, “While Oracle did a pretty good job of actually supporting the software for a very long time, however, you gotta move on. And some of those companies just can’t keep supporting the software forever, so they moved on, but unfortunately, the vendor didn’t.” So I said, “If you take a look at almost every single security event, you take a look at the root causes, you realize there’s a lot of non-technical concerns that cause security events.”
0:03:33.7 MP: And what I also did is I also got in front of our senior leadership team right after I started, and I said, “I don’t believe that the Office for Civil Rights has ever fined an organization for a data breach.” I said, “I took a look at every security incident on the wall of shame, they were not written up for a data breach. They were written up for lack of a risk assessment, lack of a risk management plan, or lack of following up on open risk items.” So I said, “What I plan on doing here is those three things.”
0:04:05.8 MM: That’s fascinating. How was that received? I would imagine that that was a breath of fresh air for a lot of those business folks.
0:04:11.5 MP: Absolutely. And again, it got a lot of people talking. And that was the most important thing, because people make cyber security out to be this huge, overly complicated thing, mainly because a large portion of it involves assembly language. It’s not all using and abusing the MOV instruction. It’s a lot more about people. And what you have to do is you have to talk to people about their business and their needs. Because if you force security on people, people are gonna fight back. And that’s been a concern that I’ve had when I go into organizations is people are used to security as being the really, really draconian people who say, “Thou shalt not.” They’re not the ones sitting there going, “I understand your business. Let’s talk about how we can get what we need done, get it done as part of your business, and make it so that your people can understand actually what’s going on.”
0:05:15.8 MM: That’s totally right on as far as I’m concerned. The idea of the security person as the technical person is such an overused trope, and it’s so wrong. We’re not solving technical challenges, we’re solving business challenges and culture challenges using technology sometimes.
0:05:31.2 MP: Absolutely. And again, not to say I haven’t written my fair share of assembly back in the day, because I have. And I just think that there’s a lot of people that come into this industry, they come in guns blazing, and they burn out very, very quickly because of it. And there’s a lot of really technical people that, because they’re good at security, end up in this role. I know, because I was one of those people. And it took me a couple of years to get out of being very, very overly-technical and more about realizing most of the technology issues we deal with are not with the technology, they’re with how the heck you’re managing it.
0:06:13.3 MM: You talked about that root cause analysis and out-of-date software. Especially in healthcare, that’s an endemic problem, right? Especially medical devices that have a useful life of 20 years and that are running operating systems that had support for 10 years of security patches. It’s like one of these things is not gonna work out very well. Right?
0:06:32.8 MP: Oh, absolutely.
0:06:33.6 MM: If you stop patching it after 10 years. How do you deal with that, as much as anyone can deal with it, in your role?
0:06:40.2 MP: The realistic thing you have to do is it’s not just the hardware, it’s also the software. A lot of healthcare organizations are not as evolved as they need to be with operational budgeting. And I learned this in business school. I was one of those people that decided, “Hey, I’ve been in this role for a few years, how about I totally mess things up and get myself an MBA?” The justification I gave to my boss, the CIO at Temple Health at the time, was, “Hey David, I need to learn how to have a conversation with you.”
0:07:12.7 MP: And it was the truth, because the leadership team at the time, I was one of two non-MBAs on the leadership team. So when you started taking a look in there, and one of the classes that really got my attention was finance, because finance started talking about five year ROI projections. And I started realizing that every five-year ROI projection they were talking about, nothing included technology or operational maintenance. And I extrapolated it and started taking a look at some capital budgeting requests people were doing and started taking a look at what I was seeing across the industry, and it was an endemic problem. And I always remember also another class I took of Professor Jaganti at Temple and it was a strategic management class, and you had a group of the millennials I was in class with all talking about, “Hey, IT is just a sunk cost. IT is IT.”
0:08:05.9 MP: There’s this inherent assumption in the business that IT comes… It’s just there, and that IT will just do it for you. And what that means is that people put systems in place thinking that security will just be added on by the IT people, because IT takes care of my Windows. Literally, I’ve heard words like that come out of my customers’ mouths. So what you have to do is educate more about the operational cost, return on investment, and that’s, “No, cutting out the IT portion and security portions of the operating cost just to increase your percentage increase in ROI is not going to help you. Matter of fact, it’s going to be much worse later on should you have a security issue. And the next thing you know, you will be paying double the cost of the system in the first place to bring in a company like CrowdStrike to help you clean up.”
0:09:08.1 MM: You go instantly negative on any ROI calculation as soon as you account for the potential expected loss, right?
0:09:15.1 MP: Absolutely. Unless you’re running some massive, massive electronic medical records system, a data breach on a system is an automatic negative ROI.
