There is a looming threat in the healthcare industry today: ransomware. Eddie Borrero, Vice President and Chief Information Security Officer at Blue Shield of California, advocates that companies must start prioritizing security to ensure the safety of businesses and, most importantly, people whose lives are on the line when systems go down. In today’s episode, Matt Stephenson chats with Eddie to discuss the impact of not having the proper safety measures in place within your system. Technological advances and significant changes towards digitization of healthcare services offer conveniences and cost-cutting benefits, but leaders must also back these innovations with security.
Prioritizing Security in Healthcare With Eddie Borrero
For some of you that are here for the first time, you may know me from pm73media, perhaps the InSecurity Podcast or any of the myriad security events around the world over the years but here on the show, we will be bringing you top experts in the industry for a chat about all that is interesting and what we do to keep our world safe and secure.
Speaking of keeping the world secure, we are excited to welcome Eddie Borrero to the show. He is the Vice President and CISO at Blue Shield of California. His team drives the IT security program. He is leading the team and proactively identifying and mitigating threats, strengthening the security position, and generally promoting safe information management practices. There’s no pressure. He’s apparently quite the salsa dancer. Eddie, welcome to the show.
Matt, it’s a pleasure to be here. Thanks.
Should we open with salsa dancing or save that for Leadership Corner at the end?
I wish I could save it for later but here’s an interesting story. We were camping with probably a little over 40 people. At 10:00 at night, the sun went down. We had a whole salsa dancing event right there at the campgrounds.
There’s a lot to unpack there, whether the sun goes down at 10:00. Don’t give away the OPSEC. I’m jealous of wherever you were. We have all calmed down and relaxed given everything that’s going on in the world. The thought of salsa dancing around the fire at 10:00 at sunset.
It was a little past sunset but it was fun.
Let’s get serious. Blue Shield of California is huge. There’s no pressure on you but for your team, what’s the biggest security concern? There’s so much going on. Stack rank it for me. What is it like every day when you come in?
The biggest one in the healthcare industry as a whole is ransomware. I read a couple of articles on how nation-states are targeting the healthcare companies of the United States. They are targeting us because we have a lot of good data that they want but also, even hackers that are sponsored by nation states are looking for huge payoffs. Healthcare can pay and will pay because there are potential health and safety issues when systems go down.
Ransomware is a big one we see in the industry and all over the place. Suppliers and hospitals are getting hit with ransomware. It’s a big threat. Add on top of that, regulatory compliance and regulations are changing constantly. There’s your typical, “What do you have to do as a security professional to keep an organization safe?” Ransomware is top of the list for sure at this moment.
In your experience, is there a particular threat that stands out above the others? We all hear horror stories. There was that terrible story in Germany a few years ago where an ambulance had to be rerouted, which led to the death of a patient because the closest hospital had been hit by ransomware. Are we looking more inside the building? Is it outside the building? Is it vendors? What can you even choose? Is everybody tied for first?
Those core systems support people’s lives. Think of medical devices and systems that support that. That’s top of the list because that’s immediately impacting someone’s health and potentially can cause death. Outside of that, it’s more about a huge inconvenience for members and doctors. When systems go down, you can’t get the care and pay bills. Insurance companies can’t receive money. The whole ecosystem of healthcare gets disrupted. Funny enough, there are suppliers that supply services to many healthcare organizations in the United States.
When they get hit, it’s not just a problem for us. It’s an ecosystem that has major impacts. On top of that, because you are not able to do your services, you are getting regulatory fines all because of a third-party supplier going down. Business resumption has become a new game for everybody. You used to plan for resumption. When you have a supplier doing something for you, you would ask, “Do you have multiple locations and systems? Do you have redundancy?” Redundancy isn’t good enough anymore because when ransomware hits, everything goes down.
