Chief Information Security Officer Vugar Zeynalov - To Catch a [Cyber] Criminal
Speaker 1: Welcome to Beyond Leadership, at the intersection of leadership and everything else. In this Cleveland Clinic podcast, we will commingle with extraordinary thinkers and explore the impact of their ideas and experiences on leadership and management.
Brian Bolwell, MD: And I am Brian Bolwell, your host. Today we're joined by a very special guest, Vugar Zeynalov, who's the Cleveland Clinic's Chief Information Security Officer, to talk about cybersecurity. Vugar is an accomplished IT executive with over two decades of leadership experience delivering business-focused security services and cultivation of world-class security talent. His approach to cyber risk helps businesses and heavily regulated global markets through high-stakes acquisitions, business expansion, and the adoption of emerging technologies. Welcome, Vugar.
Vugar Zeynalov: Hello, Dr. Bolwell, thank you. Thank you for having me.
Brian Bolwell, MD: So can we start by having you give us a definition of what cybersecurity is? I think people probably have different views about what it actually means.
Vugar Zeynalov: Cybersecurity is a newly emerging discipline to protect our most valuable digital assets from cyber criminals.
Brian Bolwell, MD: And we're in healthcare. Why is healthcare such a big target?
Vugar Zeynalov: A few years ago cyber criminals figured out how to monetize a healthcare record, and right now it's the most expensive record on the black market. It's about 50 times more expensive than a credit card. And the reason for that is because that record is permanently attached to a patient, unlike a credit card that you can easily change, and it's very rich. It can be used for identity theft, prescription drug, and Medicare fraud, and many, many, many other ways of criminalizing it. Plus the criminal business model is evolving. Now instead of stealing from hospitals and selling that data to someone else, they're also deploying ransomware and extorting victims for money to get their data and systems back online, because they know that care delivery is of utmost importance for us.
Brian Bolwell, MD: So what type of attacks concern you the most?
Vugar Zeynalov: Well, just like with treating disease, we don't focus on only one aspect. So mature security, like healthcare, is about a holistic approach. The threat landscape is changing constantly, so right now we're trending in phishing and ransomware attacks, because they're simple and can be very, very effective.
Brian Bolwell, MD: So can you define those for us, Vugar? What does that mean? What is phishing and what is ransomware attacks?
Vugar Zeynalov: Phishing is a way of luring individuals to click or do something that the criminals want them to do. Typically they send them an email with a sense of urgency, and using different techniques have them click on a link that leads them to malicious software. Ransomware is an attack where the criminals encrypt your most valuable data, and then extort money in exchange for either not releasing that data, or conversely, giving you a key so you can unencrypt it.
Brian Bolwell, MD: So this happens a lot with our phones, too, right? I mean, I think all of us are receiving spam telephone calls and spam messages, and is that all part of the same bucket?
Vugar Zeynalov: Continuously. As we evolve our defenses against email phishing attacks, they move, they evolve, they change, they adapt. These cyber criminals, unlike nation states like China and Russia, they don't have better tools and techniques than we do, but what's interesting about them is that they, like insurgents, they constantly adapt their techniques and tactics. So they've seen that our email protections improved, now they're focusing on mobile.
Brian Bolwell, MD: So how do we combat this stuff?
Vugar Zeynalov: Good business decisions. We prevent everything that's reasonably preventable, and whatever we can't prevent, we hope to detect them early, respond swiftly, and recover with a minimum impact to our business.
Brian Bolwell, MD: So you started here, what, about three-and-a-half years ago?
Vugar Zeynalov: Yeah.
Brian Bolwell, MD: What was the first thing you did?
Vugar Zeynalov: Well, before coming I put together my hundred day plan, everything was structured. But when I first came in, we had a series of unfortunate events that led me to, in one hand, to quickly ramp up our defenses. On the other, interestingly enough, it allowed me to meet a lot of wonderful people across the enterprise. And it became apparent why the Cleveland Clinic is number two hospital in the nation is because that culture of excellence we have.
