Connie Barrera, Jackson Health: Security requires a culture of 'empowerment'
As chief information security officer of the six-hospital Jackson Health System in Miami, Connie Barrera has her priorities. Sure, things like cybersecurity, access management and app security are on her list. But they're not at the top. Culture and people are.
"Many times in security, we view the users as the problem," said Barrera. In reality, though, most employees and clinicians want to understand how they should do things, she said.
Barrera strives to frequently communicate with every business unit at the health system. She educates them about the ins and outs of HIPAA rules, data security best practices, the risks of personally identifiable information and more.
It's "very time consuming for me, but the payoff is huge," she said. "The fruit of that effort is we have people around the organization mentoring others, saying, 'You're not really supposed to do that.'"
Creating that engaged culture, what Barrera described as one of "security empowerment," is one of the most basic but also one of the most important things one can do as CISO.
"You can have the most stellar security team, and if they're the security team from yesterday -- the ones in that dark room behind the locked doors that were really unapproachable, never really seen and never interacted with people -- that's a problem," she said. "We need to get out there and talk to our users."
Creating this culture proves key, especially for Barrera and her team of three FTEs, who are responsible for the security of 13,000 endpoints and more than 2,800 servers.
"It's challenging," said Barrera. But she and her team make it work. They also enlist the help of IANS Research for security decision support.
Barrera's words of advice to other CISOs and security leads?
First, it's essential to know your network and systems, she said, even if they're vendor-supported.
"How do you know if something is broken, or something is wrong if you don't know what's normal?" she said. "It's very easy to say, 'that's vendor supported, that's vendor managed.' That's not good enough because at the end of the day … the people are going to expect you to keep the data safe, whether you have partnerships or not."
This means you need to have the right language in the contract and make sure it gives you the right to audit. You also need to ensure vendors provide you with SSAE 16 and SOC 1 and SOC 2 reports, she added, referring to the AICPA reporting options.
In addition to this, Barrera always asks for what she calls a "data flow diagram," so she can know exactly where her data is going.
One of her last big recommendations? Pay attention to patching and versioning. It's basic and straightforward but often overlooked.
"In healthcare, it's a huge problem because of legacy," she said. "There are hundreds (of applications), and the vendors -- regardless of HIPAA -- aren't keeping up versioning."
She recalled when she first came to Jackson Health and was "blown away" by the number of machines they had running XP.
"In a small business, if they took care of the fundamentals from patching the servers appropriately, making sure that the applications were patched, being able to do that alone will really put the organization in a really good position," said Barrera.
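The "know what's normal" and patching points above can be turned into a routine check. The script below is an added example, not Jackson Health's tooling or anything from the article: it reviews a constructed asset inventory against a small end-of-support table and a maximum patch age, and flags hosts regardless of whether they are vendor managed. The Windows XP and Windows 7 end-of-support dates are real; the inventory entries, hostnames, review date and 30-day patch limit are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# End-of-support dates used by this example. Windows XP and Windows 7 dates are
# the real Microsoft dates; anything not listed is treated as still supported.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str
    last_patched: date
    vendor_managed: bool  # recorded for the report, but never exempts a host


def assess(asset: Asset, today: date, max_patch_age_days: int = 30) -> list[str]:
    """Return the findings for one asset (empty list means nothing to report)."""
    findings = []
    eos = END_OF_SUPPORT.get(asset.os_name)
    if eos is not None and today > eos:
        findings.append(
            f"unsupported OS {asset.os_name} (support ended {eos.isoformat()})"
        )
    age = (today - asset.last_patched).days
    if age > max_patch_age_days:
        findings.append(f"last patched {age} days ago (limit {max_patch_age_days})")
    if findings and asset.vendor_managed:
        # Vendor-managed is noted, not excused: the data owner is still accountable.
        findings.append("vendor managed: confirm patch responsibility in contract")
    return findings


def review_inventory(assets, today: date, max_patch_age_days: int = 30) -> dict:
    """Map each hostname with findings to its list of findings."""
    report = {}
    for asset in assets:
        found = assess(asset, today, max_patch_age_days)
        if found:
            report[asset.hostname] = found
    return report


# Constructed inventory and review date (not real hosts).
REVIEW_DATE = date(2024, 1, 15)
SAMPLE_INVENTORY = [
    Asset("imaging-ws-07", "Windows XP", date(2014, 3, 1), vendor_managed=True),
    Asset("ehr-app-02", "Windows Server 2019", date(2024, 1, 5), vendor_managed=False),
    Asset("lab-db-01", "Windows Server 2019", date(2023, 10, 1), vendor_managed=True),
]


def run_sample() -> dict:
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for host, findings in run_sample().items():
        print(host)
        for line in findings:
            print("  -", line)
```

On the sample data this flags the XP workstation for both an unsupported OS and stale patching, and the vendor-managed database host for patch age only; the host patched ten days ago produces no findings. Feeding it a real inventory export is a matter of building `Asset` records from that export and keeping the end-of-support table current.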