MARK HAGLAND | SEPTEMBER 30, 2019
Errol Weiss, who became the chief security officer at H-ISAC earlier this year, shares his perspectives on the differences between the financial services and cybersecurity landscapes
On April 23, the Titusville, Florida-based Health Information Sharing and Analysis Center (H-ISAC) announced the appointment of Errol Weiss as the organization’s first Chief Security Officer (CSO). As described on its website, H-ISAC is “is a trusted community focused on sharing timely, relevant and actionable information to prevent, detect, and respond to cybersecurity and physical security events so members can focus on improving health and saving lives.”
As a press release published on that date stated, “In his new role, Weiss will be responsible for the strategic vision and direction of the H-ISAC’s day-to-day Cyber and Physical Security Services offered to H-ISAC member organizations, including the delivery of Cyber and Physical Threat Intelligence, the H-ISAC Security Operations Center (SOC), Identity services, community exercises and other special interest services. Weiss will define, implement and deliver Cyber and Physical Security Services to H-ISAC members which are consistent with the long-term goals and objectives of the H-ISAC – to attract and retain members, operate with execution excellence, and deliver community defense for the healthcare sector.”
And the press release included a statement from Denise Anderson, H-ISAC’s president and CEO. “Errol is globally recognized as an information security visionary and leader,” Anderson said. “He is and has always been a strong advocate for information sharing among and within the critical sectors. Errol knows that by working together, we can help improve security and lower risk. We’re thrilled to have Errol bring his vision, drive and experience to the members of H-ISAC and to the global health and public health sector.”
As the organization explains on its website, “H-ISAC was founded in 2010 as the National Health Information Sharing and Analysis Center (NH-ISAC). In September 2018, H-ISAC dropped the “National” from its name to more accurately represent its international membership. H-ISAC is a global, non-profit, member-driven organization where health sector stakeholders join a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other. Membership is open to public & private hospitals, ambulatory providers, health insurance payers, pharmaceutical/biotech manufacturers, laboratory, diagnostic, medical device manufacturers, medical schools, medical R&D organizations and other relevant health sector stakeholders.”
And, the organization notes, “H-ISAC partners with other global security organizations such as governments, law enforcement, other ISACs, and global CERTs to share information, create situational awareness and mitigate against threats and incidents.”
Weiss previously worked at Bank of America (BofA) where he was a Global Information Security executive working with internal partners to protect information, customers and staff by reducing the impact from cyber threats. Before BofA, Weiss worked for 10 years at Citigroup, where he created and ran the bank’s first Cyber Intelligence Center, a global team providing actionable intelligence to internal staff.
Weiss began his career at NSA conducting vulnerability analyses and penetrations of US Government systems and then spent ten years with consulting firms delivering information security services for Fortune 500 companies. Weiss was instrumental for the creation, implementation and operation of the Financial Services ISAC and is one of the four named inventors on the patent for Trusted and Anonymous Information Sharing.
Recently, Weiss sat down to speak with Healthcare Innovation Editor-in-Chief Mark Hagland to share his perspectives on having transitioned from cybersecurity management in the financial services (FS) industry, to the healthcare industry, and some of the differences between the two industries, with regard to cybersecurity concerns. Below are excerpts from that interview.
How do you see the cybersecurity landscape in healthcare, five months into your new position?
It’s been interesting, coming from financial services, where I spent the past 20 years, and involved in FS-ISAC, the financial services ISAC. I had been working very closely with that group for the past 20 years, and helped to deploy the FS-ISAC in 1999, then became a member through Citibank and Bank of America, and was on the board of directors of FS-ISAC for a while. And coming into the healthcare sector, there are some similarities, certainly, but also many differences.
What differences do you see?
One of the biggest differences has to do with the sensitivity of personal information is temporal in finance. Someone steals your credit card, you get a new one. Someone steals your health information? You can’t “get a new one.” Also, the connectivity of medical devices—that involves a vastly different landscape, with no equivalent in the financial services industry. That’s why it’s great that we have both patient care organization leaders and medical device manufacturing leaders involved in H-ISAC.
It’s been great to have both sides of that coin represented, to address the issue of how to secure devices, how to provide patches and updates, how to safely disclose vulnerabilities and get the patches updated.
