This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack the Podcast: Building a Security-First Culture in Healthcare IT with Steven Ramirez
Drex DeFord: I'm Drex DeFord, President of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.
Let's get started. Hey everyone, I'm Drex. Welcome to UnHack the podcast.
I have Steven Ramirez with me today. Hey, Steven.
Steven Ramirez: Hey, Drex. Good to be with you.
Drex DeFord: Tell us a little bit about, uh, about your job and where you work and, uh, all the good things.
e with you again. Kicking off:
Steven Ramirez: We have four hospitals in the area. We have a health plan that we recently, um, did a partnership with Kaiser, which we'll back into a little bit further on, to create Kaiser, uh, Nevada. So some exciting stuff on that. Lot of fun work with that going on as well. And a lot of other cool stuff going on.
I am our CISTO, so Chief Information Security and Technology Officer, although I'm saying my T's getting smaller by the day. Um, because we do have some other leaders, because I used to own everything across the board and, um, now we just have Service Desk, Microsoft, ServiceNow, IT governance and of course security and all those components.
So still, yeah,
Drex DeFord: interesting.
Steven Ramirez: Still a little bit of other technology, but
Drex DeFord: As we do the, the CISO summits and we do, uh, other events together, um, I see more and more of that kind of stuff happening. Uh, the CISO, the CTO come together, also the CISO-CTO, um, ascending to the CIO job.
een speed and innovation and
Steven Ramirez: Well, it's a lot easier when it was just me fighting my internal demons.
Drex DeFord: Ah-huh.
Steven Ramirez: But we set up a, we just created an enterprise architecture vertical. Um, and we also have some other functions, um, because we're going through a big databricks build out in the cloud, which I know we'll probably touch on a lot of the components to that.
So creating, basically, a cloud security program overnight. But, um, I think that goes to your CIO and your overall organizational risk tolerance and appetite, that here at Renown security wins. So we just have the mindset of security by design. So, um, what's really good about me having a lot of the team until we started to reposition it into like the rightful towers that it should have, is that everybody still has that mindset.
t we don't have politics. We
Um, but yeah, we, um, again, I think that just goes to our overall just risk view as an organization that security always does take precedence, but instead of being the department of no, um, it's how, like, we've gotta be at the table, be able to negotiate, do a lot of different components. Not, not be obstructors, but.
A lot of that could just be done with good governance. So I think that we do a good job of that, that makes those awkward conversations down the road a little less frequent. So
Drex DeFord: that was the, so I know you've got a good boss there too. And so talk a little bit about kind of the power of a good boss and how having somebody like that who has your back, who helps drive the prioritization, turns out to be a really big deal.
Steven Ramirez: e he's very passionate about
I sent an update out from a lot of the various sources, a lot from our friends and our group chats, um, to legal, compliance, Chuck, marketing communications and all that, and of course getting some great feedback. We ended up sending out an organizational-wide message on some different hygiene.
But it's just, just having those relationships that we've built over the years that just makes Chuck's job easier when I have those other partners, like my chief compliance officer, um, who's become one of my good friends and partner in crime on that, because again, it's easier to have them.
We now have, um, an enterprise risk management vertical. So have that being built out as part of our thing, a dedicated leader to that because we're doing a lot more self-insurance internally. So again, having more skin in the game. So like if we're looking at like things like, um, for example non IT supported applications, I brought it up to my.
So, um,
Drex DeFord: yeah.
Steven Ramirez: So, um,
Drex DeFord: yeah. The, the, when you, so, uh, kind of thinking about all of this, great connections, great relationships, building those bridges across different departments. Uh, there have been a lot of major breaches, a lot of crazy things have happened in the last few years.
Uh, tell me about how that. Those events and the work that you're doing, how does all that arrange into conversations with the board? What are conversations with the board like at Renown?
Steven Ramirez: So we just did our, we do quarterly updates, um, that roll up to our audit and compliance of the board. So we have our board steering committee that oversees all audit and compliance matters.
So I do that.
Um, so a bad guy was able to get that number and try to call around to then call our service desk. But we have controls in place that we're able to thwart that. But it's just showing you really the importance of that we have call recordings, that we can then show how calm and collected these people are trying to talk to service desk agents.
Mm-hmm. And that really helped drive our, um, investment and initiative with Clear. So saying that, we have a great process at verification now, but it's really getting to the necessity of having that next step for, um, ID verification. Um. God bless my friend Jim Bowie. He's, we say he is the founding father of a lot of those processes.
Drex DeFord: Yeah. Yeah. We love that guy.
