
Do you think your job is hard? Well, being the Chief Security Officer at HCA Healthcare, Paul Connelly was able to wrap his arms around an industry where there are 275,000 employees and 36 million patient care encounters each year. But how does he do that? In today’s episode, Paul Connelly shares his endeavors as a Chief Security Officer who built and led HCA’s programs since 2002. Through a good partnership within a very networked industry, they were able to deal with the hectic workload. Paul also shares his shift from being the first Chief Information Security Officer at the White House and into the private sector. So if you think your job is hard, think again and tune in to this episode and be inspired by Paul Connelly’s endeavor.
—
Listen to the podcast here
Paul Connelly: The First CISO at the White House
In this episode, we’re excited to welcome Paul Connelly to the show. Paul is the Chief Security Officer for HCA Healthcare. You may not know how much you know them. They are a Fortune 100 company and the largest private-sector healthcare provider in the United States. Paul has a career in security. He is a partner in Information Security Consulting at PricewaterhouseCoopers. These are all old-school things. He’s the CISO of the White House Communications Agency, where he was inducted into their Hall of Fame. Take a minute to noodle on that and what it means.
Once upon a time, he was an Information Security Analyst at the NSA. Our man might know a thing or two about keeping things secure. Something that Paul describes to us and a tiny bit of his claim to fame is this, “The First CISO at the White House.” I want you to let that sit for a second. Paul served with three presidents in both parties because securing our nation’s data knows no partisan politics. There’s one other super cool thing, but we’re going to save that. Now you know you got to stick around. Paul, welcome to the show.
Thank you, Matt. I’m glad to be here. I appreciate that. It’s a great introduction.
You’ve done some things in your life. I can’t swear the way I want to but holy bleep, you’ve done some things.
I’ve been around for a long time and had some good people working with me. That’s for sure.
Before we get started, I want to help our audience to understand the responsibility that you shoulder. I want to blind our audience with some astounding facts about HCA, 185 hospitals, 1,400 outpatient clinics, over 275,000 employees, and 36 million patient care encounters each year. I love this. In 2021, more babies were born in HCA hospitals than in the nation of Australia. With all of that being said, that’s a lot. Paul, how do you even wrap your arms around that?
You’re right. It is a lot and it’s very complicated. The good news is it’s a shared responsibility with a lot of others. I’ve had a great team and leaders who work together with me. We have good partnerships within our company. We work hand in glove with our IT organization, internal audit, clinical services group, operations and so on. Also externally, we’re very active with the Health-ISAC and working together with other industry partners to share information and make sure that we’re all helping one another. It takes a village.
We’ve had the great fortune to speak with CISOs of large organizations but nothing this size. How do you bust that out, your role compared to your direct reports and their direct reports as you start to factor out or when you need to consider strategy and deployment? We’re talking about all the continents in many countries. How do you deal with all of the things that roll up to what you have to do at HCA to report to the people that you have to report to?
You learn to develop other people and leaders. You learn to trust people once you’ve worked with them and you know the caliber of the work that they do. I depend heavily on the members of my team. We have a group of almost 300 people that run our program. We have a privacy program and physical security information governance as well. They all work together. They’re independent programs. Cybersecurity is one of them and it’s the biggest one. It works very closely with physical security and privacy. We all find ways to support one another.
Learn to develop other people and leaders, and you learn to trust people once you’ve worked with them and know the caliber of their work.
Usually, it’s the guest who blows up the questions that we’ve talked about or what we’re going to talk about but with this one, I’m blowing it up. I make sports comparisons. I look at when it comes to American football, are you the offensive or defensive coordinator compared to the head coach, the general manager, the owner or the commissioner of the league? Given the scope of your responsibility, how does that filter out for you for what you have to do personally?
If you think about the CEO of our company, he’s the commissioner of the league maybe. I’m the head coach of one of the teams in the league. Maybe that’s a good way to put it.
To our audience, this is not false humility. I love that he’s saying, “I’m just the head coach, maybe of all the things.” Remember, 275,000 employees and 36 million patients.
The thing about our company is we never take our eye off the fact that we are focused on taking care of people. In one regard, I’m the defensive coordinator because I’m protecting their personal privacy, their safety in our facilities, and the systems and data that we use to care for them. I also like to think that we’re part of the offense. We enable our company to do things with data, new products, third-party partners and so forth. We have that good defense that enables us to have a good offense. We’re a cog in the wheel, for sure.
