healthsystemCIO.com

Q&A with Yale New Haven Health Deputy CISO Trevor Brown: “Risk is a Language Clinicians Understand”

01.15.2024 - By Anthony Guerra


There’s an old adage that people won’t comply with the “what” if they don’t understand the “why.” For information security professionals, communicating the ‘why’ around the need for compliance with security policies has always been a challenge. Trevor Brown, Deputy CISO with Yale New Haven Health, says one of the best ways to get the point across is embedding the messaging in a risk context, which clinicians – who deal in it daily – well understand. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Brown discusses this issue along with the importance of leveraging phishing exercises to keep users sharp; why it’s a huge benefit to hire folks who know clinician operations; vetting new applications to mitigate third-party risk; and much more.


Bold Statements

when the early phishing emails came out, they were very recognizable; bad spelling and the sentences just didn’t make sense. Now the phishing is so realistic that you get them and you’re like, ‘Well, I am expecting an Amazon package today, is this it?’

… our approach when we’re discussing information security – since we deal with a lot of physicians, nurses, a lot of patient-centered individuals – is to really portray it and put it in a risk perspective, because those individuals are dealing with risk every day with their patients.

I’ve been here over 10 years and earlier in that timeframe, people didn’t want security involved. They wanted to just get their projects done because they knew there could be some time holdups or certain types of requirements, extra requirements to delivering the end product. Later in that period of time, it’s completely flipped where now no one wants to do anything without ensuring that it’s gone by security for that check.

Anthony: Welcome to healthsystemCIO’s interview with Trevor Brown, Deputy Chief Information Security Officer at Yale New Haven Health. I’m Anthony Guerra, Founder and Editor-In-Chief. Trevor, thanks for joining me.

Trevor: Nice to be here, Anthony.

Anthony: All right, very good. Can you tell me a little bit about the organization and your role there?

Trevor: Sure. So I’m currently with Yale New Haven Health, we are right around 30,000 employees, primarily focused in Connecticut as Connecticut’s largest healthcare system. We have five main hospitals and probably around 350 off-site locations. We’ve also expanded into Rhode Island and New York and always – like companies our size in the healthcare space – we’re looking to pick up acquisitions where we can. And in terms of the security group, we have about 40-45 people in security, primarily focused on risk and audit, identity access management, cybersecurity, and security architecture.

Anthony: All right, very good. I want to start with an open-ended question, just see what’s on your mind. What are you thinking about these days, any big trends you’re looking at, big projects you’re working on? So, what’s top of mind for you?

Trevor: There’s a few tracks. I mean, one on the actual tool side we look to use best of breed tools. We do shift from time to time and there’s usually a project ongoing in that space. One initiative that I’ve really been pushing this year is end-user training. So, a lot of organizations, they talk about end-user training, but we’re really pushing it to the point of going to locations, meeting with department staff before their shift starts, providing that user training on the spot,
