
Q&A with WellSpan Health Director of Information Security Mike Shrader: “Empathy & Collaboration Go a Long Way”

Author: Anthony Guerra
Published: Mon 02 Oct 2023
Episode Link: https://healthsystemcio.com/2023/10/02/wellspan-health-mike-shrader/
It may be a cliché, but for security leaders, knowledge is definitely power. And that knowledge must come from a number of directions. First off, CISOs and their teams must be ingesting the latest threat intelligence to know what the bad guys are up to, but that information can only be acted upon in a timely manner if they also have knowledge of their systems, according to WellSpan Health Director of Information Security Mike Shrader. Shrader, who essentially functions as the organization’s CISO, says the needed knowledge doesn’t stop there. To run a tight identity and access management program (often cited as an absolute key to any security program) cyber teams need to be kept in the know as roles change so permissions can flex up and down with them; the down part being key. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Shrader discusses these issues and many more.






Bold Statements  

… we also have to have the knowledge of our systems. We have to know where is that (threat) applicable in our environment, what is truly exposed, what can be taken advantage of quickly …

As soon as HR finds out someone is terminated, we need to make sure that that is automatically fed into our system to deactivate those accounts as quickly as possible because otherwise accounts linger on. We’ve all heard stories like so and so left two years ago, the account is still active and they’re logging in or someone else is logging in with those accounts. Lifecycle management is absolutely huge to stay safe.

How do we make sure we can operate as a system if or when the (electronic) systems are down? We’re actually doing tabletops on these now – business impact analyses with third parties to help us really identify where those gaps are and make sure we address them.

Anthony: Welcome to healthsystemCIO’s interview with Mike Shrader, Director of Information Security with WellSpan Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Mike, thanks for joining me.

Mike: Thanks for having me, Anthony.

Anthony: Great. Looking forward to having a fun chat. Mike, let me start off by asking you a little bit about your organization and your role.

Mike: As you said, I’m Mike Shrader. I’m Director of Information Security for WellSpan Health. We are an integrated delivery network in south central Pennsylvania as well as the northern part of Maryland. We have 20,000 employees. Of that 20,000, 2,000 are employee providers. We have 220 locations across south central Pennsylvania and Maryland. We are an 8-hospital system along with home care services as well as behavioral health.

Anthony: Very good, Mike. Do you report to a CISO or do you function as the CISO?

Mike: At this point, we do not have a CISO but I would be the highest functioning leader with security as my focus.

Anthony: Is that an open position or they’re going to fill it or they’re going to create it or they’re just going to stick with you as the director?

Mike: At this point, we haven’t decided if we’re going to have a CISO or if one is necessary. But I do report to our Chief Technology Officer who reports to our CIO. We all have a heavy focus and paranoia around security but at this point, no, we do not have a CISO.

Anthony: Excellent. Tell me, I’d like to start with an open-ended question, see what’s on people’s minds. What are some of the things you’re thinking about, looking at,
