On this week’s episode of Security Nation, we had the pleasure of speaking with Richard Kaufmann, the information security officer at Amedisys, a national provider of home health, hospice, and personal care. Our podcast highlights guests who have taken on a challenge that has advanced security in some way, and Richard’s work in transforming Amedisys’ cybersecurity strategy in the healthcare space is a perfect example of this.
Here are our takeaways from the podcast:
1. How a personal connection to your work can improve your success
We were humbled and inspired by Richard’s story about what ultimately led him to join Amedisys and see the success he has had in his role there. Six years ago, his father was diagnosed with colon cancer. He underwent a medical procedure, and his doctors discovered that he actually had cancer throughout his entire body. His health declined rapidly, and within 23 days, he passed away—a hospice nurse by his side.
As Richard reflected on those last few days, he recalled thinking that the day his father passed was just a Thursday for that person. But she likely needed to communicate with other caretakers throughout the day, and in hindsight, Richard wondered whether the company had any security controls that prevented her from being able to do that, making it more difficult to do her job and provide others with care.
Five years later, he was sitting in an interview with Amedisys. Richard said he was drawn to the company because CEO Paul Kusserow had made it their mission to help provide the right type of care at the right time to improve the quality of life of the organization’s patients and clients. At the core of it, they recognize that nobody likes to go to hospitals, so they wanted to empower patients to remain in their home and personalize their own care. Richard said he takes pride in the fact that the security posture his team has implemented directly affects the quality of care their patients receive.
2. Amedisys’ digital cybersecurity transformation process
As if healthcare security wasn’t complex enough, implementing it across IoT and networks inside of homes has its own level of complexity. Amedisys’ CIO, Mike North, set out to take a more holistic approach to what their technology could offer, and at the core of that was security, as patient privacy is integral to the mission of the company.
As Richard explained, some healthcare companies invest very little time and resources into security, with detrimental results. So, Amedisys decided to do things a little differently by implementing what they call an “asymmetric security posture.” This involved assessing the operating area to determine what their quickest wins could be. They found a few quick wins within vulnerability management and some opportunities to improve their SIEM capabilities. Through this, they were able to gain a lot more visibility, and as Richard explained on the podcast, Rapid7 played a big part in providing that visibility to them. From there, they were able to continue growing and improving the organization’s security posture.
3. The need for better cybersecurity in healthcare
Even the most basic healthcare data can be incredibly valuable to adversaries these days. In order to access that data, you need a username and password (an identity), a device to access that data (such as a tablet, mobile phone, laptop, server, etc.), and some type of connectivity, namely a network. These are the three areas Richard and his team have focused on over the past year. Turn to any breach headline, and you’ll see that this data can be incredibly easy to access if the right cybersecurity controls are not in place or are outdated.
Next to password management, credential security is one of the biggest issues in healthcare cybersecurity. On the provider side, when you’re dealing with an emergency or urgent issue, you don’t want to be messing around with logging in to things. This is why med-tech often gets a bad reputation when it comes to authentication and encryption, because when that fails, personnel can’t implement life-saving or live-improving procedures.
Amedisys has been modernizing how they manage identities, and with Richard’s understanding of compensating controls and risk management under his belt, he was able to help the company not only identify where their gaps were, but also how to implement defense-in-depth. This enables them to see that if there is an asset authentication issue during a specific scenario, one now has more of a reliance on other controls in that timeframe than they would otherwise. This is where automation will soon come in whereby under specific conditions, it can implement specific actions automatically, rather than manually.
Because healthcare is such a regulated industry, you don’t always know what the next regulation is going to bring. It’s the job of teams like Richard’s to figure out how to pivot when a new one is coming. Determining what to work on and prioritize and then aligning resources and technology to key problems can help stay on top of important regulations that will help them help their employees do their jobs and provide top-notch care.
4. Richard’s top tips on building and managing a security organization
As the podcast interview came to a close, Richard left us with three golden nuggets of advice.
The first is to make security work in such a way that it’s not seen, it just works. This is something his team has kept top-of-mind as they’ve implemented changes within their organization and technology infrastructure. They want to avoid creating an environment in which a caregiver cannot do something as simple as sending an email, writing up notes, or connecting with a peer because of a security control.
His second piece of advice is to invest in hiring the best people you can find. It’s key to have people on your team who understand the vision not only at the security level, but at the company level, and know how they fit into the bigger picture.
Adding onto that is being able to effectively manage a security team. As a leader, you need to understand when people need help and check in with them regularly to assess where they’re at. Being able to have a conversation about what that person can accomplish and showing them you’re there to support them to get to the finish line builds camaraderie and a strong, collaborative team.
Listen to the full interview
We’d like to thank Richard for sharing how he’s helped transform security over the last year at Amedisys and inspiring others to take on security challenges like this one that can positively impact the world.
To hear Richard’s interview in full, be sure to check out our latest episode of Security Nation, and if you like what you hear, please subscribe! We release episodes every other Friday, each featuring someone who is advancing security in their own way.