So the first thing I did after we survived these unfortunate events, I went on a listening tour. I met with every leader we have. And in the most humble way I try to understand what's important to them, because if I understand this was a new program, we could focus on the areas that matter. Also if I understand, and God forbid something happens, we can make good decisions, the same way if you know your patient, you can rush them to the operating room.
And the final thing I told them, if there is one thing I can guarantee is that we're going to make mistakes. And when we do, I want to have that relationship in place so we can pick up the phone, course correct, and move forward. And it was one of the most wonderful experiences for me, that listening tour and visiting our medical facilities, because: A, I learned how to speak to clinicians. And these are the people who have lives of people on their hands. I was coming here I was thinking, "How I'm going to talk bits and bytes to the people who have lives of people in their hands?" And they helped me to frame the messages in a way that it made sense to clinicians.
And also I learned that doing anything with the clinician, versus to the clinicians, is going to have far better impact in the fact. And the third thing I learned is that we're dealing with very, very busy professionals, and any minute I take away from the clinicians to connect with the patient, that's one less minute that gets spent with a patient. So we try to instill that culture of frictionless. Whatever we do, build it in a way that's as frictionless as possible for our clinical workforce.
Brian Bolwell, MD: So what did they tell you?
Vugar Zeynalov: The clinicians?
Brian Bolwell, MD: Yeah, so you interviewed all these folks, including me. I remembered our meeting very well. What did you hear? What did they tell you?
Vugar Zeynalov: So, first I learned about your business, and how important it is for the Clinic from giving your perspective. Second, I learned about all the pain points that you had with the technology. I learned how important it is to [have] technology for delivering high quality care. At the same time, I learned that any friction, any service interruption, any cyber event, that all impacts our care delivery, and impacts in a profound way. Prior to coming to the Clinic, I worked for the government, financial institutions, payers, and these are all wonderful institutions and they have all the important things in the world, like financials, brand reputation, we have all that, too. But on top of that, we have live patients connected to 150,000 medical devices. And all of them are tiny computers in a beautiful package.
And also identity theft, for example. Losing somebody's data, it's very hard to go back to a cancer patient or a family of a deceased and tell them, on top of everything else, we also lost their data. It's not a conversation that anybody wants to have. And something like a computer virus that can make our systems then unusable. For financial institutions can mean that they can't process transactions, they can't process claims. For us it means babies in NICUs, people in coma, and loved ones storming the hospitals trying to find out what's going on because the phone system’s down. It was an incredible learning for me because this industry is as close to the people that you're protecting in any other industry I've been to.
Brian Bolwell, MD: Did you hear about things beyond the electronic medical record, and if so, what were they?
Vugar Zeynalov: Well, certainly. So we talked a lot about medical devices and security of medical devices, because they directly impact patient safety. We talked about ability to communicate, because this is also a research facility. A lot of our clinicians, they're renowned, world-renowned researchers and world-renowned scientists. So on one end, we need to protect the data. On the other we should allow our researchers and scientists to be able to deliver their care and research. So it's an interesting dilemma between protection and enablement.
Brian Bolwell, MD: So one of the things about research, of course, is the importance of big data, of handling huge amounts of data. For people like me, and the Cancer Center, the human genome has billions and billions of bits of data. So does that pose any special challenges?
Vugar Zeynalov: Oh, certainly. The larger the data sets are, the more lucrative they become. It's a one place accumulation of massive amount of data. If the criminals find a way to get there, then it's like a heyday for them. Protecting big data presents a special challenge. It also presents an opportunity because the big data capabilities are relatively new, and a lot of them have been built with security in mind. It's just getting engaged on the appropriate time and building the appropriate controls up front, and educating our caregiver can make all the difference in the world.
Brian Bolwell, MD: So with big data, a lot of times it's stored in the cloud. How do we interface with the cloud?
