Kathy Hughes, CISO at Northwell Health. PHOTO: Cybercrime Magazine.

Northwell Health’s CISO: Insider Threat Is Number One Security Challenge For Hospitals

Ask The CISO: Q&A with Kathy Hughes, VP and CISO for Northwell Health

– Georgia Reid

Northport, N.Y. – Nov. 30, 2018

Last week, we met with Kathy Hughes, the VP and CISO at Northwell Health, which employs over 68,000 healthcare professionals, making the non-profit New York State’s largest private employer. A Long Island, N.Y. resident, Hughes is an exemplary cybersecurity expert with a true passion for protecting people and is a leader among healthcare CISOs in the Greater New York City area. Hughes — who began her career in manufacturing as a financial analyst and quickly transitioned to the computer and technology field — is the subject of the third interview in Cybercrime Magazine’s “Ask The CISO” series, sponsored by Fortinet, Inc.

Cybersecurity is a growing concern for the healthcare industry, with ransomware, cloud storage breaches, and phishing emails on the rise. Ransomware attacks on healthcare organizations are predicted to quadruple by 2020, according to Cybersecurity Ventures. As the healthcare industry continues digitizing all of its information, it continues to attract more attention from cybercriminals.

We asked Hughes about the challenges faced by the healthcare industry as well as her predictions about the future of the industry in 2019. The insider threat and employee awareness are still the number one concern. Hughes also shares her own experience as a victim of identity theft and goes over the machine learning technologies she is investing in as a CISO.

Read below for highlights from the interview and watch the entire conversation in the video:

GR: I wanted to get some background information about yourself as a woman in cyber heading up the biggest employer in our state of New York. What’s your background and how did you get to be in this role?

KH: Most of my career was spent in infrastructure technology, managing server teams, network teams, data centers, and help desk desktop services. Security was always part of each of those areas that I managed; over time opportunities became available where I took on more focused roles in disaster recovery, and while doing that I was at Northwell. I was asked to take over the security team because the director of the group had resigned. I really got to learn a lot about some of the challenges we were facing — not only healthcare, but the world — when it came to security and how it was really becoming an area where a lot of focus was needed. I took a real interest in it and really tried to champion for more investments in it and staff. During that time I actually became the victim of identity theft, and it really became very personal for me. I realized firsthand what it felt like to have your identity used for fraudulent purposes. When the opportunity became available for chief information security officer, it was really something that I pursued and have been doing now for the past three years.

GR: What are the key security challenges facing healthcare today?

KH: Some of the challenges really are the same in any industry, but in healthcare, because we’ve connected data and systems at such a rapid pace over the last few years, there has been little thought put into security and more thought put into how do we connect quickly. There’s also a lot of legacy equipment and systems still in use, specifically medical devices, which typically are meant to last 10, 15, 20 years. If you were to ask somebody in a BioMed area or a clinical area what a medical device is, they would probably describe it as some type of therapeutic or diagnostic machine that provides clinical care. If you ask me that question, I’m going to tell you it’s a computer with an operating system that is susceptible to all the same threats. That poses a lot of challenges now that we’re connecting all those devices to systems and data, and it’s an Internet of Things problem.

GR: What are the key healthcare security focus areas for 2019?

KH: We are really focusing on a lot of different technologies, mostly on securing the patient at this point. In the past we have focused on securing a data center or securing the cloud, and now it has gotten to the point where we have to secure the patient. That involves a lot of different technologies and making sure that the people you’ve entrusted with the data, namely the insiders — and insiders can be employees, consultants, business associates — you need to protect that. You need to be able to detect if there’s any type of anomalous activity that’s taking place. That’s prompting investments in technologies — machine learning technologies, artificial intelligence technologies — where you can determine or monitor a particular user’s typical activity.

GR: It sounds like the insider threat is a major concern for you. How do you go about dealing with that and managing it and teaching your staff of over 68,000 employees?

KH: The insider threat is a very big issue, and as I mentioned we are looking at other technologies to supplement what we have today. Currently, we use data loss prevention technologies, which can identify or alert us to certain types of activity that take place and to thresholds that are exceeded. For example, if we see somebody who might be faxing a list of patients that exceeds 200, that might set off a flag for investigation, and then we would determine: is that normal behavior, or is that something that might be malicious? There is also what’s called SIEM technology, which is security information event management. All of our key systems are collecting logs, and we are analyzing those logs to determine if there’s anything anomalous that might be taking place that requires further investigation, and that’s usually done on the inside network as well as on the outside, with externally facing systems.
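As an added illustration of the two insider-threat controls Hughes describes (a DLP threshold on outbound patient lists in this answer, and monitoring a user against their own typical activity in the previous one), here is editorial example code, not Northwell’s tooling or any vendor’s product. The audit events, user names, and the 200-patient threshold are constructed for the example; the per-user baseline (mean plus three standard deviations of the user’s other days) is one simple way to implement “is that normal behavior?” and stands in for whatever model a SIEM or UEBA product would use.

```python
"""Two insider-threat checks reduced to runnable detection logic:
a DLP-style volume threshold on outbound patient lists, and a per-user
baseline that flags days whose record-access count is far above that
user's own norm. All log events below are constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events, loosely modelled on EHR and fax-gateway logs.
# Fields: date, user, action, count (patients in the list or records touched).
SAMPLE_EVENTS = [
    ("2018-11-05", "nurse01", "chart_view", 38),
    ("2018-11-06", "nurse01", "chart_view", 41),
    ("2018-11-07", "nurse01", "chart_view", 36),
    ("2018-11-08", "nurse01", "chart_view", 44),
    ("2018-11-09", "nurse01", "chart_view", 39),
    ("2018-11-12", "nurse01", "chart_view", 412),   # bulk access, out of pattern
    ("2018-11-05", "billing7", "fax", 120),
    ("2018-11-06", "billing7", "fax", 95),
    ("2018-11-07", "billing7", "fax", 260),          # exceeds the 200-patient threshold
    ("2018-11-08", "billing7", "chart_view", 15),
]

FAX_THRESHOLD = 200  # hypothetical; the interview cites 200 patients as an example


def dlp_threshold_alerts(events, threshold=FAX_THRESHOLD):
    """DLP-style rule: any single outbound fax whose patient count exceeds
    the threshold is flagged for investigation."""
    return [
        {"date": d, "user": u, "rule": "fax_volume", "count": c}
        for d, u, a, c in events
        if a == "fax" and c > threshold
    ]


def daily_totals(events, action):
    """Sum each user's counts per day for one action type."""
    totals = defaultdict(lambda: defaultdict(int))
    for d, u, a, c in events:
        if a == action:
            totals[u][d] += c
    return totals


def baseline_alerts(events, action="chart_view", k=3.0, min_days=4):
    """Per-user baseline: judge each day against the same user's other days
    (mean + k standard deviations). Users with too little history are skipped
    rather than compared against a global norm, since a billing clerk and a
    nurse legitimately touch very different volumes of records."""
    alerts = []
    for user, days in daily_totals(events, action).items():
        if len(days) < min_days + 1:
            continue
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            mu, sigma = mean(others), pstdev(others)
            # Floor sigma so a perfectly flat history still yields a tolerance band.
            limit = mu + k * max(sigma, 1.0)
            if total > limit:
                alerts.append({"date": day, "user": user, "rule": "access_baseline",
                               "count": total, "limit": round(limit, 1)})
    return alerts


if __name__ == "__main__":
    for alert in dlp_threshold_alerts(SAMPLE_EVENTS) + baseline_alerts(SAMPLE_EVENTS):
        print(alert)
```

Both functions return alerts for an analyst to triage rather than blocking anything, which matches the workflow in the answer above: a threshold or a deviation from baseline opens an investigation, and a human decides whether the activity was legitimate. Note that the leave-one-out baseline lets a single outlier inflate the standard deviation used to judge the user’s normal days, which keeps those days from being flagged but also means a slow ramp-up in access volume would need a longer history window to catch.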

GR: You have something pretty unique. You hired a security awareness and training manager. When did you hire her, and how did you come about that idea?

KH: People are the weakest link in the security chain. You can have all the wonderful technologies in place, but ultimately it comes down to the people. We developed a security awareness and training program, where we promote very heavily a culture of awareness, and we have a manager who leads that. She has a staff, and we have partnered very closely with our corporate communications team to identify all the communication methods that can be used to reach our workforce. That includes everything from postings on intranet pages to screensavers. We have a very robust phishing campaign program, where we actually monitor results from those campaigns and are able to track trends. It also gives us the ability to target users and groups of users that are more susceptible to these campaigns, including new hires that come into the organization. We use a Northwell Health app to communicate. We run contests and campaigns. In fact, October was cybersecurity month and we had a contest and gave away a pair of tickets to a Rangers game, which seemed to be an effective way to get people’s attention.

GR: I hear from women, younger women and girls who are in high school or college, that they don’t want to pursue a career in cybersecurity because they think they’re going to be stuck behind a computer all day, or coding all day, or in a security operations center or something like that. It sounds like that’s not the case. What would you say to girls who are listening? I do consider you a real role model for women in cybersecurity.

KH: Well, yes, and it’s not that. Honestly, that was my perception too — you know, a bunch of geeks and computer guys that sit behind screens. Probably one of the areas that you get exposed to most in this field is interacting with other people. I think that’s very rewarding, and that can be done through the security awareness and training program that we have — explaining what the risks are and why it’s so important. There’s nothing more rewarding to me than when I get a doctor calling me and he wants to bring in a certain medical device or some type of technology and it’s going to provide all this clinical value to the organization and to patients. It’s always a great discussion when I learn about that, and I’m also explaining to the doctor about the importance of cybersecurity, because in order for that device to work and be relied upon, and for the data and the data integrity from that device to be something you can rely on to render care, you have to have security. It’s very rewarding in many ways. There’s a lot of self-fulfillment that you can get and there’s a lot that still needs to be done in this area, so we do need people to pursue this as a career.

