
Cyber Security Leaders - Al Rottkamp, ISM Cybersecurity Program Administrator @ Renovo Solutions
Al Rottkamp is the ISM Cyber Security Program Administrator for Renovo Solutions. In this capacity, he serves as a medical technology vCISO to several clients across the US.
In that role he evaluates medical device cybersecurity risk across each client's system and works with each hospital to select its best mitigation options.
He is currently developing risk reduction models to increase resilience and enable a more efficient return to operational readiness after an incident.
Why did the role of the CISO appeal to you and how do you see the role evolving in the future?
I am a Medical Technology vCISO, working remotely with several hospitals in different states. I was attracted to the challenge: the challenge of providing a safe patient environment with 1) complex medical technology, 2) multiple disciplines, 3) limited resources and 4) numerous regulations, without breaking the bank.
The role requires being able to effectively communicate with the many disciplines involved in patient care: clinical, financial, technical, physical, legal, and executive. Each domain has its mission, skillsets, personalities, and expectations. It would not be unusual to meet with a medical physicist in the morning and the CIO in the afternoon. The required knowledge base is dynamic, wide, and challenging. The role is evolving into a direct board-level reporting structure, and therefore CISOs must communicate, in both financial and operational terms, the need to invest in the infrastructure.
The evolving role will require experience and education in operations, finance, information systems, disaster recovery and patient care.
Under the Caremark Decision, SOX, state privacy laws and emerging federal laws, members of the board are required to understand the risks of a Black Swan event and the resultant impact on the hospital's mission. For publicly traded companies, the Securities and Exchange Commission (SEC) requires a cybersecurity discussion in the annual report.
As a CISO how do you communicate the seriousness of cyber risk to the board?
It’s basically a discussion around risk appetite, resource availability, revenue, and expenses. If the board is risk averse, they are more likely to invest in the infrastructure over time to reduce the negative impact on revenue, operations, and brand. Continuous investment builds resilience and reduces the impact, allowing a timelier return to normal operations with minimal losses.
If the board has a high tolerance for risk, it’s a much different story. With a weaker infrastructure and poor disaster recovery resources, the organization may not be able to recover. Recent healthcare security incidents highlight the significant dependence on the information technology infrastructure for the ability to provide patient care, perform imaging and laboratory testing, and generate timely invoicing. If they are a publicly traded company, the impact is discussed in the annual report.
How often do you think security drill and exercises should be employed in order to maintain the profile of cybersecurity within the company?
The underlying question is about the board level responsibilities of risk culture, strategy, and governance. They prioritize goals and commit resources.
People are the weakest link in cybersecurity. Statistics indicate the majority of malware enters the system through emails and social engineering, so ‘people testing’ should be dynamic and conducted monthly.
Tabletop drills and exercises should be scheduled quarterly with mandatory participation. Combine that with surprise drills on weekends, holidays, and nights. Incidents can occur anytime.
Results of the tabletop exercises, social engineering and phishing tests should be tracked, audited, and presented to the board as an agenda item.
Is Zero Trust the solution? And can it be obtained?
In healthcare, Zero Trust (ZT) is a goal that can be obtained in five to ten years, depending on manufacturers' commitment to ZT, healthcare capital replacement cycles and internal resources in each hospital.
Margins are thin, pushing hospitals to utilize equipment past the depreciation period; many hospitals keep equipment past End of Life (EOL) and End of Service (EOS) dates. When the availability and quality of third-party parts are limited and poor, the device is unreliable in terms of clinical availability and safety. At that point, new devices must be purchased for utilization in a ZT architecture.
How do you assess the risks that new technologies introduce and how do you mitigate those risks?
This is the dilemma: the risk of accepting the new technology vs. the risk of rejecting the new technology.
It’s a clinical, technical, and financial decision. For example, do we purchase the new MRI-guided linear accelerator or do we continue to utilize the current older model? If we purchase the newer MRI, we can provide increased diagnostic and therapeutic value to our patients. If we continue to use the older model, we maintain current diagnostic and therapeutic value while meeting other financial demands: salary, debt reduction, smaller capital purchases, etc.
You mitigate the risks by performing due diligence, configuration management, and revenue projections. Due diligence includes vetting the need for the technology, reviewing product comparisons and asset lifecycle requirements.
Vulnerability management starts prior to connecting the device to the network, by confirming the operating system, enabled services and patch/update schedules defined in the purchase agreement.
Revenue projections are a component of enterprise risk management. Is there a new reimbursement code for using the new device, is there a specific donor contribution, will using the new device differentiate you from your competitors and increase patient volume? Device and IT risks are often greater when factored into an enterprise risk analysis.
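The pre-connection check described in the answer above, as an added example from the editor (not the interviewee's or Renovo Solutions' code): a delivered device's observed posture is compared against the configuration terms assumed to be fixed in the purchase agreement, namely the contracted OS build, the services permitted to listen on the clinical network, the vendor's committed patch cadence and the declared End of Service date. Both the baseline values and the two device records are constructed for illustration; the port numbers, dates and asset tags are not from the page.

```python
"""Pre-connection baseline check for a newly delivered medical device.

Added editor's example, not code from the original interview. All baseline
terms and device records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Baseline:
    """Terms assumed to be written into the purchase agreement (constructed)."""
    allowed_os: frozenset[str]        # OS builds the vendor committed to ship
    allowed_ports: frozenset[int]     # services permitted to listen on the clinical VLAN
    max_patch_interval_days: int      # vendor's committed patch/update cadence
    eos_date: date                    # vendor-declared End of Service date


@dataclass(frozen=True)
class DeviceRecord:
    """What was actually found on the delivered unit (constructed)."""
    asset_tag: str
    os_version: str
    listening_ports: frozenset[int]
    last_patch_date: date
    vendor_patch_interval_days: int


def evaluate_device(dev: DeviceRecord, base: Baseline, today: date) -> list[str]:
    """Return findings that block connection; an empty list means the device may join the network."""
    findings: list[str] = []

    if dev.os_version not in base.allowed_os:
        findings.append(f"OS {dev.os_version!r} is not a contracted build {sorted(base.allowed_os)}")

    # Anything listening beyond the contracted services is exposure that must be
    # disabled, or explicitly risk-accepted, before the device is connected.
    extra_ports = dev.listening_ports - base.allowed_ports
    if extra_ports:
        findings.append(f"unexpected listening ports {sorted(extra_ports)}")

    if dev.vendor_patch_interval_days > base.max_patch_interval_days:
        findings.append(
            f"vendor patch cadence {dev.vendor_patch_interval_days} days exceeds "
            f"contracted {base.max_patch_interval_days} days"
        )

    patch_age = (today - dev.last_patch_date).days
    if patch_age > base.max_patch_interval_days:
        findings.append(f"last patch is {patch_age} days old, past the {base.max_patch_interval_days}-day cadence")

    if base.eos_date <= today:
        findings.append(f"device is already past End of Service ({base.eos_date.isoformat()})")

    return findings


# Constructed baseline: one contracted OS build, HTTPS plus DICOM (port 104) only,
# quarterly patching, EOS several years out.
BASELINE = Baseline(
    allowed_os=frozenset({"Windows 10 IoT Enterprise LTSC 2021"}),
    allowed_ports=frozenset({443, 104}),
    max_patch_interval_days=90,
    eos_date=date(2031, 12, 31),
)

# Constructed device records: one as contracted, one delivered with an old OS,
# SMB and RDP exposed, a stale patch level and a semi-annual patch cadence.
DEVICES = [
    DeviceRecord("LINAC-01", "Windows 10 IoT Enterprise LTSC 2021",
                 frozenset({443, 104}), date(2024, 5, 2), 60),
    DeviceRecord("LINAC-02", "Windows 7 Embedded",
                 frozenset({443, 104, 445, 3389}), date(2023, 11, 14), 180),
]


def run_sample(today: date = date(2024, 6, 1)) -> dict[str, list[str]]:
    """Evaluate every constructed device and map asset tag to its findings."""
    return {dev.asset_tag: evaluate_device(dev, BASELINE, today) for dev in DEVICES}


if __name__ == "__main__":
    for tag, findings in run_sample().items():
        status = "OK to connect" if not findings else "BLOCKED"
        print(f"{tag}: {status}")
        for f in findings:
            print(f"  - {f}")
```

In practice the "observed" record would be filled from a port scan of the isolated staging VLAN and the vendor's delivery documentation; the value of the script is that the acceptance criteria come from the contract rather than from whatever the device happens to ship with.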
What channels are available for fostering the exchange of information and ideas among the CISO community?
The number, quality and type of communication channels are increasing, mainly due to necessity. The three main channels are professional organizations, your professional network, and law enforcement/insurance channels.
Professional associations include ISC2, ISACA, AAMI, HIMSS, CHIME, and others. Your professional network is probably composed of colleagues, professors, and social media acquaintances.
Depending on your security clearance, law enforcement participation may be a strong option.
It’s a tricky problem; there is a strong need for trusted communications, but no one wants to give away the secret sauce or air dirty laundry.