Vugar Zeynalov: Well, cloud is not a new technology. It's just a different way of delivering computational resources. So the risks that we have here internally, they're the same risks on the cloud. They're just amplified by the fact that you lose physical control of an asset. So in the type of the cloud that you're dealing with, the most important thing is building trust, and trusting the party you're dealing with. Any relationship, personal or a business, is about trust, and trust is established through a series of assurances. So if we get engaged early, we can make sure that the cloud service provider had the appropriate protections in place, just like the legal side, or any other, to not only protect it up front, but also maintain that trust through the life of the relationship. And have the appropriate provisionings for you to get your data back if that relationship saturates. So building all these protections in place on your behalf is a recipe for success in dealing with cloud.
Brian Bolwell, MD: Tell me about your team, and how you approach your team and coming up with functional teams, and what you as the leader do to enhance your team's ability to execute.
Vugar Zeynalov: Well, I try to instill that culture of excellence that we have on the clinical side, which makes the Cleveland Clinic number two hospital in the nation; instill it into the way we design and develop our team. And it starts with attracting strong talent.
Brian Bolwell, MD: Yes.
Vugar Zeynalov: My philosophy for leadership is attracting people that are smarter than me, giving them what they need, and getting out of their way. The second component of this is a culture of compassion and caring within healthcare. We need to instill that culture because they, as I was saying, this is the closest to the people you're protecting. They need to feel the same pain as a patient would, or the clinician would, if something is not done right. And the third is creating a culture of innovation where the people feel comfortable speaking up their voices. It starts with, again, just like we talked about with the vendors, it starts with trust. Trust is a foundation of everything. So having that personal touch and personal connection allows people to feel comfortable, and that comfort enables people to speak up and sometimes disagree respectfully. In that disagreement, the best ideas are formed.
Brian Bolwell, MD: Yes.
Vugar Zeynalov: And ability to hear voices. But then, once we come up with the ideas, we should be able to commit and don't look back, and that commitment leads to accountability and results. And finally, what we're learning from the clinical side is building that culture of continuous improvement, and instilling quality into what we do continuously. Whatever we put forward, we want to make sure, I use the word frictionless, but quality is another component of frictionless. Whatever we deliver to you, because it becomes part of your workflow from that point onward, has to be highest quality, that fundamentally may impact care delivery.
Brian Bolwell, MD: So that was great. You said a lot of stuff that we can touch on, but a couple of things that I'd like to touch on is, you mentioned the importance of attracting great talent. How do you do it? How do you recruit? How do you recruit in general? In medicine, one of our challenges, I think, is sometimes we recruit a little too much for academic pedigree, and not enough for some other attributes that may be important. How do you recruit?
Vugar Zeynalov: Well, attracting cybersecurity talent is really hard nowadays. It's a negative unemployment market. Right now there are 400,000 open jobs on the market.
Brian Bolwell, MD: Wow.
Vugar Zeynalov: And although COVID impacted many other professions, because of the telemedicine, because of the remote workforce impact, the cyber talent is even in a higher demand. So realizing that attracting the top talent is going to be a challenge for us, we took a little bit different approach. All my teams transformed into what we call teams of teams, and agile models where individuals don't have very specified roles and responsibilities. Instead it's a team where the senior members of the team can distill and educate new talent that we bring to bear. So because we don't have that very, very specific, specialized way of doing things, we can inject new talent, quickly train, and in the collaboration with the senior members of the team, raise the overall quality of the team in a much faster pace.
Brian Bolwell, MD: So it sounds like you're attracting some relatively younger talent and then educating them about different opportunities and different ways to execute.
Vugar Zeynalov: Correct. That's been our army. And I have to say, in a very short period of time. Now the challenge is, they quickly ramp up, and now their marketability increases, now retaining them becomes a challenge as well.
Brian Bolwell, MD: Yes.
Vugar Zeynalov: After we made that investment into them.
Brian Bolwell, MD: Yes, and hopefully our culture is a way to retain people. You know, one of my favorite quotes is that great teams are a magnet for great talent, and hopefully if you've got great teams, it's a little harder for them to go.
Vugar Zeynalov: You know, someone told me in my listening tours is that people come here for the brand, but stay for the people.
Brian Bolwell, MD: I think that's a great quote.