Steven Ramirez: my team synced up with him
Um, and then just again, keeping it real. Um, and then really just showing them where our investments are, keeping them out of the paper, so
Drex DeFord: that, that call recording tidbit. Um, I've heard you talk about that before. Um, taking those calls, using those calls as training for people to listen to and then kind of have that like, this sounds like a real doctor.
This sounds like a real person who's really in trouble and needs us to reset their password. Like those things are really useful for post-game training activities.
Steven Ramirez: That's why we, uh, again, from talking to Chuck that, some other leaders might think Service Desk is a core tech, but we see that as a security initiative that again, you're trying to enter our organization, you have questions that we're gonna go through verification process.
ut you have to show your ID.
Drex DeFord: Yeah.
Steven Ramirez: And you go through security and then you have to show your boarding pass to get on the plane.
So it's like, it's no different from concepts that we're using in our real lives to really how we want to handle identity as an organization. So having real tidbits, um, we always say the, the close encounters. Um, I think those are great to really show not only your investments, but just again, that this is what guys are doing out there.
So we need to make sure that, we're. We're focusing in on those areas, especially with, 80% of, um, attacks being identity based, so.
Drex DeFord: Yeah. I wanna, I wanna ask about, um, resilience too. Uh, tell me, tell me a little bit about what you're doing. Um, the, the phrase sort of minimum viable hospital comes up on a regular basis when we're all together.
Uh, talk a little bit about your resilience planning and the work you're doing.
Steven Ramirez: really make sure that people
We know it's always very uncomfortable without technology.
Drex DeFord: Yeah.
Steven Ramirez: But again, it's doable. Um, and then that's gonna help us drive. Different investments in technology. We're doing a huge data center migration right now, so we're gonna have more of the high availability, um, and really focus on resiliency. So we've, um, made a big investment too on like data protection as well as data recoverability, um, with.
A good partner, I know, uh, Rubrik, for a lot of different tools on just having something in the, the black box, looking at the different layers. Layers from your 365 to your identity. And now that we've moved to CrowdStrike after all these years, there's some really cool integrations and plugins, um, that we're looking at this feature through Rubrik.
lly do a rollback to a point
That's really what's helped us move partners strategically to really see where we can do these various integrations that are a lot more favorable, um, to really trip up the bad guys sooner. So
Drex DeFord: So I have to ask about this because we can't have a show without talking about artificial intelligence.
Um, so tell me what you're doing with AI in your security stack today. And maybe what I'm really asking is what's real and what's hype, what's, uh, what's happening with AI and security today?
Steven Ramirez: Again, our, our CIO's great on us not being the, trying the first out of the gate to chase right objects.
g that, um, across the board.
And we're also kicking off an initiative to build out Databricks in the cloud. So I think that's gonna set up the layer for us to actually have true AI hype. Um, we're, we're working with DAX for our doctors. We're looking at it for nurses. So I guess the ambient component is there, and I think that's a very low-hanging fruit from an AI perspective.
Yeah. But also looking at other areas. I know that our, um, new EDNA leader and Chuck are going to some various conferences to start to look at like the Claude and other healthcare versions of that to see how we can use, um, that technology. It's come a long way on that right now. I mean, I have all of that blocked, to your point that we've set up guardrails.
u really enable the business
Um, CrowdStrike has an agent, we use Netskope that has a lot of different controls that we can go through. Um, and really again, I always say bumper bowling, we only want people to hit what they're supposed to hit.
Drex DeFord: Right.
Steven Ramirez: Um, but yeah, just, just having that out there with AI and us. Kind of being, I shouldn't say late adopter, but being more thoughtful and thorough on how we want to adopt AI as an organization that allows us to catch up from a security perspective.
That we're able to have security by design and a lot of these controls in place when we're looking at rolling this out. So
Drex DeFord: It's complicated. I mean, there's so many different, um, things that are coming at you. Is there, um, is there a framework that you use when you evaluate? End users coming to you with, I want AI this and AI that, and obviously the co-pilot stuff that you're doing.
How do you catch and prioritize and manage that? What's the framework look like?
Steven Ramirez: o we use an internal process
Drex DeFord: Mm-hmm.
Steven Ramirez: Um, so they'll look at really application rationalization.
That's where we do our security assessments. Look at the whole ball of wax of what this is and what value it's supposed to be bringing to the organization. Um, and before it gets out of idea phase, then we have to do an S four. So then that's presented at the President's council. They have to look at it from the, dollars and cents, but also like, what value is it bringing to the organization.
