Q&A with Bob Schlotfelt, Executive Director, CISO, Valleywise Health: “A My Way or the Highway Approach Doesn’t Work in Healthcare”

In this interview with healthsystemCIO’s Anthony Guerra, Bob Schlofelt, Executive Director and CISO at Valleywise Health, discusses:



* His experience in multiple industries;

* Why healthcare is up there with the most difficult industries to be a CISO (hint: because every doctor is another boss);

* Why the fact that many health system physicians are not employees makes IAM challenging;

* Keys to successful BCP (hint: practice, practice, practice);

* Thoughts on the merits of different CISO reporting setups;

* Keys to a great first 100-days plan for CISOs starting new positions;

* How to handle risk acceptance by business units (hint: document it)





LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Anthony: Welcome to healthsystemCIO’s interview with Bob Schlofelt, Executive Director and CISO at Valleywise Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Bob, thanks for joining me.

Bob: Thank you, Anthony. Appreciate the opportunity to talk to you.

Anthony: Awesome, Bob. Let’s start off with you telling me a little bit about your organization and your role.

Bob: I’m with Valleywise Health. We are a health system in Phoenix and the county hospital for Maricopa County. We used to be part of the county government, we sort of are now. We do get some of our revenue from county property taxes.

We are also what’s called the safety net hospital for the county. In the event there’s any kind of disaster, we get called up first. We’re also the POTUS hospital for Arizona. If the President or VPOTUS comes to town, they don’t necessarily stop by but if there’s an event we’re their first stop.

Anthony: I didn’t know that. Is there a designated hospital in every city?

Bob: It depends on the President and the Secret Service. There was one time last year when POTUS came to town and one of our other hospitals in the area was called upon because he was going to be visiting there anyway, it made sense for them to just do that. Myself and/or the CIO will get a call from Secret Service or advance team asking “are you guys ready, anything we need to know about, anything going on?”

When the VPOTUS came to town we had just moved into the new hospital so it’s kind of a showcase. It’s all brand new. That was one of the reasons we were picked again. Usually they’ll pick a government related facility, not just a private facility. Being a safety net hospital is just that, we’re the county entity for Maricopa County, the largest county, population wise, in the state.

Anthony: Very good. I know that you have spent the majority of your career outside of healthcare, correct? But in security?

Bob: I’ve been in and out. I’ve was in healthcare once before with St. Joseph Health in California. I was a Regional Security Officer, and I covered Texas and New Mexico.  I was also with BASE, a life sciences company that made heart valves and then I came to Valleywise, a true health system.

Anthony: With that experience, do you have any thoughts in terms of what you see inside healthcare versus outside when it comes to cybersecurity, either a commitment to, a percentage of spend or even risk profile?

Bob: I think the risk profile is the same regardless of the industry. Because we’re a county hospital system, we are a target. If you think about the bad guys who try to get data, then try to get money. We have a lot of data. If you think about your medical record outside what your accountant or tax preparer h...