I want to make sure that our audience understands the level of your responsibility. Hospitals are the definition of chaos, but HCA is a lot more than that. You have 2,000 other kinds of care sites. There’s a group physicians organization and a college of nursing. There are software development companies involved. There are cancer research and clinical trials. All of which roll up to you.
In the larger sense of what you are doing as the CISO of this massive entity, there are so many things. When we want to view it through the prism of insider threats, how do you do that? What do you roll out to whom? When the information comes back to you, what do you need to do with that? Both of those questions are easily answerable in about 45-second soundbites.
There’s one thing I have to say. A hospital may look chaotic but it’s like an aircraft carrier. It’s a well-oiled machine behind the scenes. It has to be because we’ve got lives that depend on it. We fit our program into all of that. Talking in terms of insider threats, what we try to do is we try to meet our people where they are. We approach nurses differently than we approach physicians, CFOs, financial analysts, developers, IT infrastructure managers and so forth. That’s a lot of it.

The good thing that I should have said in the very beginning is everybody recognizes that this is important. Cybersecurity has raised to a point in the world where everybody sees how important this is. As a result, whether it’s a physician, a nurse or a developer, they’re all looking for ways to incorporate security and privacy into what they’re doing. That’s a huge leg up for us. A lot of what we do is try to give them the information that they need so that they understand the risks and how they apply the right controls to what they’re doing.
You have such a massive responsibility. Do you have the time or availability to do boots on the ground? You have said how much you rely on the team so building the team is important. Do you get the chance to go, walk through, and see what is happening? I can’t imagine the demands in your time, but to get and go through a hospital every once in a while.
The program that I lead is important. I’m being realistic about what you’re saying here but I do. Every opportunity I get, I try to visit one of our facilities. We have facilities grouped by regional division, so I make it my annual goal to visit every single division each year. When I’m at the division, I try to hit as many facilities as I can. Nothing replaces the feedback that you get from the people who are there on the ground.
In addition to that, within our program, almost 1/3 of our team is not based in the headquarters here in Nashville. They’re out in those divisions and business units that you listed so that we’ve got local presence as well and people who are at the table hearing what the strategies are and communicating with people about the risk side of it.
It’s a good cycle that we go through where we try to bring as much from the field into our decision-making. When there’s something that we think is important, we want to reach out and get feedback. You can’t be a security group that sits in an ivory tower, dictates and expects people to follow. It’s got to be a joint agreement on how we’re going to address this risk.
That’s the most important thing about making sure that you’ve built a team that you trust and believe in. I’m not trying to wrong-foot you on that question. When we talk about the notion of insider risk, as all of the teams that you have built and the teams that they have built, and as it continues to filter down to the boots on the ground, when that information comes back up to you, given that your endpoints are people and there are lives on the line, what can you do when you consider the idea of insider threats or insider risks knowing that nobody who works in the hospital wants to hurt anyone?
With the nature of human behavior, and that’s probably a better way of describing it compared to chaos, what can your team do to put them in the best position to limit that in the best way and protect your end users, which are people who need to be fixed and at the same time, keep your facilities in a position to fix them?
Matt, you said the exact words. It’s putting people in a position to be successful. You mentioned 275,000 people. A great majority of them are involved in caring for patients. They are heads down focused on their patients. We don’t want to distract them from that. A lot of our focus is on how we put the right guardrails around them so that it helps keep them on the right track without interfering with what they’re trying to do. That sounds like a great thing. It’s hard to do when it comes to patient care because individuals need autonomy. They want to look at new and innovative approaches. We don’t want to be the people who are slowing everyone down. It’s a big challenge.
A lot of it is working with them and building their trust so that they bring things to you when there’s something new that they want to look at. If an anesthesiologist wants a new technology that they want to check out, we don’t want to learn about it when it lands on the loading dock and is ready to be installed. We want to find out about it upfront, be responsive, work together with them, understand what they want to do, and then communicate to them what we see as the risk so that we can jointly reach a good decision on how we go about doing it. That goes back to that idea about trying to help the offense. Even though I feel like I’m on the defensive team, we want to help the offense by giving a good defense.
