Soma Bhaduri, CISO at NYC Health + Hospitals, says security executives serve their organizations well by having a deep understanding of their technical environment, aligning with the business through sound governance, and communicating a clear risk picture to inform decision making that adheres to the guidance provided by the CISO.
“… it’s really about understanding everything from a technical perspective and then conveying that to the business and making sure that you’re tying everything together.”
“… executive leadership has to understand the importance of cybersecurity and the patient care perspective and find the middle ground, right? So sometimes it’s not about one or the other, it’s about balancing both …”
“… the key right there is to make sure that there is a level of security risk management embedded as part of enterprise risk management.”
Anthony: Welcome to healthsystemCIO’s interview with Soma Bhaduri, chief information security officer with New York City Health and Hospitals. I’m Anthony Guerra, founder and editor-in-chief. Soma, thanks for joining me.
Soma: Thanks for having me. Appreciate it.
Anthony: Very good. Let’s start off, why don’t you tell me a little bit about your organization and your role.
Soma: I am the chief information security officer for the largest public hospital system in the country, New York City Health and Hospitals.
Anthony: That’s a pretty big deal, largest in the country.
Soma: Municipal, largest in the country – yes, especially in the cybersecurity world in healthcare.
Anthony: Yeah, for sure. I love to find out how CISOs in healthcare got to where they are. There are all kinds of different journeys that people take. I know you spent some time in financial services, which is always interesting to find out how the transition goes and how that came about. So tell me a little bit about your career path.
Soma: I really started with a technical background; I had a bachelor’s in computer information systems. From there, I think a lot of security professionals start their career in infrastructure, so in financial services I really got to understand infrastructure very well in terms of how everything functions, from the network to the endpoint, etc. So from there, in financial services, I was introduced to security. And at that time, back in the early 2000s, financial services was not necessarily just getting started, but from an implementation perspective they were just getting started from a centralized perspective. So that’s how I got into cybersecurity initially, in terms of dealing with day-to-day operations. The initial security operation center was started up at Citi at the time when I was there. I was supporting two businesses, and I was responsible for a lot of the security products and just trying to understand how everything works together. I did that for a good decade or so.
And then I got into healthcare really quite by chance. It was an opportunity that came knocking on my door and I figured, “Well, I’ll give it a shot” and it was here at Health and Hospitals. There really wasn’t a security department or anything like that formed, but through tremendous support from Health and Hospitals and the growth that we’ve encountered from an IT perspective, we centralized and from there I was a part of the security team. And then it developed and grew into a five-person team to pretty much what it is now. About 30 individuals are a part of my department now as the CISO here at Health and Hospitals which I took on in 2020. So it was a tremendous growth experience here at Health and Hospitals and I really do think my background in financial services and security infrastructure helped me get to that point.
Anthony: Do you think there was a point when you said to yourself, “Okay, I’m going to go down the security road. I could go down the CIO road but I’m going to focus on security?”
Soma: Yes. I think what really happened is I was just always interested in security more than in infrastructure. I was interested in understanding how to protect systems, I think I just lean towards that with my background. And there were certain opportunities in financial services where I always like to interact with the business instead of being part of a standard infrastructure job. Sometimes you don’t really have that communication in those positions.
So I think part of the reason I was interested in security is because you had to liaise a lot with various groups and various leadership individuals, so I think I just went in that direction because of what cybersecurity was about – it’s really about understanding everything from a technical perspective and then conveying that to the business and making sure that you’re tying everything together. And I also had some support along the way with certain individuals throughout my career who helped me understand that process as well. So, yes, I think it was just a natural inclination for me in terms of what I wanted to do.
Anthony: So you said one of the things you like is to interact with the business. Before cyber became tied to patient care, the business didn’t necessarily like hearing from the CISO, correct?
Soma: Absolutely. That’s a great question. I would say when it all started was really when ransomware took off several years ago; this is prior to the pandemic. This is probably around the 2015-2016 era when we were just getting an idea of what ransomware could do and how it could wreak havoc on a system.
So I would say over the last two to three years, cybersecurity has been a concern by the business, and now it’s more of a partnership with the business rather than us making sure that whatever is needed, let’s say for a provider etc. is just done. It’s more about, “Well, is it secure? Is it going to work for the entire system? If it’s going to be secure for the system, then we’re okay with it. But now if that doesn’t happen, then we have to make sure that we align it appropriately.” And that has, in my view, come from the top down which really is very critical to having a solid cybersecurity program. If your leadership doesn’t understand that, then I really think that it’s a bit harder for a CISO – or any security professional really – to kind of convey the concern you have.
Anthony: I think every position, every job, you need the support of your direct manager, your boss – whatever you want to call it. But as you mentioned, as a CISO, there’s probably no way to be successful unless you’re being supported because you will get push back here and there. So I’m wondering if you’re interviewing for a CISO role, what do you want to hear from a CEO?