Inconvenience seems like such a mild word for this. When you talk about the healthcare system, where the rock hits the water is the ransomware attack on the hospital but there are so many ripples that you have to consider and that your team has to deal with. Patient health is first but then everything that comes after that and at the tail end of everything is billing because we have to keep the lights on with no electricity. If ransomware is crippling you from doing those sorts of things, what can you do? There’s no pressure on you but go ahead. In California, the fifth largest economy in the world, Blue Shield of California is a massive healthcare system. Solve the problem for the world if you mind.
The take I continue to push is to have good business resumption with the consideration that suppliers and systems will go down. What does that mean? How do you keep your services up and running? Even if it’s a minimal percentage of what you’ve done originally, how do you resume business? In a lot of the situations that I’ve personally experienced throughout the years, the CISO participates in corporate crisis management to get the business up and running. You learn you can’t be dependent on one vendor.
There used to be this whole concept of supplier simplification. Now, you have to think through that a little bit. If it is supplier simplification, can you continue your business with a ransomware attack in play with all systems, technology, and communications hard down for at least a week? It’s a different ball game altogether. People and processes are important. Not being dependent on one technology or one location to do a particular thing is a new way of thinking. Maybe the old is new again.
We like to plan these things out ahead of time when we talk about what we are going to talk about but you haven’t mentioned business resumption. Once upon a time, storage and recovery were separate teams. It was all under IT, whether it’s the CTO or the CISO, but now, the notion of disaster recovery has to be a security play. Without getting deep in the weeds, you can’t give away the secret sauce of what you do. How integrated are those teams? Do they work together? When you talk about backups and recovery, it seems boring but not when you are in a hospital.
They have to be very integrated, connected and focused on collaboration between resumption and bringing systems back up. A lot of companies are building out their backup and recovery component as something that is not the shield but the response to ransomware. If that’s not protected or guarded, you are now in a game of negotiation, which you don’t want to be. You want to be able to recover.
This recovery process is real. It’s becoming more real for companies as they go through this. What I see as a good practice is to practice that. Test out your recoverability and the assumptions around your business processes and prioritization. What comes up first? In more companies that I work with that have experienced this, a lot of those plans go out the window.
They are recovering systems that they thought would be number 4 or 5 down the list but their customers are demanding, “Bring this thing back up.” It’s more important than anyone even thought about. I don’t think there’s a perfect formula for this but if you are not practicing, testing, and thinking through what the business processes are and how to communicate when ransomware happens, you are way behind the ball.
It was Mike Tyson who said, “Everybody’s got a plan until they get punched in the face.” What you have to plan for is getting punched in the face. Also, you don’t know where the punch is coming from. As far as planning for the risk of getting punched in the face, it has always been a buzzword or a cliché. It’s the driver but it seems to be getting worse. In your position leading this team to protect this massive enterprise that has lives at stake, what do you do? How do you inspire your team to be ready for anything?
My company and the reason I’m here is that we have a great mission. Get people to start to believe in that mission, and tie their hearts into the work that they do. It’s a lot harder said than done but when you are in the healthcare industry, people understand it. Everybody has had an experience at the hospital with themselves or their families. Everyone gets this mission. When you start to talk about what we do impacts lives, what you do is meaningful to people and when it stops working, there’s an impact.
Nobody wants that. You get to see people get inspired about keeping the services up and running because it’s not about dollars and cents. It’s about making sure people are getting the care they need. We are following the rules we need to follow. Regulation in our space is not just about fines. You can be removed from being able to give care in certain areas if you don’t do it well.
The simple answer to that is tying what you do to people’s hearts so that you get an extra level of motivation and of people being willing to fix the situation, work throughout the nights or multiple weekends, push through the hardships of it all, and get things back up and running. Every crisis I have ever been in brings the best and the worst out of people but when you are done, everyone is more connected.
The people that you have been in that crisis with become much more than coworkers. You’ve had the war experience. That builds a lot of camaraderie. The next time something happens, forget it. There’s trust and intimacy. There are people working hard again to get things back up and running. For crisis management, if people aren’t focused on how to do true business resumption, once again, it’s a losing battle but tying to people’s hearts keeps getting people to care.
