Published February 2023
It’s impossible to balance cyber risk with medical necessity without spending time “in the foxhole” with the clinicians to learn how and why they use the technology, according to Jack Kufahl, chief information security officer (CISO) at Michigan Medicine, the medical center affiliated with the University of Michigan. In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Kufahl talks about the complexities of managing risk within an academic research institution and the big question of how to be open enough for research yet secure enough to prevent breaches. When doctors ask to install a new app, evaluating it as a simple yes/no decision isn’t enough to determine what to do, Kufahl says. “You have to peel it back a little bit, make sure you understand it in context.” Sometimes risk is tolerable, but ultimately, “all risk tolerance is temporary,” he says.
Bold Statements
“ … an academic medical center, we’re a little bit more like an airport, our job is data movement, we have to get the data that we create, that we ingest, that we curate, and get it to where it can do the most good.”
“ … we’re tilling up that soil, and we’re finding more every day. So it is very often that if people aren’t coming to security proactively, we’re flipping over enough rocks that we tend to run across it somewhere in the process.”
“And the nature of information security is we’re going to be risk averse. It’s unlikely we’re going to underdo it. If we don’t have context, we’re most likely, I would say like 95%, to way overdo it.”
Guerra: Jack, thanks for joining me.
Kufahl: Thanks so much for having me.
Guerra: All right, you want to start off by telling me a little bit about your organization and your role?
Kufahl: Oh, sure. Michigan Medicine is about a 1,000-bed hospital. But what’s interesting about it, in my opinion, is that it’s an academic medical center. So it has a substantial nation-leading research facility and learning program attached to it. I’m the CISO of all three of those missions. And that means I have a very interesting job, because I have to keep the flexibility of the research environment, but the sustainability and the survivability of the hospitals and health centers. So it’s a constant balancing act.
Guerra: A lot of government regulations out there require you not to have breaches, and a lot of bad things that happen if you do. And of course, there are other regulations that require you to be open and share data, and send it here, there and everywhere, which is similar to what you’re saying about having a research function. Talk a little bit more about dealing with the balance between openness and security.
Kufahl: What’s interesting for our facility, and I think our institution, and what’s probably true for a lot of academic medical centers throughout the nation and Canada, is our doctors are also our faculty. So at 8 a.m., they may be doing a procedure; at 8 p.m., they could be in their wet lab, doing discovery. So it is interesting, because we all have to adopt different roles and personas on behalf of the institution to figure out how to protect it, but also not just protect what its cybersecurity posture is or risk posture, but what it is more existentially — a free and open academic environment.