This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack the Podcast: Building a Security-First Culture in Healthcare IT with Steven Ramirez

[00:00:00]

Drex DeFord: I'm Drex DeFord, President of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together, because cyber safety is patient safety.

Let's get started. Hey everyone, I'm Drex. Welcome to UnHack the Podcast.

I have Steven Ramirez with me today. Hey, Steven.

Steven Ramirez: Hey, Drex. Good to be with you.

Drex DeFord: Tell us a little bit about your job and where you work and all the good things.

Steven Ramirez: Well, good to be with you again. Kicking off 2026 with a ton of stuff going on here at Renown. Renown Health, up in Northern Nevada.

We have four hospitals in the area. We have a health plan that we recently did a partnership with Kaiser on, which we'll back into a little bit further on, to create Kaiser Nevada. So some exciting stuff on that. [00:01:00] A lot of fun work with that going on, and a lot of other cool stuff going on.

I am our CISTO, Chief Information Security and Technology Officer, although I'm saying my T is getting smaller by the day, because we do have some other leaders. I used to own everything across the board, and now we just have service desk, Microsoft, ServiceNow, IT governance, and of course security and all those components.

So still, yeah,

Drex DeFord: interesting.

Steven Ramirez: Still a little bit of other technology, but

Drex DeFord: , As we do the, the CISO summits and we do, uh, other events together, um. I see more and more of that kind of stuff happening. Uh, the CISO, the CTO come together, also the C-I-S-O-C-T-O, um, ascending to the CIO job.

So, um, that's kind of an interesting trend. The question I have for you is like, when you see tension between, uh, because this is a topic that comes up with us all the time too, when you see tension between speed and innovation and [00:02:00] security and. Tech architecture, like who wins? How do you make the call when, when that's a situation that you're seeing?

Steven Ramirez: Well, it was a lot easier when it was just me fighting my internal demons.

Drex DeFord: Uh-huh.

Steven Ramirez: But we set up, we just created an enterprise architecture vertical. And we also have some other functions, because we're going through a big Databricks build-out in the cloud, which I know we'll probably touch on, a lot of the components to that.

So creating, basically, a cloud security program overnight. But I think that goes to your CIO and your overall organizational risk tolerance and appetite, and here at Renown security wins. So we just have the mindset of security by design. What's really good about me having had a lot of the team, until we started to reposition it into the rightful towers that it should have, is that everybody still has that mindset.

So we don't come up a lot of times with just rock, paper, scissors. But I am very good at that. We don't have a lot of friction, which is really good. We don't have politics. We [00:03:00] don't have a lot of that. I like to say that's why it's really fun to work in kind of the medium-large versus some of the bigger ones, sometimes, that we're able to move the needle a lot quicker.

But yeah, again, I think that just goes to our overall risk view as an organization, that security always does take precedence. But instead of being the department of no, it's, we've gotta be at the table, be able to negotiate, do a lot of different components, not be obstructors.

A lot of that can just be done with good governance. So I think that we do a good job of that, and that makes those awkward conversations down the road a little less frequent. So

Drex DeFord: So I know you've got a good boss there too. Talk a little bit about the power of a good boss, and how having somebody like that who has your back, who helps drive the prioritization, turns out to be a really big deal.

Steven Ramirez: Yeah. Chuck, I know a lot of you guys know Chuck, he's an amazing boss. I always say that I'm sometimes the deputy CISO, like he's very passionate about [00:04:00] security, so that makes my job very easy when I have a leader that's very security conscious. But other leaders that are very security conscious too, like with our recent conflict going on with Iran.

I sent an update out, from a lot of the various sources, a lot from our friends and our group chats, to legal, compliance, Chuck, marketing communications and all that, and of course got some great feedback. We ended up sending out an organization-wide message on some different hygiene.

But it's just having those relationships that we've built over the years that just makes Chuck's job easier when I have those other partners, like my chief compliance officer, who's become one of my good friends and partner in crime on that, because again, it's easier to have them.

We now have an enterprise risk management vertical. So we have that being built out as part of our thing, a dedicated leader to that, because we're doing a lot more self-insurance internally. So again, having more skin in the game. So if we're looking at things like, for example, non-IT-supported applications, I brought it up to my [00:05:00] friends and colleagues and said, I don't need my application VP hounding people. This is an enterprise risk management problem. So I take that outside of IT, and then collectively we just work as a three-headed monster to tackle this stuff. So it's a lot easier when you have friends, and instead of security or IT trying to hound you, to have that support outside of IT.

So,

Drex DeFord: yeah.

