Some CISOs are in charge of ensuring the data and IT security of one hospital, some, that of a health system. But for Heath Renfrow, the CISO of Army Medicine, the scope is geometrically larger. He and his team oversee data and IT security for more than 48 hospitals, 600 health clinics, 121 dental clinics, and 100 veterinary clinics, across the globe. In addition, his portfolio encompasses data security at the Army Materiel Command out of Fort Detrick, which engages in disease research, as well as at other sites around the globe that do data research. Indeed, it turns out that Army Medicine is the largest single healthcare provider in the world, at least of its type, providing care for the 120,000 personnel in Army Medicine. Renfrow is based at Fort Sam Houston in San Antonio, Texas, where his team's immediate area of focus includes San Antonio Medical Center (formerly Brooke Army Medical Center). But of course, the team is managing data security at the 48 hospitals and hundreds of clinics of different types, all around the world.
And though Renfrow has 1,200 cybersecurity professionals reporting to him, that number is relatively small in relation to the number of sites of care involved. Renfrow spoke recently to Healthcare Informatics Editor-in-Chief Mark Hagland regarding his team's work, and some of the challenges and opportunities involved. Below are excerpts from that interview.
How would you describe your portfolio and what you do?
Outside all of the challenges that every CISO faces, I also have to worry about the political landscape of the world. For example, if you look at the situation around North Korea, it was a task for us to prepare in that we have a hospital in Seoul, Korea, and hospitals in Japan and Hawaii. And so, for example, what is the egress route for troops, in the event of the need to evacuate them? We had to do robust red team penetration testing at the sites. And from there, we started practicing our incident response plans, which don’t just include IT, but also contingencies in the event of loss of power and electrical grid; and bringing doctors back to paper, if necessary. So we had to put a lot of things in place with regard to our incident response plans in all this.
You have 1,200 people working for you—is that a lot?
Well, 1,200 spread out across all that territory, meaning globally, isn’t really that many people.
Is it enough if the people are deployed in an optimal fashion?
I would actually say that our sites do not have enough manning. But the proper prioritization of our mission requirements is what we determine our performance from. We’re very challenged in DoD (the Department of Defense); and we can’t afford to compete with the private sector, salary-wise. So I spend $2.5 million a year on training our own people—cyber professionals and administrators. They’re aware of the current landscape of cyber, but are also getting more education. That’s really the only way I can compete. And if they’re interested in another field or another area of cybersecurity, I try to give them opportunities. Still, we are extremely under-manned; we’re reliant on budgets from Congress.
You have to think very broadly about cyber-threats, of course?
And people in the U.S. have to worry about cybercriminals everywhere. And we’re worried about human life. And I have to look at, who is the US not friendly with today? Imagine an adversary being able to access your HVAC system and then shutting it off, and they take control of your automatic doors and lock them. It’s scary. And we put those kinds of scenarios into our plans and try to execute on all different scenarios. And that makes us a little bit unique; but I think that civilian hospital and healthcare leaders should be thinking this way, too.
How do you keep up with the latest trends?
When it comes to threats, luckily, I’m part of the Department of Defense, so with regard to the NSA and US-Cybercom, you get the word. And that’s extremely helpful. But I still use threat intelligence information from Homeland Security, the FBI. And when WannaCry broke, I wasn’t concerned about WannaCry, because truthfully, there’s no money to be made in attacking the Department of Defense. And we felt secure, because we were aware of EternalBlue when the news broke. And in terms of technology, I’m not really a big technology guy; I’m about the people. If you have the right people, and architecture, and board leadership, that’s so important. Tools are great, but you need to know how to use them. My biggest concern is a sound cyber program. Cybersecurity is a people issue. And it’s not about the CISO; it’s your leadership and board, and business owners.
What’s the cultural change that needs to take place in military healthcare?
When I first got to Army Medicine, I wanted to find out what the phishing success rate was. We were at a 45 percent rate—45 percent of the time, users clicked on the phish. So that was the percentage I went off. We procured a pretty well-known company that works on phishing, with a famous hacker. And when a user does make a mistake, we’re alerted, but the user gets a video. And that expert gets that video. And it’s a friendly video. So we went from a 45-percent rate to an 8-percent rate, between October 2015 and October 2016—the start of two succeeding fiscal years.
And on top of that, I did not like the cyber-awareness program that had been in place. So we implemented a robust cyber program including phishing education, and we send out newsletters weekly, and we monitor consumption of the education. And they’re military websites, and they’re secure.