That’s such a great point. With all due respect to every other industry outside of healthcare like finance, video games, Netflix, and all the stuff that makes the world tick, we are all going to get old, get sick, and have to deal with something. What your team is doing is protecting people who are coming to you because they are in a crisis situation. When you talk about connecting with our hearts, can we talk about the dinosaur? That’s a terrible segue but I had to figure out a way to get to it.
We are working hard to build unique security. I can think of it as an advocacy program. We call it the Data Defenders. It’s all about helping people understand how to protect themselves and their families at home and then teaching them that they can take those skills to work and help protect Blue Shield of California. We are connecting to their hearts because we are making it personal. We train them around what they could do at work to be much more secure in their day-to-day activities.
The dinosaur comes in because we leverage Elevate to give people a personalized scorecard of where they are in their day-to-day activities in regards to protecting the company. It’s getting specific, incentivizing, and encouraging people to do more to protect our company and our members. On the side, we then serve to make sure we have all kinds of training blogs and videos, you name it, that people can pull from. We push content out to folks as well.
It encourages good behavior but also gets very specific around what you as an individual can do to protect yourself, your kids, and our members. We are trying to get into this place where we can start to personify that, meaning if you are in accounting, there are probably unique things that you need to be aware of and focus on to protect our financials. You are in member services or customer support. There are different things you’ve got to think through and think about.
How do we create a scorecard or incentivize a gamified program that encourages people to do what they need to do in their job function and as an employee of our company? The dinosaurs help because as you get better, you become more indestructible. You get better caricatures but it’s making sure it’s going to get better at being specific to our individual employees. It’s not like you don’t get the mass training, “We are talking about you and your behaviors. Here’s what you can do to help us even more.”
Everyone at Blue Shield of California is going to be chiming in with their dinosaur or whatever they received. How do they get motivated because of this thing? I love that idea. I liked that you mentioned the notion of accounting and all this stuff because I feel that, in general, people have two thoughts when it comes to healthcare. It’s where we go for healing, and then it’s when people get mad at it afterward.
Part of your job too is that you have to protect both sides because it’s not about billing patients, which is something that needs to be done but it’s also making sure that patients are taken care of by connecting them with the insurance industry and all of the things that are covering all of this stuff. When you talk about the employee to care, you’ve got an interesting group. Our industry, by definition, is cynical. It is 1s and 0s. It’s as black and white as it comes but when it comes to healthcare, that’s a different thing. There are so many balls in the air. How hard is it for you and your team to juggle all of those things?
That’s super hard. I work with a lot of different executives outside of Blue Shield of California. I’m in mentorship programs and all kinds of different things around trying to help bring up urban children from the classroom to the boardroom and getting people into tech. From CEOs, CFOs, and CIOs, security is one of the most complex jobs that are out there because there’s no set direction or goal.
For a CFO in finance, you have to be writing the books and doing accounting practices. You know that job. You can even be taught that job. Experience enhances you. CEOs know what they have to do. You have to promote the business, raise stocks, and lead a team of executives. Security has to cut across everything. We get involved in every aspect of the business.
You want to pick a supplier or do a merger. You have an issue. You want to build a new application or business process. We are here to help make sure it’s compliant and secure. We also throw in some strategic things. I have a team of people that have worked at 30 different companies in 30 different industries that can bring new flavors.
What I’m seeing is that especially the CISO role is turning into a much more business executive-style role that has great technology experience and that helps the strategic goals of a company be achieved. The other thing I see is CEOs, key leaders, and organizations are starting to realize this is a position that can help, especially when you think about health, growth, and being a differentiator.
Let’s stick with healthcare. We achieve the goals and aspirations that we have in the healthcare industry to make healthcare more like an Uber experience. Imagine one day I need to see the doctor. I get on my phone. I go to an appointment. I know who I’m going to see. It’s easy. I get in there. I know what it’s going to cost, what my conditions are, and my entire history. I know what my kids are doing and their health.
