Better know a CSO: Indiana University Health’s Mitch Parker

Mitch Parker has one of Indiana’s most critical jobs.

As chief information security officer for Indiana University Health, Parker oversees cybersecurity for more than 30,000 employees at 18 hospitals across the state, along with countless numbers of computers, workstations and medical devices, making it the largest health system in Indiana — and the United States.

Indiana University Health is tasked with helping patients recover and maintain their health, but Parker’s job is keeping their data safe. In our discussion, he discussed the state of medical devices, his security team’s priorities and why — when an organization is so big — communication is absolutely key.

This interview has been edited for length and clarity.

We’re talking to chief security officers to learn more about their work, promote best practices that don’t hamper growth and share insights from some of the industry’s most experienced security professionals.

TechCrunch: You’ve been at IU Health for a little over three years. Multiple hospitals, thousands of staff, a range of threats and no two days are the same. What’s the secret sauce?

Mitch Parker: The organization is significantly more receptive to working together towards cybersecurity solutions than when I first got here. A lot of it I’ve found comes down to just taking the time to understand your customers’ needs. I align everything the security team does with our core mission and values and with purpose, excellence, team and compassion. We don’t talk about cybersecurity first. We talk about, how do we improve healthcare, and how do we provide a better patient experience? And we ask, how do we assist in fulfilling our customers’ needs?

So, in a few words, what’s your approach to cybersecurity across the various teams at IU Health?

Cybersecurity is constantly evolving. Healthcare threats change, too. Three years ago we were talking about Ebola [virus] and now we’re talking about new disease threats. Just as our organization has to adapt, cybersecurity has to adapt in the same way. When I first got here, the organization understood that they had a need but didn’t feel they had a valued business partner to work with. That partnership is more important than the threat of the week.

You described IU Health as an organization “the size of a small city,” with numerous hospitals, but also finance, human resources and various patient services to cater for. How do you get your entire staff of more than 30,000 employees on the same page regarding security?

Communication is everything. We took our security training from what I call “death by PowerPoint” — which would be about the best explanation for it — and now use videos for everything. I’m proud of that. We were able to take something that took a half-hour beforehand with a low retention rate. Now it’s under 10 minutes, people can look at it, get it, understand it and be able to apply it. I think the greatest lesson I’ve learned here is being able to take something that’s big and onerous and think about how can I distill this down so that 30,000 people can understand it and not have to really think about it.

What is your security team’s biggest priority?

We have a very large focus on third-party risk. A health system of our size has numerous vendors — with more than 1,000 vendors that we deal with on a regular basis. Plus, like any other health system, we have a number of applications that are both in the cloud and on-site. So we have to be very good about how we deal with our third-party vendors and assessing them for risk.

That must be a huge surface area for attacks, right? And not just the hardware side of things — ventilators, medical devices and imaging machines — but also the software side of things, like keeping systems up-to-date and patching vulnerable devices. How do you keep on top of that and lower those security risks?

We work pretty actively with our medical device vendors to survey the threat landscape. We monitor what’s going on out there to actively discover and address security vulnerabilities. It’s important to have cooperation and a partnership — or a non-adversarial relationship — with the medical device makers. We’ve found that in healthcare, there tends to be a very “us versus them” mindset between health systems and medical devices. But that doesn’t help. I can’t go to our senior leadership team and say, “we have a problem,” [such as a device vulnerability] because the first question out of their mouths is, “well, Mitch, what are you doing about it?”

So what do you do?

Well, we’re not Chicken Little! We go to our senior leadership team and say, “this is what we’re doing” and “this is how we are de-risking the environment.” We’ve done some things that are a little bit different. We’ve published our security requirements on the internet and we openly partner and talk to our medical device security vendors on a regular basis.

How’s that gone down exactly? Have you found these medical device makers are more receptive to your needs?

The larger vendors that we deal with have been incredibly receptive. Several of us actually get together every year at DEF CON [a popular annual security conference]. But a lot of the smaller vendors haven’t really got the message the way I’d like…

How so?

I’ll say this: A lot of the startups that we’ve dealt with want to do it right. What I found is — and this is true across multiple industries — the startups get it right when they design their devices. They’re more willing to ask questions. So it’s an interesting dichotomy — small startups and the very large vendors in this space are the ones more willing to ask questions. But it’s the small-to-big sized companies that are more established… I’ve found they don’t really move as much as either the really large ones or the small startups. I find that very interesting.

With that, has this changed your purchasing decisions?

I’ll say that the openness to communicate about security issues is now a factor in dealing with third parties.

That’s interesting. It’s interesting because there are standards out there that companies have to follow, and laws, rules and certifications that have to be followed. The big law, HIPAA — or the Health Insurance Portability and Accountability Act — sets some of this out. Could more be done to improve the law — to make devices more secure?

I think that the law is improving. I believe that a lot of the issues do not come from the law itself. They come from not having a clear understanding of the intent of the laws. I spend a lot of time with our attorneys talking with our third-party vendors about HIPAA. There’s HIPAA as it’s written and there’s the intent of HIPAA. What I’ve found — and this is from speaking with numerous vendors — is that everyone has a different understanding of what medical device security and HIPAA actually means. We need to do a better job of educating on that. We need to do a better job of making it clear.

If medical device makers are working from the same instructions just differently interpreted, what would make security better — and your professional life easier?

I’d really like to see more of an industry-wide push for greater interoperability, because that would make security’s job a lot easier. When you make decisions that remove interoperability, it removes those standards and you isolate yourself. Ultimately, what you’re doing at the end of the day has downstream effects that affect your patients.