The healthcare industry has long been a target for cyberattacks, and now, with more care delivered via telehealth, increased use of connected personal and medical devices, and many healthcare professionals working remotely, the attack surface has grown immensely. GeekWire recently connected (virtually) with Premera’s VP and Chief Information Security Officer, Dr. Adrian Mayers, for a discussion on the threats and the information security solutions that minimize risk and protect the security of Premera’s customers and providers.
Read the edited Q&A below.
GeekWire: As Vice President and Chief Information Security Officer at Premera, tell us what you do.
Dr. Mayers: What do I do? In a nutshell, I protect and defend the business interests of Premera. And what does that mean? There are a number of cyber threats out there that obviously negatively impact the business interests and the information that we’re protecting; the ability for us to deliver our services and products is what’s at stake and what’s at risk. So our program, as well as my team, protects that. So if we’re doing things right, you won’t see us; we’ll just be quietly behind the scenes making things happen, but there’s a tremendous amount of work that goes into that so that it remains seamless. Not easy to do. Threat actors are changing on a daily basis.
GeekWire: It’s interesting because I think a CISO at any company, any organization in 2021 is in a high pressure situation. But when you add to that the fact that you’re dealing with some of the most personal information that we all have in our lives, I can imagine it’s a pretty stressful job. What kinds of things does Premera do to protect its members’ data that the average consumer technology company might not have to worry about?
Dr. Mayers: Well, it is interesting actually, when you kind of distill it down and you think about it, there are specific tenets to a cybersecurity program that are actually kind of ubiquitous and seen across all technology companies, for the most part. Now, where we start to differ is in the data itself and the type of data. So we’re dealing with protected health information. As you stated, that is extremely sensitive information, but the ways that you go about protecting it are very much the same, regardless of what industry or vertical you’re in. You’re thinking about identity and access management. You’re thinking about device security. What does your network look like? Whether it be cloud, on-prem, or hybrid, kind of a combination of both. You are thinking about the applications that you are using, whether you’re creating applications or you’re buying them off the shelf, or you’re leveraging a SaaS offering (software as a service). And you’re thinking about your data security footprint: how are you leveraging encryption? Where are you keeping your repositories of that data? How are you thinking about authorization and authentication? And then ultimately you’re thinking about your physical security, which I always find interesting that people kind of forget. You can’t have somebody walking in off the street and plugging into your network or stealing a laptop. So the physical aspect also has to be brought together with the virtual or the digital side. When you have both of those kinds of realities in play, then you start to have a program that can withstand the rigors that threat actors are throwing at us on a daily basis as they’re changing and evolving their techniques, tactics, and procedures.
GeekWire: New threats seem to pop up every day. Clearly there are some that are making more headlines than others right now, but how do you adapt and evolve as Premera to these changing threats out there?
Dr. Mayers: Well, there are a couple of things. I think one of the key things is to have the right mindset. We always say that complacency is the death knell. As soon as you become complacent and think that you don’t have to continuously evolve or understand what’s going on in your environment internally and externally, it’s the beginning of the end. So what do you need to do then? You never get too comfortable. I think it was Terry Crews that said be happy and dissatisfied. So we’re happy with the program, but we’re dissatisfied because we want to continuously think about “how do we evolve?” How do we get in front, as much as we can, of the different ways that threat actors are coming at us? So intelligence is really a big deal here. So you start to see a company like ours being kind of a microcosm of the US government. How does the US government leverage the technology apparatus? The intelligence community informs their decisions; when they understand what’s happening at a nation-state level or with some other non-state actor, it’s that intelligence that’s helping to inform decision-making. So we do the same thing. Premera Blue Cross is a part of the Blue Cross Blue Shield Association. We have shared intelligence. There is a team called Blue Intel, and they collect intelligence and share it across the entire system. So there’s strength in numbers. The other thing that we do is we work with other organizations like the Health Information Sharing and Analysis Center, H-ISAC, where we’re sharing information and we’re looking at specific things that are targeting the healthcare industry or vertical. And we share information and intelligence about that. Internally, there are two kinds of teams that we have. We have a threat intelligence team that’s continuously looking at telemetry that we’re seeing. So what we call indicators of compromise: the ability for us to look at IOCs and pivot from there to understand different domains that are compromised and what have you.
So we harvest intelligence from the way that attackers are coming at us. The other thing is looking at emergent technologies. So we have an emerging technology research team, a small team, but nonetheless they’re looking at what these next technologies are and how those can be leveraged by threat actors to potentially compromise us, even if we don’t implement or install that technology. Is there something that could potentially give them the advantage? I find it interesting that there are kind of two hats that we have to wear. There’s the business hat, because we’re in business, but there’s also a very militaristic feel to this. And this is where security operations centers come in; this is how it’s very black and white in the way that they operate, and the gray, or layers of gray, come in on the business side. You have to merge those things together and know when to wear the right hat for different situations as they evolve.
GeekWire: I know that Premera’s threat intelligence and response team looks heavily at behavioral analytics and establishing baselines. Can you give me a sense of the day-to-day work and how things pop up on your radar that you know you have to take seriously?