Vugar Zeynalov: It is, it is a great quote. It's a humbling experience, you get to work with the best of the best in the world.
Brian Bolwell, MD: So another thing you touched on was the importance of trust, which I think all of us would agree is fundamental to any leadership, and really any relationship. But then you talked about the importance of healthy dialogue and respectful conflict. The second most important attribute in a high functioning team is to have respectful conflict and open dialogue. How do you generate that?
Vugar Zeynalov: By giving everyone a voice. So our team meetings, it starts with everyone getting one minute just to share what's relevant and important to others. And then on the intersection of that, we don't come up with a pre-defined agenda. On the intersection of that we decide as a team what we want to talk about. But I want to make sure that everyone continuously gets a voice.
Brian Bolwell, MD: I really like that one-minute idea, I think that's a wonderful idea so thank you for that. You also mentioned very briefly, which I'd like to expand on, are the challenges of the COVID pandemic, and the increased use of telehealth and telemedicine. What are the increased risks from a cyber security perspective?
Vugar Zeynalov: Well, unsurprisingly, cybercriminals, both foreign and domestic, are trying to take advantage of the global pandemic situation, as they never let any crisis go to waste. And then also nation states, such as China and Russia, have stepped up their espionage efforts aimed at coronavirus vaccine research. So you see a proliferation of fake COVID-19 themed phishing emails, phone and text messages, you mentioned, and they are being all used to lure victims to visit the websites with payment scams or malicious software, exploiting the human traits like concern and curiosity.
Almost every industry has been impacted, but healthcare is a primary target as nefarious actors see healthcare professionals who are exhausted physically and emotionally, and entire health IT systems that are changing overnight to accommodate these new working styles. Also people are continuously searching for the latest information. So any threat masquerading as a trusted COVID-19 news has a huge pool to fish in. And to that end, I want to say that Cleveland Clinic’s communication team has done an excellent job curating these news and information, and I encourage everyone to check out Cleveland Clinic's newsroom and Twitter feeds as a reliable source of information.
Brian Bolwell, MD: So how do we combat these threats? Another threat that I can think of off the top of my head, Vugar, is, well we call MyChart, and that patients can have direct access to their medical record, which five years ago really didn't happen very often. How can we manage this stuff?
Vugar Zeynalov: You asked me in the beginning of our conversation about learning from our clinicians, what I learned is that there's a lot of similarities between the world of medicine and the world of cyber. We even used the same terminology, viruses. If we see a vulnerability of some sort, or weakness of some sort, we start with the stop the bleeding, tactically addressing some of the challenges we have. And then we do a diagnosis to understand what our gaps and weaknesses are. And then finally we build a treatment plan to define our path to the future.
So on the caregivers side, this changing working styles, such as work from home and telehealth expansion, obviously adding new ways--and this is not new technologies, they existed for a while--but then we're living through one of the greatest experiments in remote work and virtual health. As you may know, the Clinic is now doing 26 times the number of virtual visits that we did just a few months ago.
Brian Bolwell, MD: So what did you find when you first came here, and how did you prioritize the challenges that you found?
Vugar Zeynalov: Most of the people want to do the right thing. If they have the appropriate tools, and those tools are easy to use. My number one priority right from the beginning was giving our clinicians that trusted and resilient digital platform so they can continue doing education and research. Ultimately, if I can build security absolutely frictionless for you. And we have, we have built a lot of capabilities that were with a minimum friction, or invisible almost to our clinicians. Or if I give our clinicians a platform that's easy to use, this is approved, structured, secure platform that's easy to use, most of the people want to do the right thing, and most of the people will. And then we also build some capabilities to detect any violations and react to them. Most of the reaction is going to be education, but in some cases we have to take more stringent measures.
Brian Bolwell, MD: One of the stories that you shared with me was during your listening tour, you went to an inpatient nursing floor and you found that there was a whiteboard with all the different passwords that the nurses needed to use for different programs, just different stuff. And how did you react to that?
