When it comes to IT security at hospitals, third- and even fourth-party risk has expanded the front line from a moated castle to everywhere. And that’s not easy to protect, says Jason Elrod, chief information security officer (CISO) for MultiCare Health System. But protecting vulnerable patient data is the mission, and zero trust is going to reveal itself as the standard approach. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Elrod talks about how he has defended MultiCare Health System for the past 12 years. He starts by closing the perimeter with identity and digging in stakes with a solid zero trust journey. Elrod knows there’s no silver bullet out there, but he is aligning with federal regulators on zero trust by using NIST CSF. He then beefs up his IT talent by getting deeply involved in the recruiting process, and builds relationships with cyberinsurers.
Bold Statements
“As you get to a second- or third-party and that supply chain of a solution, the importance of that third-party risk management grows.”
“In order for the perimeter to scale, you have to shrink it all the way down, you have to be more atomic with your perimeter, the individual identity, in order to scale it, wherever it may roam.”
“For me, zero trust is a strategy, attitude, methodology that relies on a trail of techniques and technology.”
“I think the best way to do (cyber-insurance) is not to think of it as an adversarial relationship, because it’s not at all.”
Guerra: Jason, thanks for joining me.
Elrod: Thank you very much, Anthony. Happy to be here.
Guerra: Why don’t you tell me a little bit about your organization and your role?
Elrod: Excellent. I am the vice president and chief information security officer for MultiCare Health System. We’re an 11-hospital system based out of Tacoma, Washington, and our area of service is primarily the Pacific Northwest.
Guerra: I find CISOs have sometimes very interesting career journeys. Why don’t you tell me how you wound up in not only technology, but healthcare and security? How did you wind up in that very specific place?
Elrod: So I wrote my first computer program back in 1979, and that was on a system called a Commodore PET.
Guerra: Okay, I had a Commodore 64. I didn’t do anything with it. But I had it. Go ahead.
Elrod: My dad was a programmer for the Department of Justice at the time, and we had access to it. So I was very lucky, from that standpoint, to have early access to technology and computers. Today, I tell my kids, you know, “Back when I was your age, I had to type my video game in by hand, it took me four hours uphill in the snow both ways, no shoes, and then it wasn’t fun. We couldn’t save it and we had to do it again.”
So long time in IT, a longtime technologist, longtime love of technology. I would say that, professionally, I’ve been in IT since probably the mid-80s. And I began my career in finance. I managed data centers for financial organizations at the time, back in the “You’ve Got Mail” era, and had an ISP back in the mid-90s to the year 2000 crossover. And it was during that time, when you were running an ISP early on, that you find out there’s nobody you can call when somebody hacks your system. Nobody out there.