It’s all right there at your fingertips. We are so far away from that but yet so close. The thing that is going to make that real is security because we have to match the data we are giving you and confirm it to you. We must bring all this stuff together about who you are as an individual. All that data is highly protected from a regulatory standpoint and highly coveted by nation-state threat actors.
Imagine how important security is to healthcare and making that strategic vision a reality. Everyone is after that experience trying to make things simpler and more digitized. Think of the likes of Microsoft, Google, and Amazon. Every healthcare company in the world is trying to digitize healthcare and make it simpler but without security, that’s never going to happen. How do you do it? When you are in those discussions, the security mindset or the CISO has a role to play to help make that a reality. It may dare to say lead some of that stuff.
You made the Uber comparison. I’m trying to imagine which is more horrifying. I flip up on my phone and be like, “Dr. Borrero will be there in nine minutes,” or you, as the person who is in charge of all of the security between Dr. Borrero and me, are making sure that everything that happens between the two of us is secure. My heart will be transplanted, and everybody is going to be able to do it appropriately, and the hospital lights aren’t going to get shut off because the Russians are chiming in and seeing what’s going on.
I read an article in Forbes. They were talking about some of the unexpected outcomes of COVID. When COVID hit, TeleHealth spiked up, and because of that, some organizations in the industry saw costs of healthcare go down and the equity of healthcare increase. That’s one of the major goals of every healthcare organization, “How do we reduce costs and bring more equity into the healthcare system?”
TeleHealth is a way. As TeleHealth builds up, it’s going to be more than just a Zoom call, “Matt, put your heart monitor on. Let’s get your blood pressure reading.” All that stuff is going to be digitized and interactive, at least in Eddie’s vision of the world. To do that, you have to be secure. Imagine if your heart monitor is on there, and it even gives you a false reading because some hackers in there are trying to scare Matt to death.
“Stay in the hospital. Pay more. We are going to take your credit card.” What we have been hearing with the advent of 5G, faster internet, and the true global connection is that we will be able to perform surgeries remotely. I don’t think we are there yet but that’s something as far as all of the things that are stacked on your plate that you need to have already done what you are already doing, and as you look to the future, it’s your priority for your team. This is a massive healthcare system. I cannot understate this. It’s the fifth-largest economy in the world, not a state in this country but the world. There’s no pressure on you but what do you look at every day you come in? You’ve got to rerank everything that you’ve got to do.
I’m going to answer this question more as a practitioner than anything else because security is super complex. You can never have the privilege of prioritizing one thing. That’s part of the challenge. If all things are priorities, then nothing is a priority. For me, it’s about cloud security. How do we make that more real because everything is being digitized?
It’s about the architecture of the technology that Uber built. It’s the building blocks. What does that start to look like? Are we doing that in a way that can not only keep things secure now but into the future when it’s going to be used, seen, and interacted with differently? Measuring and communicating risk is a big thing for us. What does that look like?
Third-party supplier risk is a big thing for me as well but measuring that risk is complicated because you can have the best business partner in the world. They can have the top scores on our security risk assessment, and because we didn’t confirm it or look deep, we get hit with ransomware. Now, they are maybe not the best choice. It’s discovering those risks and looking at things from not just a technical aspect but looking at leadership skills, experiences, and financials.
Does the company have longevity and a proven track record of success? In this world, it’s hard to find that combination in all your suppliers. User access, I talked about that a bit, is another big thing. When someone is interacting with us, I have to confirm who they are and ensure that the data that they are accessing is what they should be accessing. That gets complicated.
I will use two examples. Hopefully, they are simple. One is if you are a provider, you should have access to all the information you provide to us or all the members you care for. I’ve got to connect all those dots. If you are a member or a father with children and a spouse, you’ve got to connect all those dots. I have to make sure it’s you. When you think about the complexity of our healthcare solutions like the different providers, what we do, and our business partners, it becomes very crucial that user access is at the heart of that. It’s the foundation of connecting data.
