healthsystemCIO.com

Q&A with Main Line Health CISO Aaron Weismann: “CISO Success Depends on Organizational Risk Alignment”












The first and most important question for CISOs to ask is, “Am I risk aligned with the place where I work?” If not, they might be swimming upstream as they promote a culture of security that the organization doesn’t embrace, says Aaron Weismann, CISO with Main Line Health in Philadelphia.
In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Weismann shares a number of valuable insights with CISOs on how to keep a health system secure in this post-pandemic era. It takes dedicated effort to build the team of security champions among staff and vendors, and it’s “absolutely critical” to build rapport through one-on-one time with major stakeholders to get them on the same page with the organization’s security goals, Weismann says.


“ … burnout is a thing that we care greatly about. And security contributes greatly to clinician burnout. So we want to make sure that what we’re doing is both meaningful on the security side, but also limits the impact on our clinicians.”
“When you move everybody remote, your threat landscape increases significantly. Everybody’s house is now an attack vector, every computer that’s at their house is an attack vector.”
“It is difficult on a day-to-day basis to deal with an organization, I think, where you don’t align on a risk posture with them. You know, one option is certainly finding a place that does … ”
Guerra: Do you want to start out by telling me a little bit about your organization and your role, please?
Weismann: Our organization is a health system in the Philadelphia suburbs. We’re about 12,000 staff, nurses, clinicians, etc. We have five hospitals, a number of different ambulatory and clinician sites. And a few corporate offices. As far as my background, I have been at Main Line Health for a couple of years. I was at Massachusetts Health and Human Services as their CISO for approximately three and a half, four years prior to that. And then before doing that I was an attorney with Health and Human Services for about five or six years as an assistant general counsel there doing IT contracting, information security law, IP licensing, etc. I can go further back than that if you need, but I figured that’s a pretty good overview.
Guerra: That’s a good start. Let’s talk a little bit more about the attorney experience. That’s very interesting. So, when did you decide to become an attorney? And then it sounds like you were doing IT contracting as an attorney. Just tell me how the IT and the security and the healthcare evolved from wanting to be an attorney. Just take me through that a little bit.
Weismann: Sure. Yes. So I originally wanted to be an attorney, you know, specializing in technology. My undergrad, I didn’t have a technical background. But when I was in law school, I very heavily got into intellectual property law, contracting, IT licensing, etc. After law school, I went to Suffolk University in Boston to get an LLM, which is a master’s in law in technology and intellectual property. My first job out of law school actually was at State Street Bank and Trust Company, I did finance work. I was in their investment services office, working in their general counsel’s office there.
After a couple of years, the position over at Health and Human Services of Massachusetts opened up as a technology attorney. I decided I wanted to do that.

healthsystemCIO.com By Anthony Guerra
