Highmark Health CISO. PHOTO: Cybercrime Magazine

Healthcare CISO On Hospitals As Ransomware Targets And Securing Medical Devices

Omar Khawaja, Highmark Health’s Chief Information Security Officer, talks cybersecurity

– Kayla Matthews

Pittsburgh, Pa. — Jan. 6, 2020

When many people describe how they get to C-suite positions, they detail years of goal-setting and progression. Omar Khawaja, Highmark Health’s chief information security officer (CISO), sat down to speak with Cybercrime Magazine’s guest host Laura Deaner, and he admitted not seeing that position in his future.

Khawaja was the head of product marketing for Verizon Security Solutions for more than seven years before accepting his current role at a company that is a nonprofit health insurer operating numerous for-profit subsidiaries. Even when contacted about the job by a headhunter, he thought it was too good to be true. Khawaja jokingly said he used his wife as sort of a human “Report Phishing” button to verify the legitimacy of the email.

The headhunter’s client wanted an unorthodox candidate, so Khawaja’s background made him an ideal fit. At Highmark Health, his responsibility is to do whatever it takes to protect information and assets, whether it relates to data centers or medical devices. The company’s cybersecurity team consists of 160 full-time employees and another 50-70 people in contract positions.

When Khawaja started at the company, his team’s attrition rate for people who had been at the organization for less than a year was 42 percent. The company spent two years focusing on culture and leadership to improve that metric, and it paid off. When Khawaja looked at the attrition rate last, no employees had left within a year of joining the organization.

Hospitals as Ransomware Targets

Khawaja was asked why he thought hospitals are disproportionately targeted in ransomware attacks. He said the need for the compromised information has a high level of urgency. Unlike other businesses that may be able to persist for days without some files, threat actors understand that hospitals depend on information like blood type details or patient records for basic operations.

Khawaja also clarified that healthcare organizations have not put adequate time, effort and investment into cybersecurity over the years. Cybercriminals see them as “low-hanging fruit,”  making those entities more prone to opportunistic attacks. Plus, hospitals have sensitive information and technologies in public spaces, which is not always the case with corporate organizations.

Cybersecurity Is Not as Complex as People Think

Khawaja believes that one of the weaknesses of many employee cybersecurity training programs is that they tell people what to do, but not why they should do it. He gave the example of how health care professionals say if all their patients ate healthily, exercised enough and got enough sleep, they would have very few people left to treat. 

There’s a parallel in the cybersecurity world because people only need to do a few things to stay safe online. Khawaja brought up actions like keeping systems patched, choosing strong passwords, and being careful which sites people visit or to whom they send information as some of the essentials. 

The Power of Change Management

Highmark Health is interested in “change management,” which encompasses how to get people to act differently to align with organizational needs. The company’s ultimate goal concerning cybersecurity is to change behavior in sustainable ways. 

That’s because merely telling someone to do something is not sufficient. Khawaja recommended first telling people why they need to change their cybersecurity behaviors, then giving consequences if they don’t.  “Everything just boils down to we need people to do the right thing, and that means we need them to change their behavior and sustain it,” he explained.

Challenges Surrounding Securing Medical Devices

Many cybersecurity professionals aim to find all their vulnerabilities first before starting to fix them. Highmark Health uses an agile approach for medical device security to identify the most severe issues, which allows them to start fixing them immediately.

Cybersecurity for medical devices also requires going outside of the company’s four walls and partnering with medical device vendors. It’s taking too long to come up with a regulatory solution for cybersecurity, so a market-based approach is a way forward for now. Khawaja suggested working with vendors in non-imposing ways to come up with a set of reasonable cybersecurity requirements for manufacturers.

Advice for Aspiring CISOs

Although Khawaja didn’t always see himself as a CISO, he has words of wisdom for future CISOs that could also apply to anyone in business. He lives by the “better is always better” mantra. “I don’t know how to do ‘perfect,'” he confessed. “I just need to embrace ‘imperfect.” 

He continued, “The goal is, can we just be a little bit better?” Highmark Health abides by a “relentless incrementalism” practice. It involves creating and executing an imperfect plan and realizing that making mistakes along the way promotes learning. Conversely, making the same mistakes repeatedly may mean a company isn’t growing. 

Learning is also crucial.”You have to be someone who loves learning,” said Khawaja. He also recommended coupling that passion for learning with the humility to recognize you don’t know most things, but know who to ask for assistance. 

An Inspiring Conversation

No matter a person’s experience in the cybersecurity sector, Khawaja has fascinating and valuable viewpoints. Consider watching the whole interview to get the full perspective.

– Kayla Matthews is a technology journalist and cybersecurity writer based in Pittsburgh, PA. To read more from Kayla, visit her website.

Ask The CISO Archives


From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control–while providing easier administration.

Our flagship enterprise firewall platform, FortiGate, is available in a wide range of sizes and form factors to fit any environment and provides a broad array of next-generation security and networking functions.

The Fortinet corporate brochure explains how we deliver comprehensive network, endpoint, application, and access security.

Learn more at Fortinet.com.