Security specialist Tom August on how to protect the healthcare industry despite pressure from budget cuts
Defending the networks of a healthcare system used by millions of Americans might not be the obvious career path for a trained accountant.
Tom August was a self-confessed “science geek” with a background in finance when he first discovered cybersecurity.
August was working in IT auditing in the early 90s when he was asked to perform a pen test for a Department of Defense contractor. He’s been hooked ever since.
Fast-forward to 2019, and August has been working as the chief information security officer (CISO) at US healthcare organization John Muir Health for more than four years.
John Muir, which serves 2.5 million patients across the San Francisco Bay Area, provides preeminent centers for neurosciences, orthopedics, cancer care, cardiovascular care, and high-risk obstetrics.
With fresh healthcare data breaches and cyber-attacks now a seemingly daily occurrence, the issue of security has never been so crucial for medical centers around the world.
August’s role has seen him build security policy and procedure from the ground up, focusing on assessing and reporting technology risk and HIPAA compliance matters, as well as raising employees’ security awareness, both in the workplace and at home.
The Daily Swig spoke with August about the triumphs and challenges he faces daily as a healthcare security specialist.
Could you outline your day-to-day responsibilities in your role as a CISO in the healthcare industry?
Tom August: The responsibilities of a CISO come in many forms and flavors. First, you need to understand that you’re only as strong as the team you lead. Developing talent and providing clear direction is paramount.
Also, consistently bringing technical knowledge, industry perspective, and skilled resources to projects and initiatives helps to demonstrate tangible value to your stakeholders.
One of my biggest responsibilities is to educate and raise awareness, not just of security risk but also how the healthcare system can work better with process improvement.
Another responsibility is to actively assess the risk to the organization at both the technical and the strategic level. And I try to do all of that in a way that enables trust.
Listening more than talking, focusing on facts, pausing before taking action, being transparent, and staying cool, calm and collected under pressure are all factors that build and grow trust over time.
A CISO that doesn’t build and grow trust is going to fail.
What challenges and successes have you seen in your time as CISO?
TA: First, we have raised awareness about security and what it means. My philosophy is to have honest conversations about risk in terms that people can easily understand. It doesn’t need to be overly complex. I don’t believe in FUD [fear, uncertainty, and doubt] – only facts.
We built a cybersecurity education program for the health system staff. We update articles on the intranet every week, we do roadshows for teams and departments talking about cybersecurity topics, we give rewards for reporting phishing. We’ve tried to make it really interactive, easy to understand, and relevant so people can also apply it outside of work.
The biggest challenge for healthcare CISOs today is helping organizations understand, prioritize, and manage risk while under extraordinary financial pressure.
Everywhere you look there are closures, consolidations, and practices shutting down. Healthcare providers are under financial pressures that we’ve never seen before.
What can a healthcare CISO do to improve the security posture of a facility at little to no cost?
TA: Understand the risks you face as an organization. Compliance is important, but it’s not a substitute for a real risk-based approach. Secondly, align with the business.
Get as involved with the business as possible – understand how money is made, the workflow, know about hospital and outpatient operations. When you understand their priorities, concerns, and needs you’ll be much more successful. Finally, don’t be afraid to engage your vendors.
They work for you and are here to help solve problems. Be very clear and ask them to help you with the solution. If they aren’t helping in measurable terms, consider changing vendors.
And what would you advise if cost weren’t an issue?
TA: From my perspective, merely throwing money at security doesn’t make a company secure. The budget you manage should directly align to the risks identified during the risk assessment, and projects and initiatives should be implemented to address them.
The best thing that CISOs can do for the security of their organization is to understand and effectively articulate the problem that they are trying to solve. If you can’t articulate the issue, or the vendor doesn’t understand it, no shiny product in the world is going to solve it.