When it comes to getting a healthcare organization’s cybersecurity house in order, Joshua Roth, CISO at Children’s Hospital of Orange County (CHOC), says he starts with four things: the people, the processes, the technology stack, and managed services – and then looks to tackle the low-hanging fruit. In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Roth talks about his new role at CHOC and what keeps him up at night. “If there’s one thing to pick,” he says, “it’s obviously any large-scale event. We train for it continuously. We’re constantly evolving to be in front of it.” Add to this a good bi-directional relationship and trust built with the business side of the organization, keeping the board educated, staff happy and not taking vendor security lightly. “My biggest risk area is the third parties and ensuring that they’re not compromised,” he says.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

“ … one of the challenges that healthcare organizations have is your clinical space is getting younger, and their reliance on technology – and in all fairness to them, it’s due to the fact that we have all the technology here – is huge. If we go to downtime procedures, they have less experience or almost no experience of going into that method of doing their jobs.”

“One of my worst nightmares would be going to them and saying, “Hey, we’ve got ransomware. And I have no clue.” I don’t want to be in a situation where we feel like we’ve just got to shut everything down. In a healthcare organization, that is scary.”

“ … your resources – especially in cybersecurity where it’s tough to find them – are very, very important assets to you; the most important asset to you. So really making sure that, as you’re fighting the battle with threats, you’re paying attention to your people.”

Guerra: Josh, thanks for joining me.

Roth: Thank you for having me.

Guerra: Great. Looking forward to a fun chat. Josh, can you start off by telling me a little bit about your organization and your role?

Roth: So my organization, CHOC, is Children’s Hospital of Orange County, one of the leading hospitals in Southern California for treating children. And my role, obviously, is to protect that organization as the chief information security officer. I think it’s been about 10 months I’ve been in this role at CHOC, so I’m still relatively new to the organization.

Guerra: Excellent, excellent. All right, you want to tell me a little bit about your career journey, how you wound up in healthcare IT security?

Roth: Sure, so I’ve been doing security for quite some time. It’s probably been 20 years. I actually started out in networking in my journey within IT, and back in 2005, I worked for a city. And IT security didn’t really exist back then. So I’m one of those people that came up in cybersecurity as it evolved as an actual entity in an organization. So for most of us in that time period, we got to be part of the journey of what cybersecurity ended up being. So I started out in a city doing networking, and then with that had to own firewalls. And that’s when things were getting really interesting and it just kicked off my journey. I was very interested in it. I ultimately ended up at Kaiser Permanente. I spent a great deal of time at Kaiser Permanente. I started in 2007, and I went until about 2011.