Q&A: Partners CISO Jigar Kadakia talks the evolving threat landscape
Jigar Kadakia took the reins as Chief Information Security and Privacy Officer at Partners HealthCare in September 2014, after having served as Partners' interim CISO and CTO from January 2014. He oversees a team of 40-45 people – all of them responsible for keeping Partners' information well buttoned up.
Prior to joining Partners, Kadakia was senior manager with consulting firm Deloitte, where he garnered broad experience working with a wide variety of healthcare organizations across the country.
As an academic medical center, Partners HealthCare in Boston presents many complexities that make the work of security and privacy even more challenging than perhaps at other healthcare facilities. We talked with Kadakia about his approach to glean some ideas that might be useful to other health systems and hospitals big and small.
Q. How has your approach to security changed over the last couple of years?
A. It's changed over the couple of years. We had an assessment done that talked about the security program, which provided us a roadmap on kind of where we needed to go, and how we needed to improve as an organization with regards to security. So, we took that, and we created a number of projects associated with the plan, and we're kind of moving forward with those projects.
First and foremost was around education and policies and procedures, etc., but you know, we've gone from policies, processes to technology over the last couple of years. So improving the technology, improving the processes, trying to automate processes, etc., trying to improve the security posture. So that's continually changed within the security space, and so we have to be flexible enough to move where this led, but also have enough substantiated so that we can maintain the current security posture overall within Partners.
You can't chase every threat. You have to prioritize and determine the key threats, and figure out how you block out the mundane threats and how you really focus in on the sticky ones.
Q. What do you worry about the most?
A. I think the landscape is changing so fast, and are we flexible enough to combat the new threats? So, part of the threat is education, and really getting the user population to understand there are risks with everything they do, whether they go on Web pages, they go to their banking website, whatever they do, there are risks with the information they provide if it's not in a secure manner. It's not just Partners' risk. It's everyday life for any individual, especially in the mobile technology age where you essentially can use your iPhone or Android device to do anything. Now, a phone is no longer a phone; it's really a computer.
Q. Are there projects underway at Partners that are top of mind for you?
A. We have a number of projects that are top of mind. As you are well aware, we're doing the big Epic implementation across the enterprise, which brings a lot of risks as we move to electronic health records. So, that's top of mind. From a security project perspective, every project is critical because each project is enhancing an area of our program that either needs enhancement or needs advancement, meaning, you know, we may have a process half manual, half automated, and we'll put a project in place to make it all automated. That frees up our people to focus on other threats, so detection is a big deal for us. Understanding detection and correlation is really becoming a big, important project for us from a strategic perspective at Partners.
Q. What security challenges are unique to healthcare in your view, compared to other industries?
A. From a healthcare perspective, specifically a non-profit teaching hospital perspective with Partners, the complexity of our environment is significantly greater than in any other industry or hospital system. Complexity is built for size. We're rather large. We're also in academic medical research, so we have the academic portion. We have the teaching portion, which is unique. And then we have the clinical practice. So, we have a serious organization with organizational challenges, and from a security perspective, you know, BYOD, clinical devices, medical devices, as well as applications that were grown within the hospital, are uniquely different. So, it's not packaged software. Many are customized applications for clinical purposes, and these things really bring the complexity to our organization that is hard to stay on top of.
Q. We've heard CISOs say that what organizations really need is a culture of compliance. Do you think you have that at Partners? How do you achieve it?
A. I think it's not only a culture of compliance. I think it's a culture of security, but more importantly a culture of togetherness. So everyone has a responsibility and has ownership in the process – for not just security, but for clinical care, for patient care and for protecting patients. So everyone has a role they play in it – some a very minor role, and some a very major role, but ultimately everyone has a responsibility to try to do what is best for the patient and best for Partners. Part of that is through culture, training, education and making people aware that some of the decisions, or some of the choices that they make, impact others.
In isolation, I may be surfing the Web and going to Facebook. But, if you have a threat out there, maybe that's the mechanism that the bad actor uses to infiltrate the environment. So, everyone has a responsibility on what they post, what information they share, how much information they share, where they go, and trying to make people cognizant and more aware of what they do on the Internet.
We leave a footprint, and that footprint could hurt them from a financial identity perspective, or hurt Partners or a patient – trying to make them understand that that footprint never goes away. It's always there. Your daily footprint lasts forever. You may have thought you deleted it, but the hackers are very sophisticated, and really, it's not deleted. So, getting people to understand that and just taking the extra two seconds, or three seconds to think about what they're doing really can make a huge impact on the overall environment.
Q. Hearing you talk, I feel we are all so vulnerable…
A. We are. You know, we like to share. Facebook allows you to share. LinkedIn allows you to share. We like to share pictures; we like to share information, but if you start to take a look at your posts and the places you visit, and when you visit, the type of information you provide, you can start to build a profile of an individual rather easily. And, use it to infiltrate a work environment, infiltrate a personal life or physically rob them because you know they're not home.
Q. What's the toughest security problem you've experienced, and what did it teach you?
A. Well, the toughest security problem is getting people to understand. It's the same issue we had five years ago; it's going to be the same issue five years from now. People are educated, but they just think they're not going to get phished, they're not going to get hacked. But they need to understand, they will get hacked; they will get phished. Teaching them how not to do it, or how to prevent it, is the core issue. We can put in all the cool technology we need and all the monitoring, but ultimately it ends up being a person at a computer or a phone or an iPad that clicks and either provides information, or clicks on a nefarious website, and there you go. They've either been hacked, glitched or phished. Ultimately, it's getting them to read websites and make sure they understand what they're clicking. That's the issue. It's always been a people issue.
Q. What's the best advice you can give from your experience to your security colleagues?
A. Education programs, training and testing. So, everyone gets training programs, but you don't test them on some of the stuff. So, whether you do exercises internally or enhanced training classes, they will be tested on their knowledge so they understand what to look out for or what they should see. Use some of the events as a poster, the recent events out there. Use those as examples of 'here's what happened, and here's how it could happen to us.' People can relate to it because it's closer to home, and they can see it, visualize it, so they're more cautious and more proactive in what they do.
Q. Can smaller hospitals, with fewer resources, manage their security issues as effectively as large organizations?
A. Yes. Actually, it's probably more effective because it's a smaller organization. More training and using the examples is probably more effective because you'll be able to provide it in a personal way. You can talk to them, you can schedule a meeting, you can physically be with them. In an organization like Partners, we try to do a lot of things in person or via phone call, but ultimately some of the stuff gets published via email, and some folks don't read the emails.
Q. What have I not asked you that I should have asked you?
A. The big question in my mind is how do you project or think about what you do now and what's the impact three years from now? From my perspective, CISOs and others in leadership need to be thinking three years ahead. So, we're going to come up with solutions that are good now, but are they really addressing an issue three years ahead? So, we need to be thinking three years down the line about what we can do to help that issue three years down the line, and whether what we do now will still be relevant down the line. It is really hard to do. You have the foundation stuff – policies, procedures, training and awareness – but you have to think through from a technology perspective what you want to do and how you're going to do it and what's the impact. And then the skills. Where are you getting skills to do the work? There is a lack of skills in the security space out there. How do you get talent to help you build the program?