How hard is your job knowing that you need to enable the technical people in your company and organization but at the same time, anesthesiologists are like, “This is the most amazing new technology. We have to get this implemented?” You have to protect the entirety of the organization while considering the 36 million patient care encounters you have a year. You’ve got to heal the sick but at the same time, position your people to do the same things. How do you deal with something at this scale?
Oftentimes, it’s helping raise their awareness. For example, we have an individual who sees a new technology that they think could help what they’re trying to do in their particular area of focus, but they don’t necessarily have the bigger picture view of what that risk could mean to the whole company. One of the tiny little silver linings, and I hate to even use that word when I refer to ransomware, but when you see an article about a hospital being shut down by ransomware or their IT system is being shut down and impacting them, when people hear that, nobody wants to be the one who brought in the device that caused that to happen. A lot of our focus is on educating people and making them aware of the risks so that they make well-informed decisions and work together with us.
Focus on educating people and making them aware of the risks to make well-informed decisions and work with us.
It’s not a 100% success rate. We’re far from perfect, but the good news is that everybody recognizes that it’s a shared responsibility and they’re willing to work with us. I saw a Wall Street Journal article that made a comment that 80% of data breaches involve inside user error. There’s a lot out there to help educate people and help them realize the important role that they have. We always tell people, “No matter what your job is, you’ve got a Deputy Security Officer badge on because you can affect our company’s security.”
You mentioned the idea that 80% of people are getting this. This is the definition of unwitting insider threats. With regard to an organization this large, how can you influence and inspire them to get better? I feel like that’s something that has been beaten to death a little bit, but for people to want to understand how important everything they do is. Every mouse click and type on a keyboard matters because at the end of the day, the endpoint is a patient.
In terms of insider risk, the huge majority are well-intentioned people. They’re trying to do something fast. They see a great idea. It doesn’t occur to them but they need to think about the security or the privacy aspects of it. I keep beating the same drum but a lot of it is trying to reach out to the people where they are, connect with their role, and help them understand the important role that they play in making sure that whatever they’re doing protects our operations and patients. It means using every possible way to connect with people.
The best way to connect to some people is a 30-second blog post or a pop-up on their screensaver. Other people may have time to watch a two-minute video. There are very few people probably in any business who have time to sit down for hours and hours of training. It’s a matter of catching them when you can at the opportune time using the medium that’s going to connect with them, and recognizing that they’ve got important things to do. You’re trying to add to that in a way that you’re not creating obstacles, rather you’re putting guardrails that help keep them on the right track. I find that people do respond well to that.
Going back to the comment I made about how ransomware raised awareness for people, everybody recognizes that this is important. You don’t have anybody who’s blowing it off. Earlier in my career, that was part of the challenge. You had people who were blowing it off and didn’t think it was important. We don’t have to deal with that anymore. Now, it’s more of a case of getting the right information to the people in a way that they can digest and retain it.
You mentioned hours and hours of training. By definition, the people that are involved with HCA, their chief responsibility is to the patients, doctors, nurses, and all of the surrounding staff that keep the hospital going. There are things like nursing stations that have to be these rolling carts. They can roll up and type in what’s going on, and then they have to run back because things are going on, especially when you get into emergency room situations.
Let’s state this upfront. Nobody wants to go to a hospital unless they’re going to give birth to a baby. That’s an incredible amount of responsibility for you and your team. How do you do that? How do you get the staff to understand that they also have to protect this stuff? That’s probably a derivation of the question that we talked about, but they have so much responsibility at the top of the org, I would assume that part of your responsibility is to inspire them to want to do that. That’s a lot. For lack of a better question, how do you do that?
You said the keywords there. It’s by inspiring them to do that. That’s one of the advantages of being in healthcare. Candidly, that’s why I love being in healthcare. I’m not sure if I would feel the same way about my job in different industries. In healthcare, you’ve got people who by their nature at their very core, they are there to take care of people. It’s a special breed of people.

I don’t think it’s a big challenge to get a nurse who is focused on taking care of his or her patients to realize that they’ve got to be careful about clicking on links and emails because they could trigger something that shuts down the system. They can connect those dots and realize that they could do something that could have a negative effect on their ability to care for their patients rather than caring for their patients.
In some ways, it’s an easy sell but the hard thing is connecting to those extremely busy people in moments when they can hear what you’re saying, have the time to take it in and connect it with what they’re doing. We look at everything possible, whether it’s a poster in the hallway, somebody who’s rounding in the hospital and stops by the nurse’s station to chat with them or a two-minute video that we try to catch their attention.
