Esmond Kane
CISO
Steward Health Care
May 2020
COVID-19 has been the ultimate business disrupter, and no industry has felt its force more than health care. As CISO of Boston-based Steward Health Care, Esmond Kane must empower his organization to deliver care, securely, in an era of remote work and digital transformation.
What follows are highlights from a recent interview with Kane, edited lightly for context.
I read that Massachusetts will be hit harder than most states, and health care is being hit the hardest. Steward is a multi-state and international company, but how will these factors in Boston affect the overall business? How is the executive team responding & preparing for a recession?
Boston is likely better prepared than other locations, both out of sheer necessity and as a result of our industry concentration. We are the nation’s premier Healthcare and Academic center, a large IT and startup community, and with a large urban population some of which is comprised of international students. It’s been both hazardous and beneficial to be in Boston recently!
Steward was the first in the US to dedicate an entire location, Carney Hospital, to the pandemic. Our leaders were phenomenal; there was a concerted, multidisciplinary effort to treat COVID-19 patients while also preparing the multi-state workforce for an increase in demand and changes to how we operate internally. Our response ran across the spectrum, answering queries and concerns from our patients, handling logistics around ventilators and PPE (personal protective equipment) supplies, preparing our workforce to work from home and above all, the necessity to collaborate and communicate.
Healthcare has jumped into action. As an industry we have had to pivot some strategic plans to accelerate telemedicine and telehealth and to scale our cloud services. We’ve been greatly helped by some pragmatic measures taken by our regulator, OCR (Office for Civil Rights). We had to deal with a revenue impact, a lot of elective procedures were postponed, and we must plan for an extended downturn or recession. Some of our costs have increased exponentially as we’ve had to negotiate the necessary but challenging digital prioritization exercise.
What has been your biggest challenge as a CISO in this crisis?
I like to say that “shortcuts have sharp edges.” We must ensure we make educated decisions based on risk, to avoid arbitrary self-destructive ones. Security must help the business handle the immediate tactical necessity. We must focus on the strategic security vision – to advocate and educate for best practice. Believe me, the bad guys are not taking a break and will try to capitalize on any oversight.
I believe strongly that business leaders are overcoming the perception that Security is an afterthought. One lesson from COVID-19 is that IT and Security are now enablers and being sought for their creativity and innovation.
Beyond scaling up and improving your security posture, has Steward been able to push through any other projects? Are you thinking about security’s role in the future of digital transformation?
Even when we consider Federal efforts like HITECH and Meaningful Use, COVID-19 has done more for digital transformation than CISOs and CIOs have in the last 10 years. I hope we can continue the momentum of positive change and mitigate any negatives.
Without going into too much detail and providing a roadmap for the bad guys, the projects that we’ve accelerated have been to support SaaS-based telemedicine and telehealth, for remote work technologies like VPN, endpoint hygiene and MFA (multi-factor authentication) improvements. These are the areas where I’ve seen pervasive acceleration across the industry. In the future, there’s a great opportunity to stitch these together, especially with conditional access and continual validation, into a Zero-Trust effort.
Are there ways you are reducing costs?
It’s a lot of “back to the basics.” Work directly with your existing solutions and vendors to optimize and extend where you can; this will also be of great benefit in any long-term impact assessment or recession planning. Revisit if a best-of-suite makes sense instead of a best-in-breed. Think if you can help your procurement and supply chain departments identify potential consolidation and cost-saving opportunities by leveraging your third-party risk assessment trove.
Be wary of some of the vendor enticements, the pilot overload – right now, projects need to have a solid return. As much as CISOs should be very miserly with their time and conscious of work commitments, it’s even more important now. One thing I miss is the ability to go out and network with fellow CISOs. Evanta has been a huge resource for this, to help combat vendors over-promising and underdelivering, so if anything, relying on your network to break through the noise is more important now than ever.
What are some things you’re doing to keep your staff motivated and engaged?
Acknowledge the work they do, that they may be working long hours in isolation or handling issues in the home. Be empathic. Your team may be accustomed to a level of remote work, but now you need to be conscious of external reality and to communicate that it’s okay to deal with children, barking dogs and more. We are all now that BBC reporter with his toddlers barging into his news segment. Work in the home is now something you need to include as part of your work/life and talent management strategy. I’ve encouraged people to use collaboration platforms for more than just work-related activity, but to also focus on team building, a virtual “Water-Cooler” or “Happy Hour.”
We’ve historically taken some traditional approaches for data-leak containment for the remote workforce with VPN posture-assessment, endpoint-agents, proxy-filters, file shares and email inspection. Now that we’ve had to accelerate some collaborative tooling, we’ve really taken advantage of sharing information through these channels in a much more coherent and enjoyable format. Hopefully that’s also integrated into your DLP and threat management. We also need to be conscious of the potential for insecure home-remedies and Shadow-IT.
Any last words of wisdom?
In the Post Pandemic Review, history will favor what you did to be resilient and to mitigate risk. Survival of the fittest isn’t necessarily those who had the best-laid plans; it’s those who were adaptable, flexible and more able to respond to change as the nature of the emergency became apparent.
Now that IT is critical to the delivery of healthcare, please collaborate with your business leaders to demonstrate the true value of security during this crisis.
Lastly, don’t forget your staff, be empathic and human. Roll with the changes and overcome.
Special thanks to Esmond Kane and Steward Health Care.