CIOs have a lot of weight on their shoulders, says Steven Ramirez, vice president and chief information security officer (CISO) at Renown Health. If there is a breach, the CEO will be calling the CIO first, and he or she will have to be able to talk the talk. That’s something the CISO should always keep in mind. And that’s also why a mutual relationship of trust between CIOs and CISOs is the best defense nowadays, he says. “All things that go beep are owned by the CIO,” he says. “So my job is to protect all things that go beep.” In this interview with healthsystemCIO’s Founder and Editor-in-Chief Anthony Guerra, Ramirez shares his views of the challenges health systems face with their big, fluid attack surfaces. Driving home the reality of a possible ransomware attack with the C-suite and tightening down on identity access management are some of the approaches he uses.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

A lot of people aren’t used to downtime if you have to go to paper. That’s why we’re seeing ransomware and whatnot being so impactful to organizations, just because of people being so dependent on technology and never having to do it the old-fashioned way.

So I’ve really put a focus on 10 to 15 minute detection times with containment, and then being able to have that seamless incident response. Because stopping the spread, stopping the impact, is really how we can have a more seamless and expedited recovery, versus all systems are off, we’re out for multiple weeks.

… that’s why healthcare is such an easier target than some of these other systems, because they’re able to harden their systems, harden their perimeter, but our attack surface is just so much wider and more expansive.

Guerra: Steve, thanks for joining me.

Ramirez: Glad to be here.

Guerra: All right, very good. Do you want to start off telling me a little bit about your organization and your role?

Ramirez: Yes. My name is Steven Ramirez again, and I’m the vice president and chief information security officer of Renown Health. I’ve been at Renown for about 10 months; today, actually. It is a system up in Reno, Nevada. It’s the area’s trauma center, so any of you bad skiers that have been out there, definitely come see us. So it does have a dedicated Children’s Cancer Center and a new affiliation with the University of Nevada, Reno, UNR. So that partnership’s really going to enable us to start getting cutting-edge research, innovation, etc. And they have been the biggest player in the market for quite some time, serving Northern Nevada for quite a while.

Guerra: Very good. Can you tell us a little bit about your career journey? I like to find out how CISOs in healthcare wind up where they are.

Ramirez: Yes, it actually started up in Georgetown, up in Washington, DC. And right as a lot of the digital transformation components were going on I was the “millennial,” so they threw a lot of the IT risk management and some of that at me, since I had the only Facebook account in the office. And really the rest is history. I went from there to CHI. CHI was really in acquisition mode. CHI is now CommonSpirit, so it was part of the merger and acquisition team. So I really saw that footprint grow to 19 states, over 100 hospitals into what it is today with CommonSpirit and that merger with Dignity. Then, I went over to a short stint at Baptist Health in Louisville, Kentucky,