So I think good governance really helps us, just sets us up for success on looking at that. And everything has some kind of AI to it. So our, we initially set up an AI policy using NIST, using a lot of just other best practice on what we should and shouldn't be looking at, in partnership with our quality and safety as well as our compliance and privacy team.
anization and a lot of those
Drex DeFord: Hmm.
Steven Ramirez: So we're gonna really look at. The Epics, the Microsofts, uh, I'll just make up another name like the Yeah.
The CrowdStrikes of the world, like partners that we have relationships with, versus us having to go out and build it ourselves. So the whole build versus buy discussion that we've just really married up to that idea that we're gonna really focus on platform-based AI. So
Drex DeFord: We could do another whole show talking about build versus buy, but this idea too, we hear a lot of folks talking about, for the, for the partners we already trust, when they're rolling out AI components, we spend a little less time kind of worrying about those, or beating ourselves up around doing those investigations, compared to something brand new that's coming in that we kind of have to take through the whole process. It sounds like your governance process applies.
Steven Ramirez: Just another set of eyes is the way we look at it. So we have our Enterprise Analytics leader that will look at it and/or set the framework. So yeah, we're not gonna create a special, because if it's AI today, it's quantum computing tomorrow, and we'll just be trying to ever, like cybersecurity, the same focus that we want to kind of have an all-risk approach, so more of a holistic technology approach, that we just have strong governance and intake that we'll be able to really just shape.
What we're doing. So,
Drex DeFord: um, you, you talk about the value of these projects as they go through the phase gates and, what, what's the business plan, what's the value? So when you walk into the CFO's office, when you and your internal, uh, co-executive, internal partner on one of these projects walk into the CFO office, how do you, how do you frame those conversations and how do you talk about risk as part of those conversations?
Steven Ramirez: Our CFO
But I think that's really the importance of this intake process, that we're looking at all of these things, having these discussions. Then they're having that from the SBAR level as well, to have the value-based discussions as well. And we have enough different layers. We're all friends here. That's a great organization here, that we're able to talk through a lot of what is your strategic plan?
Um, what are we doing with these different components? For example, Databricks, we're bringing that out. We're building in Azure, so, um, I really didn't feel like I had the program I needed from a cloud perspective. So I got investment in funding to hire a cloud security architect that starts in a few weeks, where, you know, buying a Netskope plugin for data protection.
ould be treating on-prem and
So by being able to have those discussions when the ROI and SBAR are presented to President's Council and our leadership team, they know that we have those discussions from a security perspective. We have our tools, we have the people. We have our partners that ensure that we're successful in that.
So, um, that's just how you do there. It's about having partnerships, especially on these bigger projects. Um, and I think our intake process does a very good job of making sure that we just ask that blunt question on how's this gonna be supported? Have we looked at it from a security perspective? How's this gonna integrate, and what's the importance of data?
o machine learning, decision
Yeah. So we get that perspective that it's crawl, run, walk, fly. But you need to be able to do that well before we can do all these fancy things, but the other low-hanging fruit stuff, the ChatGPTs, the Copilots of the world, um, we feel comfortable with our controls and of course getting the HIPAA and healthcare versions.
So
Drex DeFord: yeah, that's good that the crawl, run, walk, fly, fly is the part I've not heard people sort of talk about. Where'd that come from?
Steven Ramirez: I heard that at a, I love that. I heard that from somebody else, I'm giving credit to somebody out there, but it's like, because we all talk about run, but it's like run. It's just like you're, we all wanna fly, we want to excel.
Drex DeFord: ompany. How do you avoid one
I mean, everyone in healthcare, CISOs especially, how do you avoid burnout? What are you doing with you and your team? What's the, what's your approach to that? How do you keep yourself from, there's always more work. How do you, how do you stay on top of it but not go crazy? No,
Steven Ramirez: that's a very timely question.
because we've been having some of those. Internally because if you have a leader like me that my foot just stays on the gas, I'm sending emails, I'm sending teams messages, and sometimes I don't realize the downstream impact that that has on my team on just what they generally have on their plate. So just setting up more discussions, um, being more flexible on making sure that people do work life balance, and then just making sure that people push back because I'm.
ciples that we don't want to
Like I'm all, we're gonna go with this tool. We're all in. We're gonna get to the finish. Make sure it integrates with everything. So I need to be mindful because again, everything's changing so quickly. Of course, I'm like boom, boom, boom, we need to do this. Just to be very strategic, not be overbearing.
And then remember to, um, push your team to take time off as much as you push them to go out and get the job done. So like we're doing, after our chat here, I'm taking my whole team out to lunch. We're making sure that we're just having a lot more personable time, having communications, because I think we live in a crazy world.