One thing that we have found that helps is we try to focus on helping people be as savvy as they can about their personal security and privacy, and sharing it with their family members. It’s the idea that if they’re smart about what they’re doing online, they’re going to carry that forward when they come into our facility as well.
A lot of our awareness and the way that we try to set the hook is this is something that’s going to help you and your family. It will prevent you from being scammed or help you avoid online fraud and that kind of thing. There are a lot of different things. We use humor whenever we can. A lot of times, people who are working so hard, you catch something that’s going to make them laugh. That will be a memory and will help them take the time to look at what it is that you want them to know. It’s a lot of different things. We’ve got a creative team. The audience is great to work with, so we’re fortunate in that regard.
If you hear the emotion in my voice, it’s because I’m utterly in awe of the responsibility that you carry. I’m not doing this fake like, “It’s so amazing,” because it really is. You use humor and our discussion is leading up to this. You talked about one of the things that HCA is doing internally, which is the Be the Hero Campaign. That’s something that would give responsibility for this huge amount of employees who affect this huge amount of people. You gave birth to more babies than a country in a year. That’s incredible. Tell me about that. How did the Be the Hero Campaign unfold? What has the impact been? How has that worked?
Be the Hero is the brainstorm of our communications team, which is this incredible super creative people. The idea was in a healthcare company, you’ve got heroes around you every day. You’ve got doctors, nurses, pharmacists, other clinical staff, and people who are doing things that turn people’s lives around and save their lives.
We know that we’re surrounded by heroes but we use that as a theme for our campaign to make the point that this is another way of being a hero. If you protect us from these cyberattacks and protect this data, so it doesn’t fall into the wrong hands or isn’t misused, that’s another way that we’re taking care of our patients and taking care of our colleagues too.
It’s a theme that we feel has resonated. We use superhero figures in our campaign, so it’s something that catches people’s attention. We use some humor there as well. We’re constantly in search of ways that we can connect with people at the right time with the right information. We found that it has been a good campaign.
If you’ll allow me to interpret that, it feels like you have built something in the larger team to allow doctors to be doctors, nurses to be the nurses, and EMTs to be EMTs. There’s a surrounding team and organization that lifts the burden off of their shoulders and lets them stick their fingers into people’s guts to fix problems.
Yes, as much as we can. We can’t lift all the burden off them. There’s still some responsibility that they have to share with us, but it’s anything that we can do. The theme of our whole corporate infrastructure here is to try to take the burden off the folks who are out in those facilities. The goal of our team is to make it as easy as possible but there’s still some responsibility that they have to take on too.
I’ve been yelling at you for twenty minutes. I apologize for that. I’m so fascinated by the scale of what you do. You mentioned physical as part of what you do. When we talk about the notion of security, that’s not always something that comes into play. Organizations have different approaches. Sometimes physical security is involved, sometimes not. With you, it is. When it comes to the notion of insider threats for your larger organization, where does your physical security team come into play? How do they roll up reporting to you to create the strategy for how you keep everyone safe?
Insider risk is one of the areas where having physical security as part of our program is a big advantage. We have a physical security program with a Chief Physical Security Officer. They do everything from policies to cameras, access controls, badges, infant protection systems and duress systems. They have about 2,400 security officers whom we contract with as well who are out in all of our facilities.
If you think about insider risk, access control, and any kind of intelligence on activities that are going on that maybe are suspicious, oftentimes there is this connection. Knowing where the person is physically and being able to track them in terms of their badge login or what facilities they come into aligns with what we’re trying to do from a cybersecurity perspective as well.
It has been an evolution. I joined the company twenty years ago. In the beginning, I was the CISO. I was in the IT organization. I hardly lifted my head outside of IT. We were focused on firewalls, antivirus and worms, you name it. Over time, we evolved to where we moved out of IT to make the point that this is a business issue and a shared responsibility among everybody.
We brought privacy into the fold with us, and information governance because we were all about protecting information. The most recent change was the physical security was moved in as well with the idea that we’re all about understanding the standards that the company wants to meet, going out there, doing assessments, remediating our risks, communicating with people, and getting everybody to understand and buy in.

If I’m a nurse working, I can look across the park at one of our top centennial hospitals here in Nashville. Rather than getting one set of messages about physical security, another set about privacy, and another about cyber, we try to give them an integrated message like, “These are the things that you need to worry about to help protect our facilities.”