0:09:25.2 MM: I don’t think many business leaders, even today, even with all the focus on cyber in the last 10 years, I don’t think many business leaders get that. And I don’t think that they easily calculate out the expected negative value of, “We are gonna get breached at some point in the next 10 years, we have to calculate that in as part of our ROI calculations, at least in some way.” But it’s easy enough to say, “Oh, I’m not gonna get breached, so that number is a zero.”
0:09:51.2 MP: The model a lot of American businesses take, especially the public ones, is more about reducing the expenses not directly related to production of goods by transferring risk and transferring liability to third parties. So you see a lot of that; and therefore, a lot of people, they… I mean, because the model in the rest of the business is to transfer risk and transfer liability out of the business, IT and security are just going along for the ride.
0:10:22.3 MM: Yeah. But unfortunately, cyber insurance is not yet an effective transfer of risk in most places.
0:10:27.5 MP: Cyber insurance is not an effective transfer of risk, because the cyber insurance companies were giving it out. Now that they’ve become significantly more restrictive and requiring companies to actually do due diligence, that is a good sign. However, I think the best improvement that I’ve seen has been Moody’s. Moody’s, the big credit rating agency, has a cyber questionnaire they’ve been giving out to the companies they rate.
0:10:57.9 MM: Interesting.
0:11:00.7 MP: Talking about their security posture. I actually spoke with one of the people that works on it a few weeks ago. And that is more of a direct impact, because if I go to a CFO and say, “Insurance company,” you might get their attention. If I go and say, “Moody’s,” one thing I learned in finance class is that the interest rate at which companies can borrow money from the bank is directly tied to their credit rating.
0:11:25.7 MM: You bet.
0:11:26.5 MP: And if that credit rating lowers because of a data breach, you blow apart people’s financial projections, then suddenly the cost of not doing due diligence is an eight-figure loss. That’s how you get people’s attention, is, “You can either do this, or you can potentially affect your credit rating and your ability to borrow money from the bank.”
0:11:50.8 MM: And suddenly, the CFO and CEO are paying attention to cyber issues in a way that they never could have before, because you’re speaking their language.
0:11:57.8 MP: Absolutely.
0:12:00.0 MM: Right? That’s so fascinating. I hadn’t heard that about the Moody’s stuff. I’m gonna have to check that out. That is a game changer. You’re right. And especially if that catches on with all the other rating agencies and things like that.
0:12:09.5 MP: Oh, absolutely. In healthcare, though, it is Moody’s. Because literally, if a health system’s credit rating changes, it’s front page on Becker’s Hospital Review.
0:12:20.7 MM: Right. Yeah, absolutely. It hits every one of our inboxes in that morning. Right?
0:12:27.2 MP: Mm-hmm.
0:12:27.8 MM: I wanna go a little bit of a different direction for a second, ’cause something that I think is so fascinating about your role is you’re at an academic medical institution. And I think that people don’t often think about what that means from a security perspective, but in academia, there’s a lot of openness and free sharing of information and things like that that probably make your life more challenging than most. So I’d love to hear if you have thoughts on that.
0:12:50.9 MP: Absolutely. So academia, actually, it’s double-edged. First of all, the academic health centers tend to be the ones where the most specialized doctors are at. So you’re gonna have the latest, most cutting-edge things. You’re gonna have medical equipment that is really cutting edge. People go to academic medical centers because when you’ve got the latest and greatest, I mean, I’m very sad to say the patients that need it the most are going to go to the place where the cutting-edge treatments are; specifically those that have cancer, specifically those with very rare congenital diseases. So we have the need to make sure we secure things that, honestly, the rest of the industry hasn’t even seen yet, or literally it may be the first or second time it’s been used outside of a vendor’s lab. So literally you’re writing it as you go along. And also, in addition to that, you have significant data requests which you have to make sure are appropriately de-identified and appropriately secured. And the greatest challenge we’ve had there lately has been with intelligent systems, because the intelligent systems are only as good as a combination of the algorithm and the data sets that they are trained on.
0:14:17.0 MM: Yep.
0:14:18.0 MP: And who has more data than large academic health centers? They want data for AI. And if there’s been a vendor out there that’s been selling a large-scale AI solution on the market, we’ve probably talked to them. And part of their goal is they want access to data. And I think Mayo Clinic has done some incredible work with federated learning with Google, for example, with being able to perform these calculations without revealing the actual data. And IBM has done some incredible work. Again, they’re publishing papers left and right on homomorphic encryption. We have significant challenges, because again, you’ve got to make sure everyone who wants your data, and that’s a lot of people, they really have to secure it.