Um, and adding in just, go, go, go, um, all the time we're gonna see burnout. it's just, yeah, just as a leader, making sure that you don't add that, extra fire on what else is going on in the world. So,
Drex DeFord: Leadership lesson right now
What, what, what's one thing you see people doing that you were like, oh, I wish you weren't doing that. Like, I don't, let me help you not do that. What would that be?
Steven Ramirez: Well, I think buying too much without like a end goal. Um, like, and then like what we had talked about with integrations, a lot of what we were buying was.
To just build up, to be able to, drive maturity and didn't really have the vision till we were halfway along on, now we wanna make sure all these talks talk. If we're able to do a lot of these components want to do from an automation standpoint, we're gonna have to pivot. So I think just having flexibility, um, not trying to go too far into the future.
Um, like I always do three-year roadmaps, which I almost think we almost need to go to like year and a half, two years now. It's unbelievable how
Drex DeFord: fast things change. Yeah,
Steven Ramirez: yeah. Like sometimes you just get lucky, like I budgeted for cloud and all of this. I'm like, see, I'm Nostradamus. I knew we were gonna be lucky.
Um, so sometimes you
Um, and then if we do the fundamentals very well, we'll do very well. And now the fundamentals to me are identity. I'm going crazy in the identity space on a lot of different components that we're looking at, we're implementing. Um, because again, it's 80%, that's a lot of the grades I got in college.
So if I could just consistently get that college B, nice B, I feel like we're doing, we're doing well. And then the other areas are just good hygiene and vulnerability management, different automations, but everything's root cause is always, oh, the compromised account or this, this, or this.
So if we can get our more complex and our, a lot of our other pieces into the identity piece that I feel like we'll be doing very well as a health system.
Drex DeFord: because every time you say
Uh, just really quickly, like is there some clue that you have for everyone, everyone who's struggling with, how do we do identity better? How do we do identity hygiene better? What's one tip you would give folks who are trying to figure that out right now?
Steven Ramirez: Well, identity's very complex. Like it's almost its own program, and that's where we're trying to compartmentalize it under like cyber operations just because there's so many layers, from PAM to
MFA to, um, like you had said, the non-human identities and there's a different tool, a different process, a lot of different components that. Just because you have MFA doesn't mean you have strong MFA.
Just
mean, so that's again, like
But by us going with Clear, putting a big investment into that, can that get us into that two to 3% of knowing this is gonna better protect us? The human identity piece. Um, we partnered with Silverfort, which I heard from my buddy Nate made up at,
Drex DeFord: Oh, right.
Steven Ramirez: Yeah. So he's, and anything he, he's great on the needle.
I think he does a, I heard him speak at Vibe. He's, he's amazing for what he does for the, um, industry and
Drex DeFord: Totally.
Steven Ramirez: If he's using it, I'm, I'm very interested. So that's something that we've been looking at for the non-human identity side of the house, to kind of layer into your privileged access management, your MFA, to your, your CrowdStrike identities, to, like, the identity rollback.
anatomy of the attack. So we
Then can you go and does that account have wide open access? So, you know, just looking at all of those different components, and risk-based authentication then is another safeguard to that.
Drex DeFord: So don't try to solve world hunger. Yeah.
Steven Ramirez: So there's
Drex DeFord: like, the more you know, the more you realize that there are other problems you just kinda have to prioritize.
And
Steven Ramirez: the kill chain's just crazy in identity versus some of these other
Drex DeFord: Yeah.
Steven Ramirez: Areas like, zero days. We know vulnerability management and is it external facing? And then kind of stops there a little bit and then you go down to these layers we talked about. But identity is just, it's, I just envision that big mirror of dominoes, like if you don't think about this, this, and this.
e not going all the way into
Drex DeFord: right?
Steven Ramirez: It's a huge, huge project. That's where relationships, transparency, um, and use cases. Are really, really important. And then integration that we're setting up all these little niche components from an identity perspective, you sure as heck better know from an alerting and monitoring perspective.
Mm-hmm. What is what? And then just because this tool can block this, you need to have it talking and or integrated and this to stop that kill chain. So it's,
Drex DeFord: it is a, everything's connected to everything else. And that is, that complication is part of the part of the problem too.
Steven Ramirez: Yeah. So understand the anatomy of the attack and.
about. And something that I
Drex DeFord: Yeah. That's great. Um, hey, thanks for being on the show today, Steven, I appreciate it.
Steven Ramirez: Of course. Thanks for having me.
Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.
Together we are stronger.