Duke Health CISO Chuck Kesler: Healthcare shifting to 'breach-first' mentality
Chuck Kesler has worked in information technology and data security for more than 25 years. He joined Duke Health as chief information security officer in 2011. He and his 16-member team are responsible for all Duke University Health System entities, as well as academic departments, centers and research institutes in the University's Schools of Medicine and Nursing. Before joining Duke, Kesler was the senior manager for Symantec Corporation's Security Advisory Services consulting practice in the U.S.
Kesler spoke with Healthcare IT News recently about the challenges of his job and his strategies for cybersecurity.
Q. How has your approach to security changed over the last couple of years?
A. One of the biggest shifts that I’ve seen in the past year is the breach-first mentality. You have to approach your program from the perspective that a breach is likely to occur, or may have already occurred, and sort of accepting that’s the reality. If you look at the traditional model of security you’re supposed to start with risk assessment and use that to do business impact analysis and design your controls, implement your controls and measure the effectiveness. You do need to do that stuff. But, there’s a sense of urgency out there right now that if you take that more formalized approach – that more traditional approach – it’s going to take you a long time to get to your end state. In many ways what you need to do is start with the assumption that you’re going to have a breach soon, or you’ve already had a breach, and what do you need to do to respond to that? What are the things that may have caused that breach? Those are the biggest risks that you need to address, and obviously you need to put appropriate controls around that.
Q. What do you worry about the most?
A. I worry about end users the most because attackers will go for the weakest link in the team. Oftentimes that is an end user. It can be anything from the phishing attacks that we see where we’ll get an email, or a phone call in some cases, where we have somebody try to get the end user to give over his username and password to the attacker. It’s surprisingly easy in many cases for that to happen. That’s one of the things you have to look at.
Q. Are there projects underway at Duke that are top of mind for you?
A. We have a number of projects. Overall we have about 50 projects that are either in execution or planning. We have some that are much bigger than others and are higher priority. What we try to do in our project planning – inside our IT group – is look not just at security, but at all of our projects and how they overlap with each other – in particular where we have the requirements for the same people to be involved. That means in some cases we have to make a choice. We have to delay one project or another.
Q. What security challenges are unique to healthcare in your view, compared to other industries?
A. The key is that every industry has a different tolerance for risk. Obviously there are different types of risk that you need to consider. One of the key things to think about in healthcare is that we’re in it to take care of patients. We’re here to make people better. The thing that really differentiates us from, say, a bank, is we’re here ultimately to save lives. So, where that gets to be difficult is oftentimes the things you have to do to secure information slows our providers down. We may have to make them do an extra login. We may have to make them use multi-factor authentication when they’re logging in. Or maybe in designing our access controls around the EHR platform, we need to restrict what information they have access to for certain roles. The difference in healthcare is you have to balance the need to take care of patients with the need for security control.
Q. We've heard CISOs say that what organizations really need is a culture of compliance. Do you think you have that at Duke? How do you achieve it?
A. You need a culture that encompasses both compliance and security. While I think compliance is a very important thing, compliance does not equal security. You can have very compliant systems that are not secure, and you can have very secure systems that are not compliant. Compliance is an important driver of security. I would differentiate it in this way: One of the things that we’re doing differently now is that we try to make security personal for folks. Not only do we explain why doing these things is important to do at Duke, we try to explain why these things that we’re doing here, you should be doing in your personal life as well. If you help people understand why access management is important, why multi-factor authentication is important, why being on the lookout for phishing messages is important, why looking at your financial statements is important, all of those basic things help to create a culture of security.
Q. What's the toughest security problem you've experienced, and what did it teach you?
A. I’m not going to call out any one incident. It kind of goes back to what I was saying earlier: being prepared for the breach. Sooner or later, there’s going to be something bad that happens. When it does happen, you have to be calm, cool and collected. You have to make sure you can respond in a level-headed fashion and not get overwhelmed with the emergence of the moment because you’re going to be faced with probably a very difficult set of circumstances and a lot of fear, uncertainty and doubt when you first get involved in dealing with the incident. It takes a little while to understand what really fully went on and recover from it. You have to be measured in how to do that because it’s very easy to get overwhelmed if you let the situation do that to you.
Q. Can smaller hospitals, with fewer resources, manage their security issues as effectively as a large organization?
A. You can. You have to look at what you have. Look at your resources, look at your people. It all starts with the executive commitment. None of what we do, none of what I do here at Duke would matter if we didn’t have the support of our top-level executives. Even in a smaller organization if you have the executive level support for the program, it may not mean that you can go out and spend $5 million for a security program, but if they put the right people in charge of the program and then listen to those people and support what they’re doing, you can certainly make progress. I think it’s taking that measured approach, doing the things that you can do.