Steven Ramirez: So,

Drex DeFord: Yeah. So, kind of thinking about all of this, great connections, great relationships, building those bridges across different departments. There have been a lot of major breaches, a lot of crazy things have happened in the last few years.

Tell me about how those events and the work that you're doing, how does all that arrange into conversations with the board? What are conversations with the board like at Renown?

Steven Ramirez: So we just did our, we do quarterly updates that roll up to the audit and compliance committee of the board. So we have our board steering committee that oversees all audit and compliance matters.

So I do that [00:06:00] with my partner in crime, our Chief Compliance Officer. So again, we go through, we update key initiatives, key risks, key areas going on in the industry. For example, we know for a long time social engineering's been huge, people calling the service desk. We have an HR service line.

So a bad guy was able to get that number and try to call around to then call our service desk. But we have controls in place that we were able to thwart that. It's just showing you really the importance of that. We have call recordings that we can then show how calm and collected these people are trying to talk to service desk agents.

Mm-hmm. And that really helped drive our investment and initiative with CLEAR. So saying that, we have a great verification process now, but it's really getting to the necessity of having that next step for ID verification. God bless my friend Jim Bowie. We say he is the founding father of a lot of those processes.

Drex DeFord: Yeah. Yeah. We love that guy.

Steven Ramirez: Great partner. Him and his team have been amazing, to really be one of the first out of the gate. My team synced up with him [00:07:00] before we inked the deal to get some good lessons learned and everything like that. So really just articulating real events to them is what's really most meaningful.

And then just again, keeping it real. And then really just showing them where our investments are, keeping them out of the paper. So

Drex DeFord: That call recording tidbit, I've heard you talk about that before. Taking those calls, using those calls as training for people to listen to, and then kind of have that like, this sounds like a real doctor.

This sounds like a real person who's really in trouble and needs for us to reset their password. Those things are really useful for post-game training activities.

Steven Ramirez: That's why we, again, from talking to Chuck, some other leaders might think service desk is a core tech, but we see that as a security initiative. Again, you're trying to enter our organization, you have questions, we're gonna go through a verification process.

I always use the airport example. You gotta go up to TSA. So you use CLEAR there. So we're like, things have gone through, but you have to show your ID. [00:08:00] You get your face scanned, or you show your boarding pass or ID. It's like you're getting two-factored along as you go.

Drex DeFord: Yeah.

Steven Ramirez: And you go through security, and then you have to show your boarding pass to get on the plane.

So it's no different from concepts that we're using in our real lives, really, to how we want to handle identity as an organization. So having real tidbits, we always say the close encounters, I think those are great to really show not only your investments but, again, that this is what the bad guys are doing out there.

So we need to make sure that we're focusing in on those areas, especially with 80% of attacks being identity-based. So.

Drex DeFord: Yeah. I wanna ask about resilience too. Tell me a little bit about what you're doing. The phrase sort of minimum viable hospital comes up on a regular basis when we're all together.

Talk a little bit about your resilience planning and the work you're doing.

Steven Ramirez: I think in a lot of these areas we've made a bigger focus on just shoring up our downtime procedures. We just did our recent tabletop to really make sure that people [00:09:00] are able to go through and do what we need, to look for single points of failure, see how we can fine-tune that.

We know it's always very uncomfortable without technology.

Drex DeFord: Yeah.

Steven Ramirez: But again, it's doable. And then that's gonna help us drive different investments in technology. We're doing a huge data center migration right now, so we're gonna have more of the high availability and really focus on resiliency. So we've made a big investment too on data protection as well as data recoverability, with a good partner. I know Rubrik, for a lot of different tools, on just having something in the black box, looking at the different layers, layers from your 365 to your identity. And now that we've moved to CrowdStrike after all these years, there's some really cool integrations and plugins that we're looking at, this feature through Rubrik.

Because you have Rubrik Identity, where you can actually do an identity rollback. So if Drex gets through all of these layers that we've talked about, goes through it and is doing malicious activity, we can actually do a rollback to a point [00:10:00] in time with the integration with that. So integrations have been huge to us.

That's really what's helped us move partners strategically, to really see where we can do these various integrations that are a lot more favorable, to really trip up the bad guys sooner. So

Drex DeFord: , So I have to ask about this because we can't have a show without talking about artificial intelligence.

Um, so tell me what you're doing with AI in your security stack today. And maybe what I'm really asking is what's real and what's hype, what's, uh, what's happening with AI and security today?

Steven Ramirez: Again, our CIO's great on us not trying to be the first out of the gate to chase shiny objects.