“How do I know if things are good and if controls are working?” When I think about security operations, it’s not like The Bourne Identity scene where you see people monitoring everything. It’s about, “I’ve got to ensure that every control that we have in operation is operating effectively.” That doesn’t mean uptime. That means, “I’ve got to attack it and make sure it’s doing what it’s supposed to be doing.” There’s so much that goes on around operations. One of the things that I look at every single day is this, “What’s the health of our controls? Are they operating the way they should be?” It’s a big one for me.
I’ve got a lot to unpack there. We don’t have time to get into all of it. Consider this your official invitation to the first of the show’s all-star games, whether we do it quarterly, once a year, end of the year or whatever it is. You said something that, to me, sounds horrifying because I’m not a CISO, nor do I want to be one. Congratulations to you for wanting to do this thing. When you said, “I need to know if everything is good,” I was like, “How do you know things are good?”
It’s the constant, “Expect what you expect.” It’s a lot of work.
That’s from the guy who has to negotiate all of these C-Suite meetings and knows exactly how to sidestep the landmine while still answering the question and providing valuable information. I know that we can’t get deep into the details but let’s talk a little broader stroke for you as a CISO of a large organization that is dealing with this. How does your org break out security functions? Let’s get these large pillars in the Venn diagram of things. When you come into your team, whether it’s daily, weekly, monthly or how often you do this, how are you broken out to address the needs of the organization?
I worked with a gentleman. His name is Jason Zirkelbach. I’ve got to give him lots of credit here. We worked together for many years in multiple companies. As the cloud was picking up, we were the big pushers or leaders in the space, and some of our organizations on how to do that securely. We are constantly reinventing ourselves. This is a big part of his thinking. What we came up with was, “Why don’t we productize the security model? It seems to work well in every cloud company, every dev shop in the world, and every software company out there.”
We took that and ran with it. I’m a big advocate of this. We have an engineering function. Think of that as DevOps. In there are product teams that align to certain capabilities. Think of endpoint security, data protection, and threat intelligence. All those folks are our product team. They live, breathe, and eat what they do and maintain their tools or capabilities. They make sure they are inspecting what I expect in those spaces. What we have found is that you build this ecosystem across functionality that takes off like a rocket because the teams aren’t just tool guys, ops guys or developers on the side.
They are taking care of a capability. It’s almost as if they are running their own business within the organization. Part of that is we’ve got to have people that support other product teams in the company that aren’t security products. Think of capabilities and claims because every capability within our company is supported by technology and products within that. How do we implant security in such a way that we are not expanding crazily? We are simplifying and streamlining what we do but focused on that space. Think of that as regular product support.
I mentioned access control. I have a big focus on identity and access management both on the customer side like members, providers, and brokers and then internally. We have a trust organization. Think of the teams that are helping our organization manage risks, maintain compliance, and get into ensuring the right controls are in the right business processes. Lastly, I have my administrative function, which is super important because you can’t do anything without finance and a budget.
They do the budget and our advocacy program. They help me run the business of security. That’s extremely important to have because, without that, my life would be consumed, “Where are we spending our money? What do the contracts look like? Are we doing the right things? Are we managing our employees effectively from a business standpoint?” A lot of that work needs to happen. Every CISO needs support in that space because it can be very time-consuming.
We are coming up at the end of this. It stinks because this is a good question. You are going to have to compress your answer. Do those teams work well together?
Yes. That’s not by accident. It’s by design. I’m the kind of leader who forces collaboration and team integration. I do that with a lot of design thinking techniques. Even if you have people that are against, “This is my space and what I know. I don’t like what you are doing,” you have a choice. You can participate in the process or choose to go someplace else.
What I find is once people get into the process of designing this, the other thing I do is I don’t tell the team what to do. I encourage them, lead them to others, and let them build their capabilities. There are some things I will insist on but on other things, I focus on hiring people that are a lot smarter than me. I let them do their jobs.