Soma: I think it just goes to my point before where the executive leadership team has to have an understanding of what’s going on in the world essentially.
I can give a perfect example: when you’re dealing with a certain product or something that needs to be there for patient care purposes let’s say, executive leadership has to understand the importance of cybersecurity and the patient care perspective and find the middle ground, right? So sometimes it’s not about one or the other, it’s about balancing both, I think. So I think the most important thing is for executive leadership to understand that and that helps the CISO tremendously in progressing the program for cybersecurity. But I think it’s also important, from my perspective, to understand the business and what’s needed and to balance that as much as possible. So I would say the best way to put it is it’s a balancing act.
Anthony: Yeah, absolutely. It is a balancing act and it’s a very intricate balancing act, right? Because from a security point of view, there’s different ways to describe the level of risk anything presents, right? The business has its needs and wants, and you ascribe a certain risk to those. Someone has to make the decision. So talk to me more about that delicate balance and how ultimately decisions get made.
Soma: So I think the most important thing to say there is it’s part of the maturity process. You have to have some level of governance. And when you have that level of governance and understanding throughout a system or a company, then I think automatically the risk profile or the risk level of a certain application (or a certain department that’s trying to pull in a certain application that needs to get onboarded), it’s understood from that governance perspective and also to relay that as much as possible through awareness and training and to make sure that you’re conveying that message. Because as you just said, it’s a very difficult job because what happens is not every application is the same; and in healthcare when you especially have to be worried about patient care, you always have to have them at the back of your mind of how will I be impacting the business?
So I think the key right there is to make sure that there is a level of security risk management embedded as part of enterprise risk management. I think that’s very important and I think that’s what’s changed over the last couple of years is that understanding that security is not in a silo somewhere in a corner, it has to be embedded as part of the overall risk management process for a company, a system etc.
Anthony: You assess and explain the risk, but the business makes the ultimate decision of how much risk it wants to accept. That may be more than you’d ideally like on occasion. I would imagine that can be a tough position for CISOs to be in.
Soma: Yes. Sometimes it’s a position where you have an opinion on the matter and you would hope that that is then taken and then put in as part of the decision-making process. I think as a CISO you’ve done what you need to do to ensure the security posture for the company.
Anthony: Right. And you said governance is so important. What does good governance look like?
Soma: So security, basically, I think a lot of people start in infrastructure because they get a lay of the land in terms of what IT is, and then you kind of go into security. So it’s similar with governance, because in governance you have to tie in various parties. So you have to tie in from, let’s say, a hospital system; you would have to tie in your supply chain, your councils for the various clinical departments. So all of that has to be aligned with the security program, and that understanding has to be there. So it’s not just one group and it’s not just security with IT, it’s aligning all parts of the particular business at hand to make sure that all parties are aware. So you have the various silos, but as governance you’re pulling that all together in whatever way you feel it needs to be done, and you’re making sure the communication lines are open, and the requirements that are there from the security perspective are made clear to the business.
Anthony: So that might be another thing for a CISO to consider before taking a new job, in addition to finding out how the CEO views cybersecurity – take a look at the organization’s governance process because a bad one will make it hard to be successful.
Soma: Absolutely, yes. I think those are very good questions to ask when you’re trying to understand the security program for a particular organization.
Anthony: You talked a little bit about knowing the business; how much do CISOs need to know about the clinical world?
Soma: So I would say in terms of knowledge for the various clinical applications that are required, you have to have an understanding from a technological perspective how it would impact the overall network. From a clinical perspective, you would rely on the clinician to provide that information to you and explain why this is so important for X, Y, Z reasons. Then you essentially pull that together and you understand the risk level with that combination of all the information that was provided. But a part of that is then also to correctly relay that to executive leadership because when you’re dealing with the system (and it’s a large system, let’s say) then at that point you have to make sure that you’re connecting the dots and you’re relaying, “This is why we’re concerned from a security perspective and this is why this clinician really needs this to make sure his or her patients are covered from the support perspective.”
So I think you need a solid understanding of your technology and your network. As long as you have that understanding of how a clinical application is (or will be) connected and the level of connection (for example, is it contained to one location or is it going to pretty much affect the entire system) that kind of determines your risk level and your risk profile. Then you can take it from there to share the narrative and share the application’s security risk profile for itself but also in terms of the system, just to make sure that you’re not impacting any kind of patient care services from a hospital setting.
Anthony: And you’re in New York City. I’m just outside, in New Jersey. But I worked in the city for 10 years; I was in there when 9/11 happened, I was in there when the blackout happened.
Soma: Yeah, me too.
Anthony: Lots of things can happen in New York City, so tell me about how you’re handling business continuity and disaster recovery planning.
