healthsystemCIO.com

Q&A with Health First VP, CISO & CTO Michael Carr: “We Must Make Sure the Business Understands the Risks it is Accepting”


The ultimate challenge for a CISO is to get all of an enterprise’s stakeholders to recognize that IT is not in the security game just to protect the data; it also has the organization’s bottom line and care outcomes at heart, says Michael Carr, VP, CTO and CISO at Health First, an integrated healthcare delivery network on Florida’s Space Coast. According to Carr, this is done by finding a good way to articulate security risk in the context of all the other organizational risks. “And I think the ability to quantify, the ability to measure, and really to help people understand everything is a critical issue,” he says. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Carr discusses testing business continuity plans, getting buy-in on purchasing decisions, third-party risk, cyber insurance and more.


Bold Statements
“(Getting cyber-insurance) is a long, tedious, painful process. And I think part of it is because there is no industry standard around information security. I know a lot of organizations have adopted NIST CSF, not everyone. So everybody’s got a different playbook – even the insurers look at different information.”
“I think third-party vendor management is one of the hardest things that organizations have to deal with. It’s not just you and your business partners, it’s business partners of your business partners or business partners to the business partners of your business partners.”
“ … we’ve got to have commitment to actually test that. I think that’s the last piece. It’s great to have a documented plan. But if you’ve never tested, if you’ve never exercised it, good luck in the case of a real disaster.”
Guerra: Michael, thanks for joining me.
Carr: Thank you for having me.
Guerra: Why don’t we start off with you telling me a little bit about your organization and your role.
Carr: Sure. Well, Health First is an integrated delivery network that primarily serves Brevard County, Florida. So we’re about an hour east of Orlando, along the Space Coast. Our organization has a health plan, four hospitals and about a 500-member provider group. My role is chief technology and information security officer. In that role, I’m accountable for our core platforms, technology, development, architecture, our data and analytics and our information security program.
Guerra: Excellent. I always like to find out, especially for CISOs, how you wound up where you are. So, tell me a little bit about your career path that got you to the security side of healthcare technology.
Carr: Sure. Going back before healthcare, my background is in finance. That’s where I started my career. I spent about the last 15 years in healthcare — for about the last eight or so, it was more of a specialization focus on security. Honestly, I got into security by accident. And what I found is an affinity to my finance background in terms of not just around audit and compliance; a lot of people think that that’s a natural fit. It’s really more about, how do we take something that we know is important (like information security) and how do we make it actionable? How do we make it measurable? And once I understood the impact of security—on not just healthcare, but across all of our critical industries—it really drew me into it. So being able to take my finance background, my operations background,
By Anthony Guerra
