Some CISOs are in charge of ensuring the data and IT security of one hospital, some, that of a health system. But for Heath Renfrow, the CISO of Army Medicine, the scope is geometrically larger. He and his team oversee data and IT security for more than 48 hospitals, 600 health clinics, 121 dental clinics, and 100 veterinary clinics, across the globe. In addition, his portfolio encompasses data security at the Army Materiel Command out of Fort Detrick, which engages in disease research, as well as at other sites around the globe that do data research. Indeed, it turns out that Army Medicine is the largest single healthcare provider in the world, at least of its type, providing care for the 120,000 personnel in Army Medicine. Renfrow is based at Fort Sam Houston in San Antonio, Texas, where the team’s immediate area of focus includes San Antonio Medical Center (formerly Brooke Army Medical Center). But of course, the team is managing data security at the 48 hospitals and hundreds of clinics of different types, all around the world.
And though Renfrow has 1,200 cybersecurity professionals reporting to him, that number is quite small relative to the number of sites of care involved. Renfrow spoke recently to Healthcare Informatics Editor-in-Chief Mark Hagland regarding his team’s work, and some of the challenges and opportunities involved. Below are excerpts from that interview.
How would you describe your portfolio and what you do?
Outside all of the challenges that every CISO faces, I also have to worry about the political landscape of the world. For example, if you look at the situation around North Korea, it was a task for us to prepare in that we have a hospital in Seoul, Korea, and hospitals in Japan and Hawaii. And so, for example, what is the egress route for troops, in the event of the need to evacuate them? We had to do robust red team penetration testing at the sites. And from there, we started practicing our incident response plans, which don’t just include IT, but also contingencies in the event of loss of power and electrical grid; and bringing doctors back to paper, if necessary. So we had to put a lot of things in place with regard to our incident response plans in all this.
You have 1,200 people working for you—is that a lot?
Well, 1,200 spread out across all that territory, meaning globally, isn’t really that many people.
Is it enough if the people are deployed in an optimal fashion?
I would actually say that our sites do not have enough manning. But the proper prioritization of our mission requirements is what we determine our performance from. We’re very challenged in DoD (the Department of Defense); and we can’t afford to compete with the private sector, salary-wise. So I spend $2.5 million a year on training our own people—cyber professionals and administrators. They’re aware of the current landscape of cyber, but are also getting more education. That’s really the only way I can compete. And if they’re interested in another field or another area of cybersecurity, I try to give them opportunities. Still, we are extremely under-manned; we’re reliant on budgets from Congress.
You have to think very broadly about cyber-threats, of course?
And people in the U.S. have to worry about cybercriminals everywhere. And we’re worried about human life. And I have to look at who the U.S. is not friendly with today. Imagine an adversary being able to access your HVAC system and then shutting it off, and they take control of your automatic doors and lock them. It’s scary. And we put those kinds of scenarios into our plans and try to execute on all different scenarios. And that makes us a little bit unique; but I think that civilian hospital and healthcare leaders should be thinking this way, too.
How do you keep up with the latest trends?
When it comes to threats, luckily, I’m part of the Department of Defense, so with regard to the NSA and US-Cybercom, you get the word. And that’s extremely helpful. But I still use threat intelligence information from Homeland Security, the FBI. And when WannaCry broke, I wasn’t concerned about WannaCry, because truthfully, there’s no money to be made in attacking the Department of Defense. And we felt secure, because we were aware of EternalBlue when the news broke. And in terms of technology, I’m not really a big technology guy; I’m about the people. If you have the right people, and architecture, and board leadership, that’s so important. Tools are great, but you need to know how to use them. My biggest concern is a sound cyber program. Cybersecurity is a people issue. And it’s not about the CISO; it’s your leadership and board, and business owners.
What’s the cultural change that needs to take place in military healthcare?
When I first got to Army Medicine, I wanted to find out what the phishing success rate was. We were at a 45 percent rate—45 percent of the time, users clicked on the phish. So that was the percentage I went off. We procured a pretty well-known company that works on phishing, with a famous hacker. And when a user does make a mistake, we’re alerted, but the user gets a video. And that expert gets that video. And it’s a friendly video. So we went from a 45-percent rate to an 8-percent rate, between October 2015 and October 2016—the start of two succeeding fiscal years.
And on top of that, I did not like the cyber-awareness program that had been in place. So we implemented a robust cyber program including phishing education, and we send out newsletters weekly, and we monitor consumption of the education. And they’re military websites, and they’re secure.
And we’re focused not just on employees, but on their family life. Think about it. If you compromise a family member, and then the family member asks the employee to plug a USB into a port, right? And we worked with the University of Texas-San Antonio to create an executive-level training course. We had a three-star general attend the training as well.
What was included in the high-level training that was different? They’re obviously very smart people.
Yes, they’re very smart, but also busy. My three-star general is a doctor, so she’s extremely smart. But she’s also extremely busy. And is she an IT professional? No. And one leadership training tactic that’s big in the military is the phone game, where one person in the training whispers a story to another person, and it inevitably gets twisted along the way, through the room. And even though we’re DoD and the military, everything’s about a bottom line in dollars. And equipment and service cost x number of dollars. And it came out to 38 cents per person to provide that training. And those are the key points with the leadership; they’re all very smart, but they think that cyber is a “geeky” thing for IT people. So it was amazing the first session of the course; you isolate them from the rest of the world for six hours of training, and it’s at a high level. It’s not technical. And the lightbulbs go off in their heads. And that can work in any type of organization.
What should our readers be thinking about now, in the context of what you’ve shared here?
They need to start working on relationships within their own organizations, having weekly discussions about all of this. Cyber affects everything. Think of even janitorial and housekeeping staffs, which make use of electronic timecards. It’s all about the internal relationships. They need to stop treating IT as an “extra expense.”