Q&A: Cleveland Clinic's security chief
Mark Dill, director of information security at the Cleveland Clinic, started his career in protecting critical healthcare data 26 years ago at the clinic. In 2000, Cleveland Clinic promoted him to director of information security.
In another month, Dill will "retire" from the clinic to take a new course in the security realm. He is leaving the clinic, a large, multi specialty academic medical center known around the world, to become principal consultant at tw-Security, a boutique healthcare security firm started by President and CEO Tom Walsh. Dill will be working on security issues with smaller healthcare organizations – 350-bed and smaller hospitals.
After Dill announced his plans at the beginning of September, he made sure to stick around for a couple months to help with the search for his successor and perhaps show him or her the ropes.
"I've poured my heart and soul into this," Dill said. "My brand is at stake, so I want continuity for the next person in the role. I'm leaving when their brand is at its peak, and my own personal brand is at its peak as well."
We caught up with Dill to talk about his experience at the Cleveland Clinic, the changes in security practices over the years and the increasing security threats to healthcare organizations.
Q. What changes have you seen in security just in the last couple of years and over the 15 years you've been director of security?
A. Today you find there is a much greater alignment with the clinical or business needs and the kind of improvements that I ask for. Having a conversation 15 years ago about how to align a security investment with a business initiative was kind of rare. Today it's how they talk about it. So each initiative for new, emerging or legacy threats that are changing and why I think this investment will address it, and that has to be part of the business case. There's no capital investment today that doesn't have a completely articulated business case that has to be stood up before the executives. There's always the pressure to articulate the value that a particular request that I have is going to bring, and they want to see on the scorecard what's it going to do to the scorecard.
Q. What keeps you up at night on the security front?
A. This year has really been the year of the healthcare breach, and I think next year will be as well. If you look at the wall of shame, the entries are always the same. The percentages have changed drastically – so, any kind of hacking activity. I've always managed with a mindset that insider threats are about the same as outsider threats, based on the evidence that you have. Now, obviously outsiders are No. 1, but they compromise inside credentials. Watching how user IDs are being used and behaviors that step out of bounds, watching your super user credentials. You have an occasional malicious insider committing fraud. My chief integrity officer always says: "The good news is 99 percent of your workers aren't committing fraud." The bad news is that 1 percent of a large workforce is still a large number. Anyone of those can keep somebody awake. It's the large breach that everybody worries about.
Q: What project or projects do you have going on that's top of mind right now?
A: If you're not addressing phishing, awareness about what to click on, improving the tools that do that and looking at user IDs and how they are used and – devices, you're probably going to miss the boat. There's going to be a breach for sure.
Q. Would you talk a little bit about the culture of compliance?
A: It's a culture of compliance that includes security. We have our own separate activities, but we all know when we need to contact the other team, either for awareness purposes or investigation purposes. That culture, I don't try to take it on myself. Somebody told me once, "culture eats strategy for lunch." I can't change the culture. What I can do is change enough people's minds who can help me change the culture. I didn't get my job because I was overly technical – I was somewhat technical. I got it because I can develop relationships – with the C layer and the executive layer of the organization. I can communicate to them. I can translate geek speak into C- speak and try to speak the language of the business.
Q. Can you point to any one difficult problem that you faced and how you handled it?
A. I think I've been very successful at getting a lot of things approved and implemented and successful. But, it takes time. The biggest challenge is I could be after something for three-year budget cycles – three years. That's very difficult because, you know, I want to manage this now, and sometimes I don't get to. It has to be prioritized. It's not a technical hurdle per se. It's I've got risks that have to be managed in five areas, and there's only budget to support two or three. You can't get too frustrated then. You have to make a prioritization decision and then focus on implementing that one thing really well rather than worry about what you didn't get. So, I've gotten really good at that. Very few of the tools have any real return on investment. You can't spend a million and save two three years later. You have to spend a million so I can avoid three in liability for the executives.
Q. What's the best advice for someone new coming in?
A. The entire program is based on the quality of your risk analysis. HIPAA has it right up front for a reason. They prioritize the whole way. The most important thing is you have to understand where your risks are. And, when you discover them, you need to prioritize and go manage them. There may be really fun technical thing you can do, it's really about the risk analysis – that you understand what is causing you the risk, why it is, what are the ways to address it. Half is managing risk, and half is analyzing what is at risk. I think the biggest challenge for someone new coming in is they're little over zealous. They want to say 'no' to everything because they think there's risk in it.
[See also: Intermountain CISO on new threats.]
Q. Can smaller hospitals on their own level be as good with security as a Cleveland Clinic or an organization of the same ilk with more resources?
A. The problems are identical. You have to do a risk analysis. You've got to have reasonable policies. You have to conduct awareness. Somebody may have a big, expensive e-learning tool, and somebody else might do an inter-personal session in the auditorium. They all work. One costs a quarter million; one costs $1,000.
Q. What makes it harder or easier in terms of security because you are the Cleveland Clinic?
A. Healthcare data is valuable because it has no time limit. The name, your address, your Social Security number, that's not going to change. It will be usable for years to come. Whereas credit card data you better use it in 20 minutes because otherwise the card will be cancelled. The more data you have, the bigger target you are. You've got to be mindful of that. We've got a major political convention coming up. Healthcare is considered an extension of the government because of who reimburses us. You're targeted because your part of the government. If you have weaknesses, they'll exploit that. Size and scope does matter.