Interview: Richard Starnes, CISO, Kentucky Health Cooperative

Written by

Richard Starnes, CISO, Kentucky Health Cooperative
Richard Starnes, CISO, Kentucky Health Cooperative

The CISO’s role has never been more high-profile. Yet even as some CISOs bask in the glare of the new-found spotlight, there’s no doubt the job has become more complicated, and more mission-critical than ever. Moreover as rivals suffer from breaches, boards are calling on their CISOs for answers to one key question: how do we stop it happening to us?

The answer isn’t simple. In fact this one question leads to more pertinent ones. For example: Do we have the ability to stop it happening to us? Are we investing in the right things? Are we prepared to invest at all?

As we sit down for interview at Infosecurity Europe Richard Starnes, CISO at the Kentucky Health Cooperative, doesn’t look phased by such pressure. Starnes is a well-known figure within the community, and thoughtful individual who seems to maintain a balanced perspective on all things infosec at a time when some areas of the industry are entering panic mode.

Kentucky Health Cooperative came into being as a result of the 2009 Affordable Healthcare Act in the US. This $300m+, 100-employee company was set up in the space of 12 months, which from a security standpoint sounds like something of a big project to get off the ground.

“To a certain extent you can’t really set up security on something that doesn’t exist,” Starnes says. “You can define what you think it’s going to look like – but what you think it might look like at start-up is not necessarily what it’s going to look like tomorrow.”

Budgeting, as ever, presents another issue, he argues: “You fit your security for a certain level of enterprise, then it actually expands beyond that and you have to figure out, ‘am I going to let this grow a little bit past capacity so I can get to the next tier or not?’”

Starnes also has a background in, and continues to operate within, law enforcement, as deputy sheriff/investigator at the Franklin County’s Sherriff’s Office. He describes two different areas of security within his law enforcement role – aiding investigations, and establishing the agency’s own networks to prevent against malicious activity.

“The best things about the ISACs is that we’ll get feeds that we can immediately drop into our firewalls"

“When I came in we swapped out the network and put in new server and workstations and CJIS class laptops – those are the big clunky hardened laptops that have access to NCIC,” Starnes explains.

Is there a major difference in provisioning a law enforcement organization with appropriate infrastructure than in healthcare? “It’s the same standard network set up because you have certain protected data and data that’s less sensitive. The only big difference is that [in law enforcement] laptops have to follow CJIS certification for access to sensitive government data and that’s a different compliance regime.”

Another big difference between a private healthcare environment and law enforcement is that Starnes and his team have free access to MS-ISAC, a government intelligence network for cybersecurity, whereas with the Kentucky Health Cooperative, he has to pay for access to an ISAC.

“The best things about the ISACs,” Starnes adds, “is that we’ll get feeds that we can immediately drop into our firewalls that supplement the feeds from the manufacturer. That’s the most effective real time example of how it works. They’ll give you things to look for – indicators of compromise. That’s really where the rubber meets the road.”

But involvement in industry-focused intelligence sharing initiatives isn’t necessarily translating into better security across healthcare as an industry, with numerous high profile breaches of healthcare records occurring this year. Is Starnes surprised to see fellow organizations being breached?

“No because [breaches are] a standard course of business these days. Plus health records have a higher value on the black market than any kind of record because of the number of things you can do with them. Those health records will have all the information you need to exploit someone financially.”

But while it is unsurprising to see healthcare companies getting targeted, “What is interesting,” Starnes suggests, “is that these latest breaches appear to be nation-state targeted. So then you have to ask the question – is the goal for accessing health records for financial gain or is there another potential use for that?”

Another familiar process for healthcare industry security pros is compliance with the Healthcare Information Portability and Accountability Act (HIPAA). Compliance, while effective to an extent, is “not the beginning of wisdom,” Starnes says.

“Compliance is part of the path. Just because you are compliant does not mean you are secure by any stretch of the imagination. But I think compliance sets a reasonable baseline for companies to follow, but there are lots of examples of companies that have been breached that were compliant. And not just letter-of-the-law compliance, but they had a compliance program that was designed to be secure.”

The bar to information security compliance is always going to be getting raised across industries, Starnes believes, because hackers are always raising their game. 

“This is the arms race of our generation, there’s no doubt of that. The problem is that this is not something that we’re ever going to win."

“This is the arms race of our generation, there’s no doubt of that. The problem is that this is not something that we’re ever going to win. We’re not actually – because of political issues – going after the hackers. They’re sitting in countries where they can’t be touched. While I do believe industry needs to focus on upping its game, government needs to figure out how to take the fight to the enemy.”

But the US government, despite its resources, is not necessarily faring any better than the private sector in getting its head around the burgeoning cybersecurity problem.

“It’s still early days – they first started with Howard Schmidt first as cybersecurity tsar. He was hamstrung to begin with because 90%+ of his staff were seconded and he had no budget. There’s a lot in the press being made of boards and C-level execs starting to take notice of information security but there’s a large difference between interested and understanding. And there’s a further difference between understanding and action. I don’t know that we’re past that interested point because, you take a look at salary surveys and budgets and for CISOs, the salaries are going up but the budgets aren’t, so where do you go from there?”

The salaries situation is not limited to CISOs – security professionals of all kinds are experiencing growing remuneration for their services, something that is having an effect on employee churn. So how, I ask Starnes, do you go about keeping a team of security pros together?

“A lot of workers will actually accept a lower salary if they’re satisfied in their job,” he says. “You have to make sure you foster a good working environment. A lot of security pros like the intellectual challenge, they like the chase and the catch but they like being listened to and putting their ideas out on a table. If you get a security pro who is coming to you with ideas but you don’t have the time, resource or budget to help them actualize their skillset, they’ll go somewhere else. I’m not saying the industry is full of altruistic people who are going to take a really low salary, but that component of it – the work environment – is oftentimes very underappreciated by management.”

What’s hot on Infosecurity Magazine?