How Jefferson Health enhanced cybersecurity via its cloud transformation

The cybersecurity mantra at Jefferson Health is “if we can’t do it well, we’re not going to do it” says Mark Odom, CISO of the Philadelphia-based healthcare organization. Such an approach has proved integral to Jefferson Health’s fast-tracked transition to a cloud-first, remote model to meet the demands of the COVID-19 pandemic.

In fact, by putting cybersecurity at the fore of its cloud innovations, Odom believes the hospital has installed a more efficient, agile, and risk-focused security approach to protect is 34,000 employees. “Our strategy has been cloud-focused for a few years, but a lot of our platforms are very large and normally you don’t move them over a period of months, you move them over years. The pandemic accelerated things of course.” Indeed, the hospital’s vast databases span healthcare, education, and research operations with some reliant on legacy, end-of-life systems that needed shifting to the cloud for greater flexibility, cost-effectiveness, and security.

Cybersecurity culture key to cloud adoption

Odom champions a culture of cybersecurity in traversing this journey effectively, something that is driven down by his boss, a former CISO himself. “He gets the security message, which really makes it easy for me to focus on executing instead of selling him on why we need to do things securely,” he says. “We had the security runway to bring things up to speed in a way that was right from the beginning – not coming in behind the curve like we have done with traditional on-premises infrastructure.”

Having the correct security tooling in place upfront prevented people from spinning things up insecurely, Odom explains, removing “tough, uncomfortable” conversations around changing systems in production and operation to meet security standards. “A very methodical, planned approach which understood security from day one has paid us dividends.”

Business alignment is another cultural element central to Jefferson Health’s cloud move, Odom says, with governance integral to positioning cybersecurity inline with wider organizational dynamics. “We have diverse operations all with very different missions and requirements from a regulatory standpoint. It was very much about understanding the business use cases for all those areas and their needs in the cloud space, and then spending an enormous amount of time with our cloud architects to get the cloud builds right.”

To ensure he maintained this business-focused mindset, Odom says he regularly sat on research steering committees with fellow stakeholders and peers to encourage open dialogue across different touch points across the organization.

Remote working amid cloud expansion

Jefferson Health’s move toward a cloud-first model was hastened by the need for agile, remote working amid the COVID-19 pandemic. “We were already working toward having more remote days for employees, so it was actually a very smooth transition to pandemic mode,” he says, adding that he was surprised by how few security challenges were encountered.

While Odom recognizes the pandemic-related threats posed to Jefferson Health such as spikes in attacks targeting its vaccine endeavors, a striking cybersecurity benefit soon became evident as his own team spent more time working from home. “If you consider any security operations center, most of us are already following the sun 24/7. When we went remote, a lot of our incident response activities became more effective because we didn’t have staff sat on trains, cars, or buses to/from the office. They now had full setups at home. Let’s face it, the bad guys like to run their attacks on Friday evening, Saturday morning, etc. when you’re not in the office.”

Odom cites a 25% decrease in response time through remote work, with a 20% overall team productivity increase. “We’ve really reaped the benefits of remote work, and we have been able to apply the extra productivity to the other challenges the pandemic brought about.”

However, control, policy, and educational issues needed addressing to ensure remote working did not hinder the security of Jefferson Health’s wider day-to-day operations, Odom says. “Network-based security tools were shifted to endpoint controls, and if you think about a cloud-first strategy, that’s the direction you’re going in anyway. If you’re truly aiming for a cloud model, you’re not focusing on network-level controls – your controls either have to be at the application level or the endpoint level.”

Acceptable use policies were also reinforced as corporate devices displaced the personal devices of employees working from home, Odom says. “We figured over time there would be some blurring of work/personal use on corporate devices, and so we were required to block a lot of non-authorized work sites such as Google Drive.”

Not all non-work essential services were blocked, Odom adds, but he and his team worked pragmatically to assess those with the greatest potential for harm. “That obviously wasn’t always a great satisfier for the end-user population, but again, coming back to the culture they got it, understood it, and adapted.” No doubt an influential factor here was an increased focus on cybersecurity awareness training to encompass new remote working risks. “We doubled the amount of security awareness training as a direct response to workers being further away from the mothership.”

Enhanced risk management through a cloud-first approach

Reflecting on how cloud transformation and the introduction of a more fluid, remote working model has impacted Jefferson Health’s cybersecurity position, Odom points to a diversified approach to risk management. “We’ve gotten rid of a lot of risk by going to cloud-first, remote working because it forces you to segment your environment. If you’re not on the network, it’s less likely that anything [malicious] on a local endpoint is going to bounce to an endpoint sitting next to it,” he says.

Cloud-enhanced risk metrics have proven key to a new risk management approach, Odom says. “If you want results, you have to measure those results. However, there comes a point where the labor of measuring results diminishes the overall value, and you spend more time measuring that remediating. Zscaler gave us an opportunity to get automated metrics and measures in from day one, so I’m not spending FTE time or quality information security professionals’ time on measuring something – the tool is measuring and the team is reacting.”

Through improved metrics, Odom has been able to quantify a shift in risk from an annual loss exposure perspective, for example, with regards to the threat of ransomware. “When we were all on-premises, a ransomware attack was (and I’m making these numbers up somewhat) say around $250 million worth of impact, and there was a 2 to 3% chance that it would happen. As we moved more to the cloud, that curve lowers significantly, because a ransomware attack doesn’t infect the entire environment, it may just affect a single service line, in some cases. That means maybe only $4 million to $5 million worth of impact, but the likelihood goes up because you have that many more fronts now. The cyclical rate in which we’re dealing with these events is higher, but the impact is lower.”

As for fellow CISOs seeking to adopt a cloud focused, non-network reliant approach to security, Odom advocates taking the bull by the horns as early as possible. “Everyone used to say that the cloud is not secure – but that’s not an accurate statement at all. With cloud, we’re not inheriting some of the legacy practices that on-premises brought us, and it gives us the opportunity to do it right. It can be more secure; it just takes the proper planning. You’ve got to be in front of it – don’t let it get in front of you, otherwise you’ll be fighting against some bad hygiene practices. The sooner you get in front of it, the better you’re going to be.”