Afternoon Cyber Tea with Ann Johnson 2.3.26
Ep 124 | 2.3.26

Trust Is Patient Well-being: Rob Suárez on Cybersecurity in Healthcare

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea," where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the frontlines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today, I am thrilled to welcome Rob Suárez, Vice-President and Chief Information Security Officer at CareFirst BlueCross BlueShield. Rob, welcome to "Afternoon Cyber Tea."

Rob Suárez: Ann, thank you so much for having me.

Ann Johnson: So, Rob, let's start with your career. Your career path from software engineer, to medical device security, and now leading enterprise protection for millions of health care members reflects both technical mastery and mission-driven leadership. What personal philosophy drives your approach to cybersecurity in a field where trust is definitely life critical?

Rob Suárez: Ann, it's so humbling to hear you describe my career that way. My background, as you mentioned, is in technology, but my passion is in health care. And when most people think about cybersecurity, they think of technology. My personal philosophy is that under the layers of technology, there is a human element to everything that we do in cybersecurity. And there's a moral responsibility that guides decisions. It's not just about protecting systems. It's about protecting people. And in health care, cybersecurity is inseparable from patient safety and digital integrity. This applies to anyone, not just the cybersecurity professionals, but also business leaders and individuals across many functions. Every decision to prioritize the costs and effort of cybersecurity is guided by the principle that safeguarding technology is also safeguarding health.

Ann Johnson: I do think that, you know, you live in a different world than we do, and at Microsoft we often say that security is the foundation of trust, that earning and maintaining trust requires transparency, accountability, and resilience in everything Microsoft builds and delivers. I've heard that you've echoed a simpler belief in saying, quote, "Everyone deserves trustworthy health care." How would you define trustworthy in a digital health context, and what does it take to embed that value across all the systems, teams, and partners that make up the CareFirst ecosystem?

Rob Suárez: Well, Ann, you're absolutely right. I have characterized trust in that way when it comes to health care and cybersecurity, because when you're sick and you need health care and you show up to a hospital, for example, sometimes and oftentimes we don't get to choose the health care technology that we interact with as patients. We have to assume the trust of the health care institution that's providing these services for us. Resilience in health care goes beyond technical recovery and metrics. It means the continuity of care and the confidence in the systems that we rely on during disruption, during a cyberattack, and when there is a significant attack on health care systems, those are attacks on individuals and their well-being. In health care, we focus on business continuity, crisis management, and cyber incidents to ensure that care can be received with minimal, if any, delay, adapting rapidly without compromising patient trust. To put it simply, exercises and all of the KPIs that we measure not only pertain to systems and their recovery, but also to the ability to maintain essential health services when essential systems such as payment systems are down.

Ann Johnson: That's incredible context, because I think we often think about your patient care systems, the actual provider systems that you deliver care on, but there are not just clinical systems, there are financial systems, and it is a very interconnected ecosystem between payers, providers, device manufacturers and, of course, you're in a heavily regulated industry with the actual patient care experience and life safety at the end. So, how do you protect this type of system where there is this deep interconnected ecosystem of payers, providers, clinicals, financials, everything that's involved? And also, you know, I know you have a lot of experience in devices too, how do you protect it when there is no true owner of the entire surface area?

Rob Suárez: I am a firm believer that in order to match the pace of cyberattacks and what criminals and threat actors are doing to exploit health care, we also have to practice absolute transparency and collaboration in protecting those health care systems. And so, this means being transparent about security risks and vulnerabilities that exist in health care technologies; it means working across various types of organizations on the shared responsibilities that we have to design with security in mind, but then also put it in practice and provide defense in depth. This applies to our third parties as well; there are many different third parties that we use in health care, Microsoft being one of them, that may not necessarily be a health care company. And there are things like governance structures that are helpful in providing that type of oversight and continuous monitoring and accountability for organizations and our third parties. But I think the other part that's really important, where we have no true singular owner of an attack surface, is also promoting a culture where innovation in health care never comes at the expense of trust.