There are two different things. You lead by inspiration and would rather be the dumbest person in the room. How are you even in the C-Suite? How does that even happen?
Humility and hard work go a long way.
The last thing is Leadership Corner. When you are not doing this, what are you doing? We already mentioned salsa dancing. If that’s what it is, what are you doing?
I love to cook. I’m a YouTube junkie, to be honest. I do cooking shows. I have a couple of different side businesses like real estate. I invest. I use a lot of YouTube to learn new concepts or look into what people are doing. I spend a lot of time there. I read a lot of magazines because as my travel builds up, I’m picking up magazines. All of a sudden, I’m like, “I love Forbes.”
What I remember, though, is I was in high school in the ’80s.
I like the paper and the feel of it. I do a lot of Bible study. To say that is probably not very PC but I do find that looking into my religious beliefs and the history of the world is very interesting. I have all kinds of other things. I love comic books. My daughter and I were watching all the Thor movies in the buildup for the new Thor: Love and Thunder. I have a Marvel encyclopedia. We are always in there, “Who’s that character? Who’s this thing? What’s that thing there?” We have a lot of fun with that.
That’s the official confirmation that you are a human being that sits atop in the rarefied air of the corner office of one of the largest healthcare systems in North America. You are a real person doing things. What are the odds? Let’s do a second for shameless plugs. If people are looking for you out there on social media or anything, where do they find you? Are you one of those security guys?
You can look me up on LinkedIn. I spend a lot of time there because my other side passion is helping especially underprivileged youth and veterans, have a better life. We do that by helping kids come from the classroom to the boardroom, which is one of the things that has been set out there but also helping underprivileged folks get into corporations through technology and learn technology skills. LinkedIn, to me, is a great medium to promote those opportunities and organizations that are doing more in that space. I do spend a lot of time there.
There are real-life people inside these giant buildings with the big corporate logos on them that make them function. What are the odds? Eddie, this is terrific. We’ve got so much more to talk about. The invitation is extended. Hopefully, you will have the time and availability but you do have a few things on your hand to make sure that the people of California are safe, healthy, and secure. Thank you for coming by.
Matt, it has been my pleasure. Use less words. I love that sign. We talked about it earlier. It’s a message for everyone. When you told me that, it’s not just the difference the space makes. It’s a really big communication tool. Listen more. Talk less.
I might be inviting you to be my co-host on some of the other stuff that I do. Stop stealing my thunder. You are the guest. You are not supposed to say stuff that cool. That’s it. Thank you for joining us on the show. For more information on all that’s good in the world of cybersecurity, make sure that you check us out. You can find us on LinkedIn and Facebook, as well as ElevateSecurity.com. That’s where all the cool stuff is going on.
You can find me @PackMatt73 across all the socials. Come back to our thing. We’ve got so much good stuff coming up. Believe me, Eddie is coming back. We have another Ed coming up. We’ve got more things to do. We are going to have some fun. We haven’t even talked about comic books yet and how they apply to cybersecurity but it is happening. Stick around, folks. We will see you next time.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Eddie Borrero
- Blue Shield of California
- pm73media
- InSecurity Podcast
- @PackMatt73 – Twitter
About Eddie Borrero
Eddie drives Blue Shield of California’s IT Security program, leading the team in proactively identifying and mitigating threats, strengthening its security position, and promoting safe information management practices as they prepare for growth opportunities.
With more than 18 years of information security management experience, Eddie’s clear vision and inclusive style will guide Blue Shield of California in aligning their cross-functional security strategies, enabling them to support their members securely and protect their environment as they scale for growth.
When he’s not salsa dancing with Michelle, his wife of 25 years, Eddie enjoys spending time with his son Julian (14) and daughters Sofia (11) and Alexandra (9), and staying involved in his community. Eddie is also a veteran of the U.S. Navy, having served on the USS Abraham Lincoln.