There may be a little bit about physical security, privacy and cyber but that’s the approach we’ve taken. It works well. The teams help one another. Even though they’re their own programs and they’ve got things that they do that are unique to them, if you think about it like a Venn diagram, there are also these overlapping areas where we help one another.
You’ve got over 500,000 people moving in and out of the facilities every day. Your mandate is to coordinate securing the people but also their data. When privacy comes into that, it’s a similar thing but it’s not necessarily the same. How do you adjust your approach when it comes to protecting financial data and PII as opposed to the idea of keeping a hospital physically safe? It seems like a ridiculous mandate for a single team to do. This is probably the tenth time I’ve asked you this, but how do you do that? That seems so much. You run the Army, Navy, boots on the ground, Air Force, Space Force and the whole thing.
It’s big and complex, for sure. The size of our company makes it harder. In many ways, I feel so lucky in this role because we do have such great partners. I’ve never felt like it’s all on me or my team. It has always been that we’re a larger team that’s all working on this together. There are things that we have to do to be successful but if we do those things the right way, we get that partnership and everybody jumps in to help. I never feel like it’s just on us.
When we talk about the notion of insider threats, one thing that HCA has done is to diversify. You have acquired software companies and that brings in a different type of energy. As they are developing things for you, what is the approach as you were developing your thing? I don’t want to say compared to the standard because there’s nothing standard about healthcare and running 145 hospitals but it’s a software company so that’s different. How does that affect your approach? What are the benefits that you get that you’re also in the software industry compared to where you were before?
The company made that decision because we found some small companies that had products that we were their number one user. We wanted to have the ability to help direct where they went. We felt that as a big backstop behind them, we could bring a lot to them that would help them grow their products. It has been an interesting and neat thing for us to be involved in that.
You’re right. It’s very different but it goes back to trying to meet people where they are. I was referring to doctors and nurses, but you could say the same thing. If we’re working with a company that’s a software startup, even though we may have the largest ownership stake in them, we try to let them maintain that attitude of being a startup and focus on the development, their customers and so forth.
What we try to do is be the advisor who helps them. There are certain standard philosophies that we don’t want to deviate from in terms of how we protect information, and risks that we’re willing to take and not willing to take. As much as we can, we try to let them be themselves, knowing that we’re there to advise them and check on how they’re doing and how they respond if they’ve got a question or something is off the tracks. We want them to keep that philosophy of being a small software company and not let it get swallowed up by this big Fortune 100. Instead, take the advantages that we can bring to them of the knowledge of technology and security, and use it to improve what they’re doing.
Take advantage of the technology and security knowledge, and use it to improve what people are doing.
Given how much you have to explain all the things all the time to all the people, you’re explaining this pretty well. We got it. To our audience, if you didn’t get that, hit me back. You will find this @Hello_Elevate. We will help you understand these things. On the heels of that, given what you and your larger organization are required to deal with all the time, what’s the biggest headache? There’s so much that’s going on. What is the thing that seems to occupy the most time to protect your end users being the patient, but also all of the faculty staff and medical personnel?
Healthcare is a very networked industry, so we work a lot with outside parties. The biggest challenge is the third parties that work together with the partners that we have and having us all on the same page in terms of the standards that we’re going to meet in terms of how we’re going to protect ourselves and our information.
If I look back over the last couple of years of incidents that have occurred that have involved us, easily 90% of them have been third parties that had something happen to them where we had nothing to do with it. We did not have a way to prevent it but it affected us. When you’ve got that dependency on third parties, you have to up your game in terms of who you choose to be your partner, how you set the right expectations, and how you continue to work with them to make sure that it’s a two-way street. We’re both living up to the expectations.
That’s a huge challenge. That’s number one on the list for us. Like everybody else, it’s the Internet of Things. What it comes down to are the things that are outside of our area of control and getting our arms around them. Third parties are outside of our control to a large extent. When Internet of Things devices are introduced, it’s hard to pull them under our IT organization’s purview necessarily.
For us, that could include medical devices and building management systems, which are critical in a hospital. In recent years, we’ve expanded our focus and worked together with our partners both on the IT side and the facilities management side to make sure that we’re bringing all those things into the same pool as the systems that are traditionally our IT organization has managed.