Ann Johnson: I think that sounds really like the right philosophy, right? Innovation doesn't come at the expense of trust. There are a lot of trust factors, and a lot of them are external. You know, I sit on the board of a health care data company, so we're downstream of care, but we spend a lot of time thinking about privacy, security of patient data, making sure that we're anonymizing or tokenizing the right data, because one of the things we think about, or one of the things I know you think about, is that the health care sector is facing escalating ransomware attacks, escalating data breaches. When you think about those vulnerabilities, do you think that technical or cultural ones are the most important, and how do you, across the company, right, across the org, how do you get leaders to really focus on both the technical and cultural aspects?

Rob Suárez: Great question, Ann. I believe that the cultural gap is often underestimated: complacency and a lack of cyber literacy amongst nontechnical teams. Not everyone can be a cybersecurity expert. In fact, I would argue, who is truly a cybersecurity expert? But training and education, and empowering people with information, is one of the most powerful things that organizations can do to address vulnerabilities. If it's a software engineer who is writing software, it's understanding secure coding principles. If it's a systems administrator configuring cloud infrastructure, then it's understanding system hardening standards as well. And even for those nontechnical professionals across an organization, like accounts payable, it's understanding how to spot phishing emails, or perhaps it's now human resources and our talent acquisition partners being able to identify deepfakes impersonating candidates applying to remote worker positions. These are the many ways that we try to close the cultural gap and build appreciation and understanding of the importance of cybersecurity and what to do in the cross-section of those types of issues.

Ann Johnson: I think that's a great approach, and I do think that you're finding and striking the right balance in what is a very difficult environment. We talk a lot in cyber, as you know, about user trust, yet in your world it's patient trust. And that certainly carries a lot of moral weight; how do you continue to deliver services and drive patient trust? How do you, you know, tagging onto the last question of how you build this culture across the org, how are you building a culture where privacy and safety are treated as inseparable?

Rob Suárez: So, the importance of security doesn't exist without privacy. To be clear, we could have the most secure health care technology; however, if those secure communications, if that secure data shares the personal information of individuals, then it compromises the value of that health care technology. In fact, it will probably deter people from actually using that technology. And the same thing applies to patient safety; we can have the most secure health care technology; however, if it undermines the privacy and safety of individuals, then it's very likely that people won't use that technology. And so, that is why, I believe, privacy and patient safety are inseparable from security; security is a means, one of the many means, of achieving those objectives.

Ann Johnson: I think that's good, and I know that you live in this world every day. I don't envy you, right, the position of standing there and having to think about how you balance all these things. The other thing you have to balance is transparency, right? We often talk here about how it's difficult to balance transparency after an incident; what have you learned about communicating risk and recovery in a way that preserves trust, but also preserves confidentiality, safety, and privacy?

Rob Suárez: Transparency and clarity are key. CareFirst has a crisis communications playbook; we emphasize early and honest updates, framing actions as proactive and member-focused. Our communications avoid technical jargon. They focus instead on what matters to stakeholders, and in our work that is the continuity of care and the safety of individuals, perhaps at the most vulnerable times of their life, when they're sick and they need health care. And so, I think that's been very important in communicating risk and recovery for our technologies and in the event of cyberattacks.

Ann Johnson: I think that also goes hand in hand with something that you've championed, which is secure by design. So, one of the ways to absolutely reduce your chance of an incident, right, is to have a philosophy of securing everything by design, securing everything by default; it's certainly not just technology, it's behavior. So, what does that look like in practice for you, and how can other CISOs who listen to the podcast adopt that mindset?

Rob Suárez: So, again, there are absolutely practices that most cybersecurity professionals can iterate through, whether it is applying secure coding standards, whether it's using static code analysis as part of our development processes, running vulnerability scans on infrastructure, applying system hardening standards, or even just having design requirements for security at the start of a project. I think what's really important, though, is understanding how cybersecurity applies to the value your technology is trying to achieve; the value and purpose of this technology to the benefit of patients. And so, if this technology is intended to, for example, manage diabetes for patients, whether it's an infusion pump connected to a patient providing lifesaving medication, or it's a medication supply cabinet that provides lifesaving pharmaceutical drugs to patients, it's understanding the unique scenarios in a health care context where these technologies are applied and prioritizing that value, because oftentimes in cybersecurity, we can try to protect many things and then not protect what matters most.

