When Simeon Bell, MD, set the stage for academic medicine in Kansas City and the wider region, his gift to the world was the establishment of a hospital, founded in 1906 as part of the University of Kansas School of Medicine.
From humble beginnings on Goat Hill in the small town of Rosedale, now part of Kansas City, the hospital has evolved into a destination academic health system sought out by patients and top-notch medical professionals from around the United States.
The hospital reached an important milestone in 1998 when it became an independent hospital, and 20 years on from that point, The University of Kansas Hospital joined with The University of Kansas Physicians in 2017 to form The University of Kansas Health System.
Michael Meis is the Associate Chief Information Security Officer, a role supporting the VP of Technology, Sean Roberts, and the CIO, Chris Harper, within the Health Information Technology services team. Meis’ role supports the cybersecurity, operations and defense strategies.
“What really makes the health system so special is the people. Both those that are directly providing patient care and then those in support roles like myself. All of us have this very singular focus on creating a world-class patient experience, whether that's in the direct interactions with our patients or in building the systems that enable that type of world-class care,” said Meis.
In order to accomplish this mission, the health system leverages a range of innovative technology to support care providers as well as augment and empower all their employees.
As an academic health system serving the people of Kansas, the region and the nation, The University of Kansas Health System enhances the health and wellness of the individuals, families and communities they serve.
Cybersecurity’s critical role in both patient care and employee care
Protecting data is paramount as a patient care provider in a health system, where the relationship is built on patients' trust.
“They must trust that we're going to give them the best possible care and that we're going to keep their data safe from cyber criminals or anyone else who wants access to that data who’s not authorised to it. In order to keep that trust, there is the data privacy component to protect such critical information,” he said.
“We've recently seen cyber threats that have been very focused on disrupting the availability of critical infrastructure, including healthcare. And so we, as a cybersecurity team, need to make sure that not only is their data safe, but also that those medical systems, devices and records are available when the care provider needs them.”
According to Meis, cybersecurity strategy is split into two core components: a tactical angle focused on attack paths, threat actors and how they operate, and then a more strategic angle to understand the business in regard to how the organisation communicates and what the revenue cycle looks like.
Using threat intelligence allows the cybersecurity team to shrink the pool of potential threat actors so that it can focus only on the threats that are most relevant to the health system.
“Once we've shrunk those down, then we can focus on the capabilities of the threat actors, what their tools, tactics, and procedures might look like, and then compare those against our own internal detection capabilities. We look at what we might be able to stop, where we might have gaps and then focus our maturity efforts on shoring up those gaps. Even if it's only a detection method in the meantime, we must understand cybersecurity as it relates to the business and be able to justify the investments into security technology,” said Meis.
The art of cyber warfare
Meis understands that the organisation is never going to be able to protect itself against every possible threat.
Being a U.S. Army veteran himself, Meis is a big fan of warfare strategy, finding many parallels between these tactics and cybersecurity strategy. Cybersecurity attracts a lot of veterans for these reasons – and a warfare mindset is a crucial first step in becoming a highly effective cybersecurity professional, according to Meis.
In the military, your mission is to keep yourself, your squad, and your platoon alive. “That lofty mission,” said Meis, “is something that very, very few organisations are able to replicate in the civilian world. Cybersecurity kind of gives that purpose of defending organisations and people who otherwise wouldn't be able to defend themselves. You see a lot of veterans who end up in the cybersecurity space after they separate from the military.”
According to Meis, it is an adversarial relationship with threat actors, “whether they're financially motivated, hacktivists or just want to watch the world burn, at the core, they are trying to get into our health system and disrupt what we do.”
Whether that's stealing patient data or disrupting the availability of systems, monitoring is vital to an effective cybersecurity strategy, or otherwise “you're going to be checking compliance boxes while they're somewhere else causing damage.”
Handling the cyber talent shortage
It's no secret that there's a shortage of cybersecurity talent. Meis remarks that it’s probably become the number one risk to the industry over the last two to three years. Within the team, Meis and his colleagues have placed a really big priority on putting people first and making sure that they're at the centre of the cybersecurity strategy.