Enough of this genuine humility about what you were doing inside of this organization and all the things that you have been a part of the building. You were the first CISO in the history of the White House. You worked for three presidents. How do you do that? How do you transition from that into the private sector? I don’t even know how to ask the question because it’s so awesome and inspiring. That is an incredible step to make from doing that to doing this. What inspired that, and then what did you take from your time in government protecting a nation into protecting the people that are occupying the nation?
It was an incredible experience and it was fairly early in my career too. It built a foundation that has helped me in everything I’ve done ever since. This was a long time ago before the internet. When I first started, there was no internet. A lot of the focus was on protecting communications. We were worried about the Soviet Union intercepting communications from Air Force One and things like that.
Talking about a pressure cooker organization being at the White House was incredibly challenging. Working under those conditions with people, a lot of lessons were carried forward. I talked about how important it is not to distract nurses, physicians, and other clinicians who are caring for our patients. It is the same way when you’re talking about these senior leaders of our country. The President needs to know that his security is being handled, but I’m not going to get a lot of time to debrief him on what he needs to do.

A lot of lessons were learned there, like working under pressure, doing things that are important, knowing that a failure could have significant consequences, how to work together with people, and problem-solving. I learned great lessons from it that I was able to carry forward even to my job now. It was a great training ground. I was so fortunate to be able to do it.
It was so far back that the term cybersecurity didn’t even exist. I don’t think the CISO term ever even existed back then. I was called the ISO, Information Security Officer at the White House Communications Agency. We were the first ones to go down that path. It is neat to know that I’ve got that little tiny sliver of history. It’s not important to anybody but I like to say it anyway.
I feel like it might be important to a few more people like you. Let me tell you, my friends. This is not false humility. This is a man who has been there. He built the block, went around the block a couple more times, and then built other blocks for other people. You said that it was before the internet but you were there during the evolution, from the early days of DARPA into the time when you were doing this in the Clinton administration when there was an internet.
How difficult was that to manage? You’ve got to secure the communications and all of a sudden, it’s like, “This stuff is doing what? It’s being communicated how?” compared to either typed or written. I made the punch card jokes but at some point, it became digital. That was part of your purview or am I assuming too much of that? It feels like you were there in one of the most dynamic times in technological history.
That was part of why it was this incredible experience and fascinating. It was new for everybody. We were all figuring it out. Maybe that was an advantage because there wasn’t an expectation of expertise. It was like everybody was working together on this. I started at the National Security Agency. In the first three years, I was at the White House, I still belonged to the NSA. I was supposed to be on a 3-year assignment, and at the end of the 3 years, they were going to hire someone who would be the permanent leader. They ended up offering it to me, so I stayed.
I had this great connection back to all of the resources and support of the National Security Agency, which is still one of the world leaders when it comes to cybersecurity. Once again, it was not up to me. I was not on my own. I had a huge support complex that was helping me put all these things in place. I felt like, in some ways, I might have been the point of the spear because I was the person who was there and had the title, but there were incredible groups of people who were helping us all be successful.
We’re doing a hard switch. For the audience, you’ve probably known me to make the joke before. You can feel the click in the segue on this. It’s almost like talking to someone whose parents have two children who are Olympic athletes. Your brother is Michael Connelly. If you are not familiar with things like Bosch: Legacy or The Lincoln Lawyer, he might have done a thing or two. Paul, you have also been involved with that. As you very humbly describe it, you have served as an Informal Technical Advisor but you have also done some formal technical advising to the evolution of his stories.
When you see things from the entertainment industry, whether it is a cops and robbers story, and I don’t mean that derisively, I love Bosch: Legacy and The Lincoln Lawyer, both versions of it, but when you watch movies and television and the way that law enforcement, DOD, and executive branch government because you have been inside of this and even into hospital stuff, whether it’s ER or Grey’s Anatomy and this type of thing, are they getting it right? Are they setting reasonable or unreasonable expectations? What input do you get to give to be like, “This is how it works. It’s maybe not so much how that works?”
It’s pretty neat that this has become a regular topic. My involvement is very minor but it’s exciting.
It’s like you’re having a beer on a Saturday and he is like, “What happens when a bad guy does this?” Suddenly, you drop a 45-minute speech.
I’m glad to see that they want to be accurate. Generally, that’s how I weigh in through my brother or the writer’s team for Bosch: Legacy. They’ll say, “We’re thinking about doing this and here are the steps that we’re planning to follow in the plot. Do you think this is realistic? What tools would they use? What are some of the names of what they would do?”