0:15:05.6 MP: They have to understand why you’re doing things the way you’re doing it. And with us, we have to be completely transparent about how we secure items, because I literally have people coming to us with technologies that I might have only read about in TechCrunch. Or literally, I’ll get something going, “Oh yeah, check out this pre-print paper.” And we have to figure out, “How are we gonna secure this, because this is unlike anything else we’ve seen in the industry?” So that’s the challenge of it. That’s why I like working here as opposed to other places, because I get to help solve problems that a couple of years before I didn’t get to see anywhere else.
0:15:50.2 MM: Something that I think is interesting about that is, how do you do that? Because, in my experience, those new technologies are also the ones with probably the least security discipline put towards them during the development, ’cause they’re just trying to get the new algorithm or new radiology device to market. I’m sure they’re going through all the FDA-required threat modeling and all those things, but at the same time, it’s not like that’s been in market for 10 years, and they’ve got 10 years of patches and upgrades to fix all the vulnerabilities that they probably wrote in the code as they were developing it. Right?
0:16:19.7 MP: I would actually say there’s been a significant sea change in how medical device vendors have been developing, at least the larger ones I’ve been dealing with. So I also do some work with IEEE on the side. I’m a co-vice chair of IEEE P2933, trust, identity, privacy, protection, safety, and security for the Internet of Things. I speak with the engineers from many of these vendors, and cyber security is now a tier one issue at some very large vendors. I’m not cleared to say any of the names, but I’ve spoken with principal engineers at a number of these companies, and everyone is talking about security. And the one I’m gonna talk about… Well, Michael’s no longer there, is Philips. Michael McNeil, when he was there, he got the…
0:17:09.1 MM: He’s great.
0:17:11.1 MP: Oh, he’s great. He got their development process, it was one of the first companies. They were one of the first companies to get their development process certified by Underwriters Laboratories. So I actually went to the point of speaking well about the work that he did. It’s incredible. I mean, that’s a company that’s done some incredible work. And there’s a few others that have really been there and started pushing it through their entire product process. Obviously, it’s gonna take five to 10 years for the rest of the industry to see what they’ve been doing, but cybersecurity is a big concern of theirs because, literally, I had the principal engineer from one of the largest medical device companies tell me, he goes, “The last thing we want is a patient safety issue because of cyber security.”
0:17:53.7 MM: Yeah. It drives a lot. And really, it was the FDA pre-market guidance in 2014 that got religion for a lot of those folks.
0:18:01.1 MP: Oh, yes. And we’ve talked to Dr. Schwartz. Suzanne is awesome.
0:18:05.9 MM: I know. Suzanne is one of my favorites. I don’t know if you know, Mitch, I actually used to be in charge of pre-market security at GE Healthcare.
0:18:11.5 MP: Oh, awesome.
0:18:12.6 MM: So I was on that side. I actually got to know both of those folks when I was at GE, ’cause we interacted with the FDA all the time, and obviously I saw Michael at all the various meetings that we all had. I love that space. And I love those people.
0:18:26.1 MP: And again, I can tell you, when I go to DEFCON, who do you think I see there?
0:18:30.9 MM: Right. Have you done things with the Biohacking Village folks?
0:18:34.7 MP: Yes, actually, last year I moderated a panel with Michael McNeil, Rob Suarez from BD, and Florence Hudson, who’s the chair of P2933.
0:18:45.6 MM: That’s a great group.
0:18:48.0 MP: Oh, yes.
0:18:49.5 MM: Man. Now, I gotta go back and watch the recording of that panel, it’s probably on YouTube somewhere, yeah?
0:18:55.6 MP: Yes, it is.
0:18:55.7 MM: We’ll link to it in the show notes for anybody else, ’cause that’s a sort of Murderers’ Row of awesomeness on that panel. So with that, I wanted to take a couple of minutes and maybe we can geek out a little bit about something that we both have ranted about at various times, which is, especially in healthcare, the sales tactics of our entire industry. One of my least favorite ones, and I think one of yours, is when security vendors don’t know what HIPAA stands for. How many times have you seen that one misspelled? The one that’s been bugging me lately is how many times I hear people call it personal health information, PHI.
0:19:31.4 MP: Oh, yes. It’s not the content as much as the delivery method that I’m getting. And again, a lot of my really good friends in the industry happen to work in sales, and they happen to be incredibly great at sales, and they’re getting upset because it’s giving them a bad name.
0:19:50.6 MM: What do you mean? Just the blitzing of emails, the overwhelming set of LinkedIn requests, or something else?
0:19:57.3 MP: So I look at it as a combination of literally the email, the LinkedIn requests, the phone call asking if you got the email or LinkedIn request, and the people sending you information thinking that you don’t do risk assessments, or the people that haven’t done their homework. I mean, somebody sending me an email going, “Hey, did you see this about HIPAA risk assessments?” And I’m sitting there thinking, “If you had spent five minutes Googling my name, I’ve written textbook chapters on how to do HIPAA risk assessments. I have a book coming out on how to do it for mobile.” And it’s also, what I don’t like about it, is a lot of it, it’s just kids out of college, and you know that there’s somebody behind them literally throwing these people to the wolves.