So now that we've progressed into AI, I think people understand the true capability of AI and how we can actually operationalize it. So we're looking at Copilot. We have a lot of people on Copilot, but really, how are we gonna be able to enhance and get more adoption of people using that across the board? [00:11:00]

And we're also kicking off an initiative to build out Databricks in the cloud. So I think that's gonna set up the layer for us to actually have true AI. We're working with DAX for our doctors. We're looking at it for nurses. So I guess the ambient component is there, and I think that's very low-hanging fruit from an AI perspective.

Yeah. But also looking at other areas. I know that our new ED&A leader and Chuck are going to some various conferences to start to look at like Claude and other healthcare versions of that, to see how we can use that technology. It's come a long way right now. I mean, I have all of that blocked, to your point, that we've set up guardrails.

So this is our approved, this is our non-approved. So it looks like we're gonna have to be able to set that up. So we've made additional investments also in DSPM, to really make sure that we know our data, that we're blocking the things that we should and shouldn't be. But to really enable the business [00:12:00] to move into these new AI-based ecosystems, because we do have the technology now.

CrowdStrike has an agent, we use Netskope that has a lot of different controls that we can go through. And really, again, I always say bumper bowling: we only want people to hit what they're supposed to hit.

Drex DeFord: Right.

Steven Ramirez: But yeah, just having that out there with AI, and us kind of being, I shouldn't say late adopter, but being more thoughtful and thorough on how we want to adopt AI as an organization, that allows us to catch up from a security perspective.

That we're able to have security by design and a lot of these controls in place when we're looking at rolling this out. So

Drex DeFord: It's complicated. I mean, there's so many different things that are coming at you. Is there a framework that you use when you evaluate end users coming to you with, I want AI this and AI that, and obviously the Copilot stuff that you're doing?

How do you catch and prioritize and manage that? What's the framework look like?

Steven Ramirez: So we use an internal process [00:13:00] called Phase Gate. It's a governance process where people have to put in ideas and requests, and it's reviewed by our Phase Gate committee.

Drex DeFord: Mm-hmm.

Steven Ramirez: So they'll look at, really, application rationalization.

That's where we do our security assessments, look at the whole ball of wax of what this is and what value it's supposed to be bringing to the organization. And before it gets out of idea phase, then we have to do an SBAR. Then that's presented at the President's Council. They have to look at it from the dollars and cents, but also, what value is it bringing to the organization?

So I think good governance really helps set us up for success on looking at that. And everything has some kind of AI to it. So we initially set up an AI policy using NIST, using a lot of just other best practice on what we should and shouldn't be looking at, in partnership with our quality and safety as well as our compliance and privacy team.

So we have that set up. And now our new data and analytics leader, she's really setting our AI policy for the organization and a lot of those [00:14:00] various other guardrails on what we wanna look at, with our focus on platform AI.

Drex DeFord: Hmm.

Steven Ramirez: So we're gonna really look at the Epics, the Microsofts, I'll just make up another name like the, yeah,

the CrowdStrikes of the world, partners that we have relationships with, versus us having to go out and build it ourselves. So the whole build-versus-buy discussion, we've just really married that up to the idea that we're gonna really focus on platform-based AI. So

Drex DeFord: We could do another whole show talking about build versus buy. But this idea too, we hear a lot of folks talking about: for the partners we already trust, when they're rolling out AI components we spend a little less time kind of worrying about those, or beating ourselves up around doing those investigations, compared to something brand new that's coming in that we kind of have to take through the whole process. It sounds like your governance process applies.

[00:15:00] It's the same governance process for an AI thing as it is for anything else that would come through the pipeline. You don't have any special AI.

Steven Ramirez: Just another set of eyes is the way we look at it. So we have our Enterprise Analytics leader that will look at it and/or set the framework. So yeah, we're not gonna create a special one, because if it's AI today, it's quantum computing tomorrow, and we'll just be trying to, ever, like cybersecurity, the same focus that we want to kind of have an all-risk approach. So more of a holistic technology approach, that we just have strong governance and intake, that we'll be able to really just shape what we're doing. So,

Drex DeFord: You talk about the value of these projects as they go through the phase gates, and what's the business plan, what's the value? So when you walk into the CFO's office, when you and your internal co-executive partner on one of these projects walk into the CFO's office, how do you frame those conversations, and how do you talk about risk as part of those conversations?

Steven Ramirez: Our CFO, [00:16:00] before they sign off on everything, the great thing is they have to have the security review on all DocuSign. So we have strong enough governance that it's the assumption that if you see my name on that, we know we've put it through and we've looked at it from a risk perspective.

But I think that's really the importance of this intake process, that we're looking at all of these things, having these discussions. Then they're having that at the SBAR level as well, to have the value-based discussions as well. And we have enough different layers. We're all friends here. That's a great organization here, that we're able to talk through a lot of: what is your strategic plan?