I pulled my team to weigh in on it, and the members of my team think it’s the coolest thing ever. I was in Orlando for the Health-ISAC Conference earlier in 2022 and had a conference call where a group of people from my team who were with me at the conference all got around it and we were answering questions.
It’s pretty neat. Not only it is a topic but the fact that it’s a topic in these shows only shows that this is for real and it’s part of life. It matters to everybody. If it were some obscure thing, they wouldn’t include it in the show. To me, that shows that this is part of life and everybody is aware of it. The fact that they want to be accurate appeals to me. When I’m watching a show, if I see something that I know would never happen that way, the show loses its credibility.
To communicate, whether it’s personal responsibility or corporate responsibility, especially coming out of the pandemic, we are consuming more media than ever. Is there a responsibility for fiction to convey how much is going on and that there are steps you can take without doing it in a heavy-handed way? Whether it is hospital dramas, cop dramas or government dramas like RIP, The West Wing, which everybody loves, there’s a way to get the message across that is smart and clever without pandering to the audience. Is there a responsibility to get that in there and say, “This is how you could tell that story the right way?”
I do think it’s great. I never thought of it in terms of being a responsibility but it can be damaging if they’re not accurate or they make it seem like it’s not that big a deal. The more accurate they are to me, the better it is. Hopefully, that also helps attract their audience. That’s the way I’ve always looked at it.
Let it be known that this is not in any way on Paul Connelly, Michael Connelly, HCA or even Elevate Security, but the scene in NCIS where two people were typing on a keyboard at the same time or every episode of CSI: Cyber, please don’t ever watch that again unless you want to laugh about it. That’s an opinion brought to you by Matt Stephenson, independent contractor. Here’s the third least important question. Are the Gators ever going to be good again coming off the loss to Tennessee? What happened?
They gave it a good shot. That was quite the scene in Knoxville with the checkerboard and 100,000 fans. That was pretty incredible. They had the ball at the end and a chance to win the game. You can’t complain too much about that. I do think they’re on the way back. They’re pretty good in 2022 even. In a few years, give this new coach some time and they’ll be right up there.
Let’s move over to the leadership quarter. We’ve talked a little bit about the other amazing things you’re doing when you’re not keeping almost 300,000 employees and over 500,000 people a day safe. Let’s see what you do when you’re not doing this. What’s on your playlist? Is there music or podcasts in your car? Are you reading anything? Are you cooking? Do you garden? Are you Hang Gliding? It’s not like you have a lot of spare time but what are you doing when you’re not doing this?
I’m a firm believer that everybody has got to have some break, recovery time, and time away from things. As much as I can, I try to read. I love Patrick Lencioni. He came and facilitated a couple of corporate development weekends with our IT organization years ago. I’ve always been a huge fan of his books. They’re so relevant. Gary Burnison of Korn Ferry wrote a book called The Five Graces of Life and Leadership that I thought was good. I have to admit that I get a tiny sliver of the amount of time to read that I would like to. I’m big on podcasts and books through Audible or whatever while I’m in the car.
Everybody has to have some break, recovery time, and time away from things.
It doesn’t have to be about cybersecurity. Sometimes it’s about leadership, taking care of yourself or whatever it is. In this business, I’m sure it’s the same for your business, you always have to be in the mode of trying to get better at whatever it is that you’re doing. Sometimes taking care of yourself is a way to get better at your job. Getting better at your job gives you more time to take care of yourself. I find that these things all help one another.
I don’t think anyone would judge you poorly if you said, “I don’t get the time. Sometimes I sit outside quietly. I don’t read anything. I’m cool with it because I need to relax.”
That was one of the benefits of the early days of the pandemic when everybody got sent home. For the first time ever, I would be able to sit outside in our backyard with my wife first thing in the morning and watch the dogs run around in the yard while she was sipping coffee. Those times were so restorative.
Here’s the last thing, shameless plugs. If people are looking for you, if you are writing or speaking, if there are charities or cool things that HCA is involved with or anything like that, let’s give you the spotlight to point it anywhere you want to go.