Also, there are countless end-users in healthcare organizations who have public-facing personas, and every type and size of patient care organization is in that situation. Can you contrast that with the situation in the financial services industry, with regard to the complexities and challenges involved?
One of the areas I mentioned was in the medical device space, and certainly, the challenges there are that, given how important those devices have become in the delivery of healthcare, and the sensitivities in keeping them patched and updated, are certainly causing a lot of the stresses between delivery organizations and device manufacturers. And in terms of the recertification of the products as they’re becoming updated, the FDA [Food and Drug Administration] has stepped in, and that’s helped. And I don’t get the sense that anyone’s pointing fingers; rather, they’re at least willing to come to the table and work on these efforts together. And at H-ISAC, we have a very robust working group—a medical device manufacturers and users getting together called the Medical Device Security Information-Sharing Council of H-ISAC.
When was the Medical Device Security Information-Sharing Council created?
In October 2015; we already have over 100 members. And so the idea was to bring together the device manufacturers and providers to work on best practices, facilitate information exchange, work on security solutions together. That’s been a really great example of that kind of work. And in terms of the difference between financial services and healthcare; I’ve been a fan of responsible vulnerability disclosure and bug bounty.
Tell me about those.
The idea of responsible vulnerability disclosure is that there are many white-hat security researchers out there who find a vulnerability and will work with a vulnerable party, whether a retailer or device manufacturer, will let them know that they’ve found this problem; they’ll help them address it, and once they’ve fixed it, the researcher can release the information publicly once it’s been fixed. It’s great for the researcher because they’ll get recognition. The bug bounty piece involves the fact that, over the last ten years generally, and in my experience in financial services in the past five years, they’ve adopted this BB technique, where basically, the organization, like a big bank, would have an open invitation to any security researcher, to come in and test a system, report any vulnerabilities they’ve found, and if they get validated, the person can get paid for that; that’s the bounty part. There are companies that help facilitate that exchange. And there’s fairly wide recognition that there’s opportunity there.
So I’ve had a good amount of experience in that world. What’s interesting is that the difference between financial services and healthcare is that, where the researcher gets to the point of announcing that vulnerability to the world, it gets a bit of media attention and splash. When it happens in the medical device world, it gets a lot of attention. And it can become sensationalized. So when the medical device manufacturers go public, they need to get that kind of attention in the media.
What would you like to say to CISOs and CIOs, about the current landscape in the industry?
I think the health ISAC—when you look at the evolution of all the ISACs, we’re still at a very early stage in the evolution of the health ISAC, specifically around membership growth. We’ve had a significant amount of growth since Denise Anderson came on board as CEO, and we’re continuing to grow forward. The thing that excites me about being here is that as we’re creating more services and are enhancing the threat intelligence services, as the membership grows, the opportunity to do more collaborative work between and among the members is something that’s going to be really powerful.
So I would tell CIOs and CISOs, you’re going to get a ton more out of the H-ISAC for your organizations, if you continue to interact with peers through the H-ISAC. I was thinking about this the other day: even the junior people I see participating in the online collaborative forums, they’re really learning. And sometimes people are a little bit shy or embarrassed about getting involved; but I’ve seen really junior people grow in this participation. So there’s an incredible opportunity, and that essentially makes us all stronger through the shared learning. That’s the big push that I’d like to see.
What will happen in the next few years?
For us, the big growth area will be on the international front. We’ve got a lot of growth opportunity in Europe and Asia; we’ve got our first European summit in Zurich next month, and our first Asian one sometime in the first quarter of next year. And I think in terms of what else is coming, I’m working on some tools and automation to help get the right information to the right people—and that means really putting the power of the subscription capability, for example, into the hands of the end-users, so that they can define what they need from the Health ISAC. So if they’re a technical person, they can get the technical detail; if they’re a non-technical leader, they can get that. We’ve got a new security daily summary going out now, for example. So it’s about fine-tuning what the end-user can receive.
Is there anything you’d like to add?
On the threat and vulnerability information that we’re providing to the membership, I want to make sure that we contextualize why it’s important for an information security professional in healthcare, so that it becomes more actionable. I want to make sure we can answer the question, “Why is this important to me?”