What are we doing with these different components? For example, Databricks, we're bringing that out, we're building in Azure. I really didn't feel like I had the program I needed from a cloud perspective. So I got investment and funding to hire a cloud security architect, who starts in a few weeks, where, you know, buying a Netskope plugin for data protection.

We're getting the CrowdStrike cloud pieces, all of these different layers. You would think, I know, you should be treating on-prem and [00:17:00] cloud very similar, but they're really not. So making sure that we have our hybrid environment fully scalable, from our secured landing zones to those pieces.

So by being able to have those discussions when the ROI and SBAR are presented to President's Council and our leadership team, they know that we have had those discussions from a security perspective. We have our tools, we have the people, we have our partners that ensure that we're successful in that.

So that's just how you do it there. It's about having partnerships, especially on these bigger projects. And I think our intake process does a very good job of making sure that we just ask that blunt question on how's this gonna be supported? Have we looked at it from a security perspective? How's this gonna integrate, and what's the importance of data?

And specifically with AI, defining what AI is and isn't. Because there's obviously the AI like Copilot versus machine learning. Machine learning, if we don't have good data, hence why we're doing our Databricks project, like a lot of different organizations, then we're never gonna fully be able to do machine learning, decision [00:18:00] support and a lot of those bigger projects.

Yeah. So we get that perspective that it's crawl, run, walk, fly. But you need to be able to do that well before we can do all these fancy things. But the other low-hanging fruit stuff, the ChatGPTs, the Copilots of the world, we feel comfortable with our controls, and of course getting the HIPAA and healthcare versions.

So

Drex DeFord: Yeah, that's good. The crawl, run, walk, fly. Fly is the part I've not heard people sort of talk about. Where'd that come from?

Steven Ramirez: I heard that at a, I love that. I heard that from somebody else. I'm giving credit to somebody out there. But it's because we all talk about run, but it's like, run, we all wanna fly, we want to excel.

Drex DeFord: Yeah, no, I like that. Plagiarism is the most sincere form of flattery, and so somebody gets credit for coming up with that. I don't invent any of the things that I say. I'm sure I steal almost all of them from somebody else. So you're in good company. How do you avoid one [00:19:00] of the topics that comes up over and over again when I talk to,

I mean, everyone in healthcare, CISOs especially: how do you avoid burnout? What are you doing with you and your team? What's your approach to that? How do you keep yourself from, there's always more work, how do you stay on top of it but not go crazy?

Steven Ramirez: No, that's a very timely question.

Because we've been having some of those internally, because if you have a leader like me, that my foot just stays on the gas, I'm sending emails, I'm sending Teams messages, and sometimes I don't realize the downstream impact that that has on my team, on just what they generally have on their plate. So just setting up more discussions, being more flexible on making sure that people do work-life balance, and then just making sure that people push back, because I'm

like, oh, did you see, I just went to ViVE last week, did you know that we can do this, this, and this? And it's like, we don't want to just be, because this is my own philosophy and I'm not trying to go against my own principles, we don't want to [00:20:00] just over-buy technology that we're gonna only be able to implement 80%.

Like I'm all, we're gonna go with this tool, we're all in, we're gonna get to the finish, make sure it integrates with everything. So I need to be mindful, because again, everything's changing so quickly. Of course I'm like, boom, boom, boom, we need to do this. Just to be very strategic, not be overbearing.

And then remember to push your team to take time off as much as you push them to go out and get the job done. So like we're doing, after our chat here, I'm taking my whole team out to lunch. We're making sure that we're just having a lot more personable time, having communications, because I think we live in a crazy world.

And adding in just go, go, go all the time, we're gonna see burnout. It's just, yeah, just as a leader, making sure that you don't add that extra fire on what else is going on in the world. So,

Drex DeFord: Is there one leadership lesson right now [00:21:00] that healthcare CISOs and CTOs are learning the hard way?

What's one thing you see people doing that you're like, oh, I wish you weren't doing that. Let me help you not do that. What would that be?

Steven Ramirez: Well, I think buying too much without an end goal. And then, like what we had talked about with integrations, a lot of what we were buying was to just build up, to be able to drive maturity, and we didn't really have the vision till we were halfway along on, now we wanna make sure all these tools talk. If we're able to do a lot of these components we want to do from an automation standpoint, we're gonna have to pivot. So I think just having flexibility, not trying to go too far into the future.

Like I always do three-year roadmaps, which I almost think we need to go to like year-and-a-half, two years now. It's unbelievable how

Drex DeFord: fast things change. Yeah,

Steven Ramirez: Yeah. Like sometimes you just get lucky. Like, I budgeted for cloud and all of this. I'm like, see, I'm Nostradamus, I knew we were gonna be lucky.

