Transforming from Compliance Constraints to Enabling Innovation: A Healthcare CISO’s Path to Advancing Modern Care Solutions


When Jason Elrod, CISO of MultiCare Health System, articulates the challenges of legacy healthcare IT environments, he underscores a critical perspective: “Healthcare often progresses in reverse, focusing on the present rather than future needs.” This retrospective approach has historically defined healthcare IT, an industry where technology uptime is paramount for patient care. Security teams traditionally operated as protective barriers, often seen as the “Department of No,” prioritizing risk mitigation over innovation in care delivery.

However, as the healthcare sector undergoes profound digital transformation, the limitations of this traditional mindset are becoming increasingly evident. MultiCare, operating 14 hospitals and hundreds of urgent care clinics with a workforce of nearly 30,000, recognized the need for an evolved security paradigm, one that fosters innovation without compromising safety. This evolution began with a shift in leadership mindset, informed by years of navigating complex operational tensions.

Elrod, with over 15 years as a healthcare CISO, offers a unique viewpoint on the security challenges inherent in healthcare organizations. He identifies several operational realities that create distinct security dilemmas:

  • Continuous Operations: “In healthcare, the question is when you can afford to take a system offline,” Elrod states. The sector operates around the clock, leaving minimal opportunity for downtime during upgrades.
  • Critical Access Requirements: Accessibility to information must be immediate and frictionless. “When lives are on the line, every second counts,” Elrod emphasizes.
  • Widening Attack Surface: The rise of telemedicine and connected devices has expanded vulnerabilities. “It resembles a bowl of spaghetti where communication must only occur between necessary connections,” he quips.
  • Conflicting Objectives: “IT has historically aimed for availability and high-speed access, while security emphasizes protection, creating evident friction,” Elrod remarks.

This creates a cycle of stress and misunderstandings between teams. The question arises: can security become a facilitator for healthcare rather than an obstacle?

The turning point for MultiCare was the adoption of identity-based microsegmentation through Elisity’s framework. Elrod notes, “The identity of individuals represents the largest attack surface. Attacks invariably target identity, which hinges on the need for immediate access to information.” Traditional segmentation methods, reliant on intricate VLANs and firewalls, resulted in complicated, inefficient setups.

Elisity’s innovative approach pivoted toward user identity, altering the landscape of security:

  • Dynamic security policies that adapt based on user identities, workloads, and devices, regardless of their location.
  • Refined access controls that establish security boundaries around individual assets.
  • Integration of policy enforcement within existing infrastructure, facilitating microsegmentation without necessitating new hardware or complex setups.

Initially, skepticism met Elrod’s proposal for Elisity. Technical teams expressed doubt over the feasibility of such solutions with their current infrastructure. Yet, the transformative capabilities of the technology quickly dispelled doubts, showcasing the potential for efficient policy adjustments and visibility across formerly isolated environments.

The most unexpected outcome of this transition was the enhancement of interdepartmental relations. The traditional friction points that prompted complaints about network constraints were replaced by a collaborative ethos. “Our interaction shifted from avoidance to cooperation as teams recognized they shared objectives,” Elrod states, affirming a newfound unity between IT and security.

This cultural shift manifests in various operational advantages for healthcare providers. “With reduced concerns over access and compliance, clinical staff can concentrate on patient care rather than regulatory issues,” Elrod explains.

  • Accelerated Delivery: “We can now operate according to patient needs rather than bureaucracy,” he continues.
  • Personalized Control: “Imagine securing your own network segment based solely on your identity, no matter your location,” Elrod suggests.
  • Reinforced Trust: “Instilling confidence in our systems assures staff that they can move at their desired pace without security hesitations,” he elaborates.

The delineation between security and IT operations is rapidly fading as organizations recognize the strategic advantages of holistic integration. Studies indicate that a substantial percentage of organizations recognize the detrimental impact of miscommunication between these teams on their security posture. Furthermore, healthcare institutions that experience ransomware attacks with isolated teams report notable increases in patient mortality rates.

Investment in integrated security-IT models, such as Cyber Fusion Centers, is on the rise. Forward-looking firms are adopting these frameworks to enhance their security capabilities, with significant projections for future implementation across large enterprises.

For Elrod, the shift towards identity-based microsegmentation symbolizes more than just a technological upgrade; it embodies a progression towards a more future-ready healthcare system. “Past technologies served their purpose but often became obsolete over time,” he explains. With Elisity, MultiCare can transition seamlessly to a more secure and efficient operational model.

Overall, while identity-based microsegmentation alone cannot resolve the myriad security challenges faced by healthcare, it serves as a foundational component in creating a culture where positive engagement, rather than obstruction, defines the relationship between security measures and clinical operations.