healthsystemCIO.com

Q&A with UofL Health CISO Greg Peebles: For a Secure Foundation, Health Systems Must Address Technical Debt

01.09.2024 - By Anthony Guerra


Sure, health systems need attractive buildings, and the top physicians expect nice offices in which to work, but dollars must be found to address technical debt and the security risks that come along with it, or one’s IT house will be built on “a foundation of sand,” according to UofL CISO Greg Peebles. Of course, not all risks are created equal, he continues, noting that some are akin to a heart attack while others more closely resemble a slow-growing cancer. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Peebles also talks about the importance of fully utilizing the IT security tools one has before hitting the market for new ones, and how he expects vendors to continually communicate the best practices needed to get the most out of their software.


Bold Statements  

… we’re all facing that challenge of capital and expense, “Hey, we want to build new buildings, refresh our buildings,” but we also need to update our technical stack.

It’s just like when you’re doing a project at your house but you really need to clean up your current project before you move on to the next one. “Hey, you didn’t finish that trim.” I might hear this stuff at home occasionally, but it’s the same with IT projects.

I talk about these risks in healthcare terms; so having malware on an endpoint is like a heart attack. This could hurt you immediately. Whereas having 30 Windows 2003 boxes out there is more like a cancer in that if you just allow technical debt to keep growing, it’ll keep getting worse.

Anthony: Welcome to healthsystemCIO’s interview with Greg Peebles, Chief Information Security Officer with UofL Health. I’m Anthony Guerra, Founder and Editor-In-Chief. Greg, thanks for joining me.

Greg: Thank you. Glad to be here.

Anthony: Awesome. Looking forward to having a fun chat. Greg, can you start out by telling me a little bit about your organization and your role.

Greg: Yes, sure. So, UofL Health came from the University of Louisville Medical Center. They had a doctor practice, and they had a medical center. About five years ago, they were approached by the state about buying out the KentuckyOne hospitals that were owned by CHI. So we essentially quadrupled in size then and obviously, that makes it a challenge for IT making things all work, but they passed that hurdle, and I joined in March of 2022 as the CISO. I have been trying to make progress since then.

Anthony: Very good. So you mentioned you joined in March of 2022, so not too long ago. How did you get up to speed? What were your initial priorities?

Greg: I look at it as you need to understand security, you need to understand IT and then you need to understand the business and, quite frankly, you’re doing those in parallel. And quite frankly, I like to start some of that before even my first official day. What are all the security tools you have or the charts for security, for IT, and for the leadership of the business? So meet your team. What are they doing, division of work? What are all the tools? Who manages each tool? Getting the impression of what’s working well, what’s not and then you start meeting with the IT leaders as soon as you can – “hey, I’m Greg from security. I’m here to help.” What are your top two or three things? How did you interact with security in the past and what issues do you see?

In my 10 years of consulting, I did a lot of security assessment engagements.