So sometimes you [00:22:00] just have to get lucky, but it's about building a foundational element that, regardless of what the new hype is, AI to quantum computing to the next thing, it's really just an all-hazards approach, kind of like emergency management, that we're able to just pivot.

And then if we do the fundamentals very well, we'll do very well. And now the fundamentals to me are identity. I'm going crazy in the identity space on a lot of different components that we're looking at, we're implementing. Because again, it's 80%. That's a lot of the grades I got in college.

So if I could just consistently get that college B, nice B, I feel like we're doing well. And then the other areas are just good hygiene and vulnerability management, different automations, but everything's root cause is always, oh, the compromised account or this, this, or this.

So if we can get our more complex and a lot of our other pieces into the identity piece, I feel like we'll be doing very well as a health system.

Drex DeFord: Last question, because every time you say [00:23:00] something, it could turn into another whole show that we do. But so identity: non-human identities, human identities, AI agents, and I mean the list, equipment, service accounts, there's so many of those things.

Just really quickly, is there some clue that you have for everyone who's struggling with, how do we do identity better? How do we do identity hygiene better? What's one tip you would give folks who are trying to figure that out right now?

Steven Ramirez: Well, identity's very complex. It's almost its own program, and that's where we're trying to compartmentalize it under cyber operations, just because there's so many layers, from PAM to MFA to, like you had said, the non-human identities, and there's a different tool, a different process, a lot of different components. Just because you have MFA doesn't mean you have strong MFA.

Just because you have strong identity verification doesn't mean, so that's again, like [00:24:00] we had talked about, our process at the service desk. I feel like we're still in the top 5% on some of the practices we do.

But by us going with CLEAR, putting a big investment into that, can that get us into that two to three percent of knowing this is gonna better protect us? The human identity piece. We partnered with Silverfort, which I heard about from my buddy Nate,

Drex DeFord: Oh, right.

Steven Ramirez: Yeah. So he's, anything he, he's great on the needle.

I think he does a, I heard him speak at ViVE. He's amazing for what he does for the industry, and

Drex DeFord: Totally.

Steven Ramirez: If he's using it, I'm very interested. So that's something that we've been looking at for the non-human identity side of the house, to kind of layer into your privileged access management, your MFA, to your CrowdStrike identities, to the identity rollback.

So as you see, there's so many different layers. I guess my tidbit of advice is, looking at all of these different events that we've had, look at really the anatomy of the attack. So we [00:25:00] know we've done a great job of shoring up our defenses in phishing. Say there is a compromise in phishing: do you block local admin access?

Then can you go, and does that account have wide-open access? So just looking at all of those different components, and risk-based authentication then is another safeguard to that.

Drex DeFord: So don't try to solve world hunger. Yeah.

Steven Ramirez: So there's

Drex DeFord: like, the more you know, the more you realize that there are other problems. You just kinda have to prioritize.

And

Steven Ramirez: the kill chain's just crazy in identity versus some of these other

Drex DeFord: Yeah.

Steven Ramirez: areas, like zero days. We know vulnerability management, and is it external-facing? And then it kind of stops there a little bit, and then you go down to these layers we talked about. But identity is just, I just envision that big myriad of dominoes, like if you don't think about this, this, and this.

So we try to have the discussions of, this is the end goal of what we have seen from all these various attacks. How can we put a trip in that'll stop a domino, so that they're not going all the way into [00:26:00] unfettered access, going all through our world. So it's, yeah, it can get very complex, can get very problematic too, because that's where you have to have a lot of care and feeding, working with infrastructure, to go back to what we had talked about earlier,

Drex DeFord: right?

Steven Ramirez: It's a huge, huge project. That's where relationships, transparency, and use cases are really, really important. And then integration, that we're setting up all these little niche components from an identity perspective, you sure as heck better know, from an alerting and monitoring perspective,

Mm-hmm. what is what. And then just because this tool can block this, you need to have it talking and/or integrated with this to stop that kill chain. So it's,

Drex DeFord: It is, everything's connected to everything else. And that complication is part of the problem too.

Steven Ramirez: Yeah. So understand the anatomy of the attack, and just how you can shore up defenses on specific identity, is just fascinating. That's one of the things I'm very passionate about, and something that I [00:27:00] feel like we're doing top notch here, so,

Drex DeFord: Yeah. That's great. Hey, thanks for being on the show today, Steven. I appreciate it.

Steven Ramirez: Of course. Thanks for having me.

Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together we are stronger.