Ann Johnson: That is so incredibly insightful, because I do think that we spend a lot of time, we talk about it, right? We spend a lot of time planning what we call "whackable," trying to defend against whatever the latest threat is or latest projected threat, while we're leaving literally the keys to the kingdom unguarded, and we have to get better about guarding the keys to the kingdom in a lot of different ways. And certainly, AI can be one of those defenses with deployment, it's going to have to be, right? As we're evolving into the future, we have to contemplate how we deploy AI in a responsible and pragmatic way. When you think about AI and health care, there's also this focus on efficiency and insight and getting better insights from the data that improve health all up. How do you balance, though, this promise of AI, particularly in health care, with the ethical responsibility to protect data integrity and also to protect patient privacy and autonomy?

Rob Suárez: Well, Ann, AI, at its core, is technology, and technology is much like the human body. It is not perfect. By design it's not perfect. And in fact, over time, it ages. But instead of disease and illness, software and technology produce vulnerabilities. And so, we must accept that anytime we incorporate technology into health care, we need to factor in those tradeoffs and ensure that over time we maintain that software and we breathe new life into it; that we feed it and nurture it, the technology. And that we stay focused on the value every single time that we make a decision to use technology; in this case, artificial intelligence. It's very important that we make a conscious decision to focus on what health care outcomes will be achieved through the use of artificial intelligence, accepting the possible risk as well: that over time, that AI will need to be nurtured, it will develop vulnerabilities, we will observe those vulnerabilities, and new threats will emerge as well that we have to protect against, and it's an investment to ensure that we continue to drive the value that is achieved through the use of artificial intelligence. So, taking a step back, Ann, there are also technical controls that I think, for years, some organizations have debated and that have now become table stakes in the day of AI. At one time, it was whether or not organizations should adopt multifactor authentication. We know now that multifactor is a must-do and that, in fact, passwords are a source of vulnerability in themselves. And to go even further, going passwordless is an imperative as well. And so, I think when we look across the different technologies that we have in cybersecurity, that is another thing that needs to change in this day and age of AI and in the future of quantum computing as well, which will impact encryption for many organizations.

Ann Johnson: I think all of that is correct. I do think that encryption, quantum, AI, the world of cybersecurity is rapidly changing from the days when I started, when I was, you know, in the early days at RSA Security trying to convince people to use a token for multifactor authentication or strong authentication. And here we are, going into the year 2026, and we're talking about how AI, and passwordless, and passkeys are going to fundamentally harden the environment as we roll out things like quantum and quantum-resistant encryption. So, Rob, this industry, one of the things I love about being in cyber is it moves just so fast. It just really does move incredibly fast.

Rob Suárez: Absolutely.

Ann Johnson: One of the things that stands out in your approach is, you, and I've met with you, I've heard you talk about the human element, both patients and also your team and the team within the organization and culture. Can you talk a little bit about the people behind the mission? You've led global cybersecurity teams across multiple industries; what have you learned about building teams that not only defend, but also believe in the mission behind the work?

Rob Suárez: It goes back to what we were talking about when it comes to how rapid change takes place in cybersecurity, and all of the different types of cybersecurity threats that we need to focus on and protect against. It can be overwhelming. And in fact, in health care it's even more daunting, because there is a patient at the end of everything that we do. And I believe that a purpose-driven team always outperforms, and it allows us to focus on where we need to pay attention and apply more pressure, apply more rigor in security. CareFirst emphasizes the human impact of cybersecurity in connecting technical tasks to patient safety and community health. As leaders, we cultivate this by sharing real-world stories, investing in professional development and creating a culture around a mission. At CareFirst, that's making health care affordable and accessible to everyone. And as we've seen, cyberattacks in the past have had incredible impact on the financial performance of organizations. Those dollars in health care, when there is a ransomware attack, those dollars that are spent on recovering systems could go towards achieving better health care outcomes for patients. And we can look at the cost of services in your local community, for example, whether it's non-medical emergency transportation or transportation to the hospital, or it's a preventative colorectal cancer screening, or it's diabetic testing strips and getting a 30-day supply; there is a cost tied to each of those health care services, and when cyberattacks happen, it detracts from being able to afford those different types of services. And so, I feel that is where you start to cultivate a sense of purpose in my world of health care cybersecurity. It's a conversation around how our work impacts patients and their well-being.