There’s not a lot that I would point to about myself. We try to keep a pretty low profile as a company so it’s rare to do things like this. I don’t have anything out there on the web. Nothing on social media. We’re very active in the Health-ISAC, which is an organization. You’re probably aware of all the different industries in ISAC’s Information Sharing and Analysis Centers where they share information. We try to be very active in working with others in healthcare and sharing information, whether it’s threat information, vulnerabilities or best practices.
We’re up to nineteen CISOs and other organizations have come out of our team here. We’ve got a natural connection to a whole bunch of other companies and other CISOs that we try to stay in touch with and share information. That’s probably the biggest thing. Here’s a personal thing. I’m heavily involved with a group here in Nashville called Dismas House that helps men who are coming out of incarceration to adapt back to society. We provide them with housing, meals, and health benefits. We help them get back on their feet with jobs and so forth. That’s a place that I always advocate for.
This is genuine humility. This is not like, “I don’t want to talk about myself.” This is for real what is happening. I want to tell you one more time what HCA is doing. They are birthing more babies than a continent. It is a place where things get done. If you want to find out more about what they’re doing, please go to HCAHealthcare.com. All of the social media information is out there.
Paul is too busy to be tweeting. I cannot prove or deny that he’s not making dance videos on TikTok. I just haven’t seen any yet but that doesn’t mean that there might not be any of them out there. Paul, thank you so much for taking the time. Your day has to be ridiculous. I can’t believe that you even get any sleep but science proves that you have to sleep to be alive. Thank you for coming to the show.
It has been great. Thank you, Matt. Thanks for covering for me there. That should have been my answer about the HCA Healthcare website.
It’s okay. You got enough to do. You don’t necessarily have to have that on the tip of your tongue. Paul, I’m going to offer to steal more of your life because we are going to put together some round tables where we’re going to have some interesting conversations. Given that I probably got into about 1 out of 87 of what your day looks like, if you would like to come back 86 more times, you’re welcome to. We got some more stuff to talk about. You got to tell us more about the Bosch writer’s room because we got to talk about that. It’s only going to get weirder.
That is it for this episode. Thank you for joining us on the show. For more information and all that’s good in the world of cybersecurity, make sure that you check us out. You can find us on LinkedIn and Facebook. The mothership is ElevateSecurity.com. You can find me @PackMatt73 across all the socials. I don’t talk about myself very much, I talk about them.
This episode was a lot of fun, as my voice was dying because I talked too much when we got a great guest. Make sure you check out the show across all of the platforms. All we ask is for you to subscribe, rate and review, so you’re never going to miss all the great folks who are coming on the show to talk about all the cool stuff. I can’t guarantee that everybody is involved in cool things like The Lincoln Lawyer but we’re going to try. I’m sure we’ll be able to do it again. Until then. We will see you next time.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- HCA Healthcare
- PricewaterhouseCoopers
- White House Communications Agency
- Health-ISAC
- Be the Hero Campaign
- Patrick Lencioni
- The Five Graces of Life and Leadership
- Dismas House
- @PackMatt73 – Instagram
About Paul Connelly

Paul Connelly is a uniquely-experienced cybersecurity executive – the architect, builder, and operator of the program protecting the nation’s largest healthcare provider, a consulting practice covering the Southeast U.S. for a big four public accounting firm, and the first program at the White House over a 38 year career in this field.
Currently, Paul is Chief Security Officer and a member of the senior team, leading Cyber Security, Privacy, Information Governance, and Physical Security programs at HCA Healthcare, the nation’s largest provider of healthcare services. He built and has led HCA’s program since 2002.
Paul started as an information security analyst at the National Security Agency in 1984, spent nine years as the Information Security Officer and builder of the first Information Security program at the White House, and six years as a partner building and leading an information security audit and consulting group that covered the Southeastern U.S. at PricewaterhouseCoopers.
Career highlights include:
- The first Information Security Officer at the White House, serving under Presidents Ronald Reagan, George H.W. Bush, and Bill Clinton.
- Inducted into the White House Communications Agency Hall of Fame.
- Recipient of the federal government’s top award for achievement in Information Security, the Rowlett Trophy.
- Information Security Executive of the Year for North America.
- 29 members of Paul’s teams have been selected as Chief Information Security Officers at other organizations.
- Paul has Bachelor’s and Master’s degrees in Resource Economics from the University of Florida, completed the US Naval War College National Security Studies program, holds the National Association of Corporate Directors Directorship Certification and Cybersecurity Oversight Certification, and is part of the Leadership Nashville class of 2018.