It’s not easy to be a CISO in today’s risk-filled IT environment, and part of the reason for that is the difficulty of getting clinicians and staff to grasp the depth of the danger. But it’s something Melissa Rappl, CISO at Omaha, Neb.-based Children’s Hospital & Medical Center, is passionate about, and the way she goes about getting buy-in is with storytelling and relationship building. To her, it’s the bottom line. In this interview, Anthony Guerra, editor-in-chief and founder of healthsystemCIO Media Inc., talks with Rappl about the top problems CISOs are facing, including the potential transition to zero trust, direct targeting attacks, click-happy staff and how CISOs are in an arms race with the “bad guy.” Drawing on her long experience, Rappl offers ways CISOs can succeed in today’s constantly changing security landscape, despite the challenges.
Bold Statements
* Healthcare has a lot of partners, and I love our vendors, but they can also open us up to a lot of risk.
* It’s shocking how much data our partners have, and people don’t fully understand what they’re doing with that data.
* I think for some sectors, zero trust is going to be a lot easier to get to. I think it’s always going to be a hybrid approach for healthcare.
* As soon as the tools get better, then they’ll just find another way to approach an organization.
* Anyone who is a CISO knows that what makes a person effective in this role is relationships, because you have to be able to tell a story.
Guerra: Melissa, thanks for joining me.
Rappl: Pleasure to be here today.
Guerra: An interesting place to start is to talk about your career path and how you ended up where you are. It’s not just healthcare, it’s not just IT, it’s healthcare IT security, so it’s a pretty specific niche.
Rappl: Wow, what a fabulous question and what a great journey as I look back on it. I’ve been in this space since 1994, so I guess we can do the math on however long that is. Around 1994, I took a position at a non-profit, and they had not put in a network before. I was young enough, eager enough, naïve enough to take on that task. My bachelor’s degree was in public administration, so literally I had no technical background, at least from an education standpoint. But I was curious, and I had great mentors in the space. I had the CIOs at the two hospitals in Lincoln, Nebraska, and they worked with us because we were a non-profit and they were generous with their time. I took MCSE classes, networking classes, and we worked together, and we took this old hospital where the non-profit was located and built a network from the ground up.
And what an amazing opportunity. I was there for 24 years. It was a wonderful organization, and I thoroughly enjoyed my time there, and I got to do everything. I got to do networking and system administration. We put in our first electronic medical record software package, and we subsequently upgraded those. The amount of experience that I was able to draw from that role was really tremendous. I went back and got my master’s in health informatics and really wasn’t quite sure what I wanted to do.
And then, I became certified in corporate compliance. Because you wear a lot of hats at non-profits, I was their IT director, their infosec director, and also their corporate compliance officer. I really loved the compliance and security pieces. In 2017, there was a role that opened up at NRC Health as their director of information security,