“A lot of the cybersecurity vendors try to pretend like their tools can run without human intervention, and that sounds great. At the end of the day, you need people to be able to win these adversarial relationships with threat actors. So we support their development, something that's often overlooked in corporate culture, and, specifically within cybersecurity, where people don’t always get opportunities to stretch into new roles or to another role within the same team.”
The organisation invests heavily in training so that, for instance, you may be a risk analyst today, but should you want to be a penetration tester tomorrow, that’s a possibility. Dedicated horizontal and vertical career progression opportunities prevent staff from being defined by the initial job they happen to land in when they first arrive in cybersecurity, enabling growth and increasing job satisfaction, while reducing turnover.
“We've seen an incredible rate of burnout across the industry, so we focus on that with our people as well, supporting them with a robust PTO policy. We have mental health support and then a really positive work environment that focuses on making sure they're taking care of themselves, as well as focusing on the mission.
“It’s also essential that we communicate clearly, so there’s not a mysticism around the direction of the organisation. We communicate with transparency and also give people the space to be human. Everyone is going to make mistakes,” explains Meis.
This approach facilitates how they find and recruit new cybersecurity talent: looking within the health system for the right types of people, focusing on aptitude like problem solving, finding creative solutions and being able to move at a faster pace.
“That ability to problem solve at scale and at velocity becomes very important. We look for a great attitude and an aptitude can be supported with technical training throughout their development. Within 6 months, you can have a highly competent and driven cybersecurity professional. So we look at non-standard backgrounds, because frankly, we're all competing for the same people who have those ‘standard’ cyber backgrounds.”
With staff turnover below 10%, the health system has achieved results exceeding the industry average.
Adopting cyber risk quantification practices
Being able to speak the language of the organisation in business terms is key. In the case of the health system, it has driven the adoption of Cyber Risk Quantification, which looks at potential loss scenarios to understand the probability and cost of that event. With data behind them and a structured approach toward measuring the inherent uncertainty of risk, the cybersecurity team is able to communicate risk in the universal language of money.
“Everyone understands money. Everyone understands an annualised loss exposure and a loss exceedance curve. We want to remove the dark security magic out of security communication and start communicating like a business executive. That's been an important piece for us and for our health system leadership: to be able to understand cybersecurity risk in business terms without having to take a cybersecurity crash course.”
Meis acknowledges that risk awareness has fundamentally changed the way they think about cybersecurity, shifting from just a technology problem to one of overall business risk: “It puts your organisation in its entirety at risk, if it's a large enough attack. There was a news story recently where we saw a small university that experienced a ransomware attack and was unable to completely recover from it, so it is now shutting down entirely.
“Our industry has kind of played in the basement for the past 30 to 40 years, and now cybersecurity has become so prevalent that that's no longer good enough. In order to evolve, we need to be able to adopt these risk quantification techniques,” said Meis.
Cyber a young industry
“When you think about us as an industry, we're very young – especially when you compare us to the finance industry or legal; they've been around for a couple hundred years at minimum. But we've started to see that same maturation of our industry, and I think that's going to continue and it's going to require the security leaders of tomorrow to evolve.”
According to Meis, those leaders of the future must understand how the organisation operates in terms of revenue cycles and where adversaries are going to target, and be able to communicate this effectively to other business leaders.
“Maturation and automation around security technology is key, as that talent gap is not going away anytime soon,” he added.
Even with the education initiatives the cybersecurity industry has recently put in place, it's going to take several years for that to come to fruition.
“We know that over 80% of the cybersecurity industry is over 35, meaning that there is a mass retirement party coming at some point soon. To address that, we need to continue to invest in automation as a force multiplier for the people that we have right now to avoid burnout.”
Meis adds that the final piece of what we'll see in the future of the cybersecurity industry is around regulation, at both federal and state levels.
“At some point, there are going to be more intercontinental agreements between nations. The UK, the United States, and the EU have collaborated on several pieces of legislation – we will most likely see more of that going forward. So, if we haven't invested in our GRC programs, we're not going to be ready to take those on,” said Meis.