Ann Johnson: I love that. I love that you just tie it back to patients and their well-being. And one of the things that you also have responsibility for, beyond patients and the day-to-day operations, and the program, and the team, is the board. You have to influence the board. CISOs are more and more frequently having to influence their board. In health care, you're also influencing your clinicians, you know, doctors and nurses, and medical professionals that just want to deliver care and don't want to be inconvenienced; you're having to influence policymakers and, of course, you're having to convince patients to trust you. When you think about all of that in the context of cyber risk, how do you translate cyber risk into language that inspires action and confidence rather than making people fearful?

Rob Suárez: Well, in health care, I believe we need to reframe risk as a shared opportunity for resilience, using plain language and relatable analogies. Instead of fear-based messaging, communications need to highlight empowerment: your action protects health. The metrics and dashboards are designed to show progress, not just exposure. And so, there is this sense of confidence that we need to have when we're practicing cybersecurity. And that allows us to be even more transparent around cybersecurity risks and vulnerabilities, because you can't protect what you don't know.

Ann Johnson: I think that's a great phrase that everyone has to actually keep remembering: "You can't protect what you don't know." When I talk to CISOs, I'll say to them, "What is your number one issue?" or "What is your number one problem?" And they all say, "Visibility." Doesn't matter where in the world I am, doesn't matter the size of the company, doesn't matter the industry, they are concerned about what they can't see. They are concerned about network devices, they are concerned about, you know, the rogue tenants, and now they're concerned about rogue AI, right, the agentic world, shadow agents. So, thinking about that and thinking to the future, because we are going to see a proliferation of agents, we are going to see a proliferation of agentic AI to drive productivity, to drive research in your field, to drive better medical outcomes. If you could redesign the CISO role for the next decade, not the past decade, what would you change about how the role is measured, how the role is structured, and how the role is empowered?

Rob Suárez: Ann, I believe the future of the CISO should be measured on trust outcomes and resilience, not just compliance. The role must expand beyond technology to influence culture, ethics, and innovation as part of the overall strategy of an organization; even in the title, this job is no longer just about information security. And certainly empowerment comes from board-level visibility and authority to shape enterprise risk postures holistically. I think that reporting structure to the board is incredibly powerful. I think the other part is the ability to peer into our lines of business and influence, have a seat at the table, when it comes to decisions of how the company will change and provide different services into the future, enabling technology, but also factoring in all these other forms of risk that may impact the value that we're providing to people, to patients.

Ann Johnson: I think that's really important. I think that's a really good construct for it. Well, Rob, we're coming to the end. I call myself a cyber-optimist, and I close every "Afternoon Cyber Tea" with a bit of optimism, because I know that for everything that makes the news, we as an industry have blocked thousands of attacks. So, despite the challenges, despite the innovations, despite what we're doing with talent or AI or quantum, I also believe in the spirit of collaboration and innovation; that's one of the things that I am most optimistic about. I would love to hear what you are optimistic about when it comes to the future of cybersecurity.

Rob Suárez: Ann, I'm optimistic as well. When I think back to 10-15 years ago, many individuals didn't know what cybersecurity was, and we are in a much different state of affairs today. There is much more collaboration than I've ever seen before. And I do think there's incredible value in having a collaborative approach to defense. In this day and age of AI, where we will see threat actors using AI, I also have incredible confidence and optimism about how we're going to continue to use AI for our defenses, in being able to prevent catastrophic cybersecurity events impacting public health. And I think the convergence of technology and ethics offers a path to systems that are not only secure, but equitable and human-centered. I see more conversations happening around the ethics of technology now more than ever before and, again, that makes me very optimistic.

Ann Johnson: Rob, I really appreciate you making the time to join us today. It's always a pleasure to talk to you. You give such great advice and experience, and I just appreciate it.

Rob Suárez: Ann, thank you so much. What an honor to be here speaking with you. I truly enjoyed this experience.

Ann Johnson: And many thanks to our audience for tuning in. Join us next time on "Afternoon Cyber Tea." [ Music ] I invited Rob Suárez on the podcast. I've known Rob actually a very long time through a few companies, and now he is at a health care organization. He's a very thoughtful and insightful leader, and I really knew that he was going to be an excellent guest and provide good insights and depth to the conversation. I think the audience will very much listen to what he has to say and enjoy it. [ Music ]