
Q&A with Northwell Health CISO Kathy Hughes: “BCP Requires More Preparation Than Ever.”

Author
Anthony Guerra
Published
Mon 31 Jan 2022
Episode Link
https://healthsystemcio.com/2022/01/31/kathy-hughes/

Having been a victim of identity theft, Kathy Hughes, VP/CISO for Northwell Health, is probably more sensitive than most to the possible effects of data breaches. As such, she and her team work extremely hard to make sure breaches don’t happen, but also to be in a position to respond quickly and efficiently if they do. Being efficient in one’s reaction, to Hughes, means having processes queued up and ready to go when something happens, rather than using the incident as the starting point for putting a response team together. In this interview, Hughes also talks about the importance of IT not being isolated in the organization, how important it is to prepare new hires for immediate phishing attacks, and how to address employees who can’t seem to keep from clicking.


Bold Statements

“ … you could be down for days, weeks or even months and you really need to be prepared to deal with that.”

“ … ultimately what we do and how we protect our systems isn’t an IT issue, it’s an enterprise issue.”

“It just takes one person to click on a link in order for systems to become unavailable. Disciplinary action can lead up to and include termination.”


Guerra: Hi Kathy, thanks for joining me.

Hughes: Thanks for having me, Anthony.

Guerra: Great, looking forward to having a nice chat. I love to start these out, it’s an interesting role, you’re not just in healthcare, you’re not just in IT, you’re in healthcare IT security. So I like to find out how people wound up where they are. Take me back and tell me how you wound up in this little niche of the world.

Hughes: Okay, well I think like most of my peers and other people I know that you’ve interviewed, we tend to start out on the infrastructure side of the house and the operations and the engineering, even the architecture side, which is where I started many years ago. I’ve always had an interest in security. It was part of what we did on the infrastructure team. Typically, people associate things like patching and malware protection with security, but it became much bigger as time progressed. A lot of organizations, like Northwell, felt the need to break it out separately and to really focus time, effort and people on building out a program to ensure the appropriate defenses were in place.

When I joined Northwell initially I was on the outsourcing side of the house and in charge of all the traditional infrastructure teams. Then an opportunity became available at Northshore LIJ, which is now Northwell, to really lead up and head the disaster recovery program. I really started focusing on that about eight or nine years ago. Built out that program to where it is today and we’re still going through a number of changes as things evolve and such. During that time, I was asked to temporarily take on the security function because the director in charge of the group had decided to leave. I took over the team on an interim basis and quickly learned just how much needed to be done in that area.

When they did eventually hire the director to take over, I specifically requested that I hold onto the risk management group because I really found that interesting and knew that a lot needed to be done specifically in that area. So I held onto that and really matured that program, as well. We really built out our HIPAA compliance and security program (along with my peers in corporate compliance), built out the PCI security program, and other programs as well.