Vugar Zeynalov: My team and I, we visit every facility we have, and we went through what we call a journey of the patient, from admission to discharge. And you're right, it was a very painful sight to see how clinicians and nurses specifically were combating some of the inefficiencies of our technology platforms. There were dozens of passwords, which are hard to remember, and they are continuously changing. So I saw nurses carrying sheets of passwords on their badges, and then they were writing them down on the white board, because the next shift is coming. So one of the priorities was eliminating those passwords. And so far we eliminated close to 70-plus passwords, and we continue on that journey.
Our vision is get to one password, but ultimately no password at all. If we can get to that, if we can get to the setting where the systems recognize you, based on multiple factors, you come in and it knows who you are and gives you what you need to be effective, that would be quite a day for us.
Brian Bolwell, MD: So how far away is that, Vugar, whether it's facial recognition or voice recognition, or other tools or techniques?
Vugar Zeynalov: It's interesting, they're not that far away, the problem is in the clinical setting. Clinical settings present unique challenges. For example, fingerprints, in any other industry, we could have found this solution. Fingerprinting is not possible because our clinicians wear gloves, and facial recognition won't work because our clinicians wear masks. Proximity sensors don't work either because a lot of clinicians work as teams. So whoever has the strongest proximity sensor is going to register. So in a clinical setting, all these technologies that work very well in other industries, unfortunately they don't work as much.
Brian Bolwell, MD: I mean, certainly one of the challenges of the COVID pandemic is the gear that we have to wear. And so, yeah, facial recognition is out the window.
Vugar Zeynalov: Precisely.
Brian Bolwell, MD: I mean not only do we have to wear masks, we have to wear face shields or goggles, it's certainly a challenge. I had a conversation a few days ago with a leader of another industry, and we talked about some of the challenges of leadership, and he mentioned giving feedback, and giving honest feedback. So managing your team from that perspective, from evaluating their performance and accountability, how do you approach that?
Vugar Zeynalov: I believe in continuous feedback; continuous feedback. And it starts, again, we explore this concept of trust, it starts with personal trust. I believe in building connection, personal connection with my leaders at every level, even with families, because if you have a personal trust between the people, at the very least you would expect benefit of the doubt, if you will. And when you're having a discussion, when you're having a conversation, when you're having that crucial conversation and delivering very honest and open feedback, hopefully a caregiver will also see that it's being done in the best interest of the organization, and in the best interest of that individual. So I think trust is foundation. And then continuous feedback is foundation for successfully developing people.
Brian Bolwell, MD: So thematic in your approach is the importance of leadership. How do you maintain those relationships with clinical leadership in a healthcare setting?
Vugar Zeynalov: Those first interactions we had were crucial. And having that humble and open approach and desire to listen, and understand, and be there, and most importantly, be responsive, understanding that the clinical setting, when seconds matter. I think that builds that credibility on trust. The second component of it is, every time we do something, we build what we call clinical impact team with our prominent clinicians. And constantly every communication we make, I run it through our clinical impact team to view it through the eyes of the clinician, to see how it will be received and to see if we're missing anything.
And then designing everything, designing everything upfront with the clinicians at the table. I think that also improves the credibility. And then delivering, delivering on the promises made, clearly articulating this is our plan, this is our milestones, this is what we're doing, and then showing that we're delivering it, and we're delivering it in a way that it's not adversely impacting clinical care. And if it does, we are there, we're listening, we're very, very responsive to adjust and address them as quickly as possible. I think I've been great for building that relationship.
Brian Bolwell, MD: Well, I can tell you that the Cleveland Clinic is very fortunate to have you as our leader for cybersecurity. And I can also personally attest to the importance of relationships, and Vugar has done exactly what he's talked about with the clinical leadership. And it's been a lot of fun for me to learn from everything he's done. Vugar, thank you so much for your time. We really appreciate it. There'll be more coming, so thanks to everybody for listening.
Speaker 1: Thank you for joining us for this episode of Beyond Leadership. We welcome any topic ideas, comments, or questions about this, or any past episodes. Email us at firstname.lastname@example.org, or by clicking on the link in the show notes.
Developed and managed by Cleveland Clinic Global Executive Education.