0:20:51.2 MM: Yeah, absolutely.
0:20:52.0 MP: And it’s a lot of bad sales leadership, because these are… Again, these are really nice people. You take a look at some of these people, I mean, I got nieces and nephews their age. And I hate seeing young people like this being told, “This is how you sell to people. This is how you build relationships.” And what ends up happening, it makes the companies look bad, it gives these people a bad impression, and it gives others a bad impression of them. That’s not leadership, what you’re teaching these people. What you’re doing is you’re basically churning them out and throwing them away, and you’re discouraging them from a career in technology, or a career… Any kind of meaningful learning. And to me, that’s just disconcerting. It’s not that I don’t like vendors, it’s I don’t like a lot of the tactics that a certain very few use that just annoy the crap out of people. And, more importantly, they really put these young people at a disadvantage.
0:22:02.0 MM: I think a lot of the time it comes from a lack of understanding of what the other side is like. I find very few sales leaders that have not spent time on the other side really get it. And all the best sales leaders that I’ve ever met who understand how to reach out to a guy like you, or a guy like me when I was in the CISO chair, are folks that have spent time on the other side as a potential customer. The folks at Scope will never do that. We will never have that kind of sales tactic, because it would drive me nuts if I was the customer on the other side. And so I’m just like, any time somebody comes close to a line like that, I’m just like, “Nope, that’s not what we’re doing, ’cause I’ve sat in your chair.” And I think more of us need to be like that. We need to have more of our sales leaders, and especially those young folks, not just get experience on the sales side, but also live on the other side and be sold to for a little while, ’cause I think that’s what gives you the empathy to make good sales decisions. It’s just my opinion, but I agree with you, those folks get taught that that’s how it is for five years, and then they become sales leaders, and they do it to other people.
0:23:06.4 MP: Absolutely. Meanwhile, the best people I know that work in sales are the best relationship managers that I know in the business.
0:23:15.4 MM: Absolutely. And the good ones are like gold, right?
0:23:18.3 MP: Oh, absolutely. They’re not going anywhere.
0:23:20.8 MM: Yeah. Well, and the secret to that from a sales perspective is you’ll be their customer, whoever they work for and wherever you work, if they do the relationship management right. It’s not about annoying you, it’s about creating this long-term bond that comes with trust.
0:23:35.5 MP: Yes, it is. And I’ll tell you, I worked as a consultant for a few years before I became a defense contractor. I did sales. But I will tell you this much, I did more listening than I did trying to bombard people with a bunch of information in 30 seconds. And I didn’t read from a script. I understood my customer’s needs, they told me what their needs were, I understood, and we worked on something, and I didn’t have to advertise.
0:24:05.7 MM: Right, exactly. Because they knew that you were there to help them, not just for yourself.
0:24:11.7 MP: Absolutely. And I cannot emphasize that enough. It’s basic relationship management, understanding needs and not trying to make something fit a customer that isn’t a fit.
0:24:25.5 MM: Totally, totally. With that, Mitch, I know you’re a busy guy. I wanna let you get back to being the CISO of IU Health and get back to your day, but thank you again for coming on. Where can everybody find you? Where are they gonna see your talks this year? Where do they find you on social media, all of the like?
0:24:42.1 MP: So I can be found on LinkedIn, obviously Twitter, @MitchParkerCISO. And also, let me see, I’ve got Signal, and I’ve also got my email [email protected] So not afraid to have people reach out, and again, I really do love working with people. And, more importantly, I really enjoy the collaboration I’ve had with a lot of people across healthcare. So bring it back with an example, you worked at GE. I know two people you worked with at GE who I still talk to on a semi-regular basis, because it’s a small industry, everyone talks; and more importantly, we have to collaborate with each other, because the scope and scale of what we’re dealing with requires us to do so.
0:25:30.0 MM: Absolutely. With that, thank you so much for coming on. When your next book comes out, we’ll have to have you on again. And we’ll have to do this again sometime soon. I’m looking forward to it.
0:25:38.5 MP: Awesome, man. Thank you so much for having me.
0:25:42.7 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify, or Stitcher. And if you have ideas for topics, guests, or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Mitchell Parker, CISSP, is the chief information security officer at Temple University Health System (TUHS), a four-hospital, 1,000+ bed clinical enterprise with annual revenue of over $1.4B. He specializes in the areas of: information security, incident response, education/training, policies/procedures, configuration management, and network infrastructure. He works extensively within the IT department, with the Office of Counsel, Human Resources, and multiple other stakeholders, and believes in an inter-departmental approach.