Soma: I think it’s important to have a plan in terms of a cybersecurity incident response plan. Once you have that, then from there you build out certain exercises that you can relay to the business and you can have tabletops. It doesn’t necessarily have to be one big tabletop, you can do it within your IT services and then you can do it with your leadership team, combine all of that, and then understand where you might need to work on certain things. So, for example, do you need to communicate your plan more; do people not know about this plan? If they don’t know about the plan, then how are you going to be able to go ahead and try to implement that in the event of a cyber-incident?
Tabletops are important, but the only way to get to the tabletop is to understand your environment and to assess; and once you assess and you know your risk, then you can have the tabletop, because then you can figure out where the gaps are, where the weak points are. So once something happens, everyone kind of knows what they need to do. And I really think that it’s important to have those conversations outside of a tabletop with whoever manages DR or the backups or emergency management. There are so many various groups involved, and if a cyber-incident were to happen you’re pretty much down, so all parties have to understand what their role is there.
Anthony: A few times today you mentioned the importance of understanding your IT environment. It’s not as easy as one might think, especially in a large health system, right?
Soma: Absolutely. Sometimes if you don’t know what you have, then it’s hard to protect that obviously. But that is one of the key areas I think for maturing your program from a cybersecurity perspective. And frankly in any area, even if you’re the CIO of a system, you have to know what you have. If you don’t know what you have, then it’s hard to manage that. It’s hard to make sure, in terms of support decisions, how you make those decisions, your return on investment; how do you understand what that would be? So taking that and just looking at it from a cyber-perspective and a security perspective, it’s key for us to understand what are the systems, how are they connected, what do they do, what do they hold in terms of data, then you could kind of take it and group it and then understand, “This is pretty much our golden egg here and we have to protect this at all cost.”
And whereas there might be other areas where it’s not restricted data, it’s more public information, well that’s okay. You can have certain controls there. But when you’re protecting your prime area, you want to make sure you have all necessary controls over there. So I think that’s how you can kind of tackle it in pieces especially for a large system and then that gives you an understanding of your environment. But absolutely any asset inventory is key to understanding your overall risk level, and then you can take it from there and you can assess and then you can have a management plan to then go ahead and make sure that you’re at your desired risk level.
Anthony: It’s important to know what you have, but I’ve heard shadow IT purchases – which take place outside the governance process and sometimes never get run by security before being purchased – are still an issue for many health systems, and it seems like it’s not an easy issue to solve.
Soma: No, it’s not. And sometimes you get wind of it after it’s already been purchased and then you have to kind of go backwards and figure out what the risk level is. It is there and it’s still an area of concern for me and I think it will remain an area of concern just because of the level of connected devices now, right?
Anthony: Yes, definitely suboptimal because you have less leverage with the vendor after the contract is signed.
Soma: Absolutely suboptimal. But I think what is changing a little bit is vendors’ understanding of how important security is. I’m not saying it’s there yet, but I think with some of the things that we’re seeing from the federal government, especially with the FDA from a healthcare perspective, they are pretty much saying that we need to up our game with medical device security. I think those types of discussions that are being had are important in trying to prevent something like some application getting onboarded, whether it was just because someone needed it and they’re not really thinking about anything other than “I need this.” I think it’s important to have that discussion prior because, of course, you have more leeway. But I think it is slowly changing the game, specifically in terms of medical device companies and vendors. I think that discussion has to happen to make sure that we are going in the right direction. But that still remains a concern, I agree with that.
Anthony: Do you have any advice for women who work in healthcare IT security or want to work in this field?
Soma: Yes, that’s a great question. I’ve had great support through the years. I think that’s one of the key things I will say is that you have to be open to learning and to understanding your environment and be involved in various groups. So, for example, I was always involved in some kind of women’s leadership group since I started my career. I would always interact in terms of committees etc. just to have that involvement. And then you also have to have your knowledge base. So your knowledge base can come in very different ways. I truly do believe in cybersecurity as a great career option – the backgrounds of those getting into it are so varied. It could be the military; it could be just from your experience; it could be through certification and pretty much education.
I think for women, especially, it’s a great career option, because it’s not just about technology. It’s also conveying how it all ties together. But I think that sometimes women feel that it’s something that they cannot do because it’s technology based and that’s really where I think STEM education starting at pretty much the elementary school level is very important for girls. And I think it should really be an equal playing field. So I would say be involved, be interested, and convey your messaging, have the background, and I think you will succeed.
Anthony: Very good. Just a final question before I let you go, is there anything you are looking at that your colleagues may also want to check out?
Soma: I think Zero Trust is really the big thing we’re all talking about, but I don’t think that’s anything new. But in my world, I would say medical device security is the big thing, and I really think it’s important to understand the environment that exists within your organization. And I really do think that IoT, as a whole, is really going to be the next phase. And understanding everything that’s connected is important and not necessarily just your IT infrastructure, right?
Anthony: Well, that’s wonderful, Soma. I look forward to catching up in the future. Thank you.
Soma: All right. Thank you so much. I appreciate it.