Dr. Mayers: Well, I think I go back to the intelligence model. So we have a number of sensors that are collecting, whether it be on devices or on our websites or in the cloud, and we’re collecting data continuously. We’re seeing these threats happening, these attacks happening in real time, and we’re protecting and defending. But as I said, we’re also analyzing them. Was that an IP that we’ve seen before? What domain was that? Is that associated with a known threat actor? How does that threat actor operate? And here’s the key thing, and a lot of people don’t talk about it, but it’s about looking at the external and the internal threats. I like to remain kind of on the tip of the spear when it comes to looking at both. Obviously there is a lot of vetting that we do, but we also have to maintain and understand that we have people within the environment that we have to monitor to a certain degree. So it’s about that insider threat, as well as the external threats that we look at. And by pulling this information in, we also work with strategic partners like FireEye and others to help us distill down that data and be able to focus our resources, our human resources, on those anomalies. The things that are just noise when it comes to that signal are just noise; we want to be able to orchestrate and automate those things out. But where I want to focus my team, eyes on glass, is on those things that are not just considered noise. So that’s where we want to be able to focus and then do deeper dives and look at that layered approach, because that’s absolutely what you need. You need to have this defense-in-depth approach to be able to protect this information in a meaningful way.
GeekWire: In your career you have actually followed the pattern of a lot of our audience, in the technology industry at Nokia and Microsoft and Vertafore. What have been the lessons that you’ve learned along the way in the transition from the pure technology world to the healthcare world? And are there things that you would tell people who are thinking about making similar transitions themselves?
Dr. Mayers: I think one of the things that I would share with people is: don’t be dissuaded. It could seem daunting to move into these different spaces, but remember what some of those common denominators are. It’s a business; whether it be a product or a service that’s being delivered, it’s still a business. The other thing is to remember that there are going to be people in all of these different industries and all of these different companies. So remember that human factor as you’re looking at this, and you can adapt and really thrive in any of these organizations that you choose to, but you just have to remember that at the end of the day, there are business objectives. What are they? How does the security program complement, enrich, and augment those things? Because it’s not something that you bolt on. You have to be integrated and interwoven into what you’re doing from a business objective perspective. In order to have time with executive leadership, the board of directors, what have you, you have to have business acumen. So carry that business acumen across all of those industries and companies. And remember that people are at the core of all of this. Technology is an enrichment for people. It doesn’t sit on its own. It doesn’t solve its own problems. It’s there to help us. So remember that you’re dealing with people problems, and the way that you find those solutions is usually through technology and process.
GeekWire: I can tell you are really passionate about healthcare and health and insurance. What makes you passionate about that?
Dr. Mayers: Well, it goes back to the people aspect of this, and specifically in healthcare, think about scenarios when you don’t feel well: you need to go see your doctor, you need to get a prescription filled. Those are times in people’s lives where they need all the support. So what I think about when I get up every morning is, hey, I have to make sure that their information is protected and that they have access to the services that we provide. It needs to be seamless. We cannot get it wrong even once. So that’s what drives me. When they’re at their worst, we want to be able to be there to help them. Making healthcare work better. That’s our core thing. That’s our purpose. So what does that mean? That means that when they go on their application on their phone, Apple, Android, whatever it is, when they go on the website, it’s all there. It’s all available. We’re anticipating and know what they need, and they can seamlessly execute and do what they need to get done to feel better, to get better. So that’s what drives me.
GeekWire: Thank you, Dr. Mayers, as we close, is there a last point that you would like our readers to know?
Dr. Mayers: There is one. Well, there are probably a couple, but the one that I definitely want to double-click on, and you’ve heard this from maybe some of the other talks that I’ve done, is around the national security piece. I don’t want to lose an opportunity to drive the idea that collective defense, a whole-of-nation approach to cybersecurity and cyberspace, is absolutely what is needed. We are seeing just a feeding frenzy of things happening in cyberspace and in cybersecurity. Lots of threat actors, specifically around ransomware right now. But there are other things that are constantly operating. One of the things that we’re seeing holistically across industry is that cyber insurance is going up for all of us; whether we have a good program or not, we’re all going to be impacted. So there is a requirement, a sense of duty, to feed in and contribute to national security. But we all have to work together to make that happen. Public, private, everybody has to be speaking the same language, because the threat actors are not discriminating. And if we don’t start to come together, we’re going to continuously have this fragmented approach and this reactionary posture that we’re in today.
GeekWire: Would you tell me what could happen if we do come together around this?
Dr. Mayers: So here’s how I see this. If and when we do come together, because I’m very positive about this and I’m not just kind of saying this from a rah-rah perspective, this is an amazing country. There’s nothing that we cannot accomplish if we come together. We have just gone through, and we’re still going through, a pandemic, but think of what we were able to do when we said, look, here’s a common goal. We need to figure this out together. All of a sudden things were truly mobilized at scale. So I feel that if we come together, and when we do, we’re going to be able to start solving some of the very significant problems that we’ve had for years. We’re going to start sharing information in a more meaningful way without feeling that we’re compromising our own IP, where there’s going to be no blowback, those kinds of things. We’re going to get more insights from the government to be able to have a more proactive posture. Ultimately, if you look at how technology is powering everything within our society, there has to be that security component. And if we don’t come together, it’s going to be a problem. But when we do, the sky’s the limit when it comes to what technology can truly do, if we can manage the risk accordingly.
GeekWire: That’s great. Thank you. Thanks for the time today and sharing such great insights with our audience.
Dr. Mayers: Thank you. Great questions. And I really appreciate you doing this. I think every opportunity we can get the word out is just going to make us better.