Risk Never Sleeps Podcast – Episode #101

Effective Risk Management in Clinical and Research Environments

Guest: Adam Rosen, CISO, Roswell Park Comprehensive Cancer Center
Host: Ed Gaudet
Date: October 10, 2024

Overview

In this episode, Ed Gaudet sits down with Adam Rosen, Chief Information Security Officer at Roswell Park Comprehensive Cancer Center, to explore the multidimensional challenges of risk management in a healthcare environment that is both clinically active and research-driven. Adam shares his career journey, strategies for involving business leaders in risk discussions, handling AI adoption and governance, and the critical lessons learned from real-world incidents that have shaped his approach to cybersecurity in healthcare.

Adam Rosen’s Background and Role (01:23–05:55)

• Early Exposure to Computers:
  Adam’s fascination with computers started young, influenced by his father, and evolved from programming on early devices like the Compucolor and Amiga to formal computer science education and an original ambition to create a game studio.

• Transition to Cybersecurity:
  His career path shifted in grad school with a project on user behavior analytics which, though less successful than expected, sparked his focus on security. This practical security journey continued through roles at the Naval Undersea Warfare Center and as an IT consultant focusing on small business and healthcare.

• Entry to Roswell Park:
  A chance succession led Adam to the CISO role at Roswell Park, progressing from security engineer to his current strategic leadership position.

Quote:

"I've always been into computers... got me into like basic programming and just fiddling and tinkering around. It was something I was always interested in."
— Adam Rosen (01:38)

Core Mission and Unique Challenges at Roswell Park (05:57–06:50)

• Integrated Mission:
  Roswell Park’s triple focus on clinical care, research, and education creates a landscape where diverse needs often compete, especially in IT security.

• Balancing Research and Clinical Security:
  Ensuring flexible access for researchers while maintaining strict control over patient health information (PHI) and securing the clinical environment is a unique challenge.

Quote:

"Balancing and enabling the researchers to be flexible and access the services they need while making sure that the phi is secure…the environment is secure, because patient care is number one."
— Adam Rosen (05:57)

Research Data Security and Third Party Risk (06:50–07:58)

• Stakeholder Collaboration:
  Security works closely with legal and privacy teams, vetting third parties and establishing strong contractual controls.

• Beyond Contracts:
  Adam emphasizes that BAAs and cyber insurance mitigate financial impacts but don’t address the core issue if patient privacy is breached.

Quote:

"From a patient privacy perspective, regardless of how much you're going to be reimbursed for it, the records are just as brief. You haven't protected the privacy."
— Adam Rosen (07:22)

Top Priorities: Embedding Risk Conversations into the Business (08:09–12:37)

• Reframing Risk:
  Adam shifted from technical descriptions of risk to collaborative, business-oriented risk conversations.

  • Business stakeholders now help define impact levels for various systems and events.
  • Improved governance with clear risk tolerances and thresholds.

• Mapping Technical to Business Risk:
  Technical findings are linked to about 40 high-level business risks; dashboards visualize how security projects mitigate those risks.

• Concrete Impact:
  Using events like the Change Healthcare and Blackbaud breaches as examples helps communicate risk severity and likelihood.

Quote:

"My team is proficient in determining the likelihood… but we're not the best at determining the impact. And where it scales… So we've been bringing in the business very heavily."
— Adam Rosen (08:25)

Memorable Analogy:

"Instead of us doing a thumb in the earth… we've been bringing in the business very heavily… So that we're all talking the same language when we come back with risk."
— Adam Rosen (08:39)

The Role and Risks of AI in Healthcare (12:37–14:22)

• Adoption and Caution:
  Roswell Park is actively building best practices for AI, covering security, data quality, bias, and legal concerns.

• Due Diligence and Unknowns:
  Policies are emerging, and there’s recognition that known security practices only go so far with AI (e.g., model poisoning resistance).

• Governance:
  Adam notes a formal governance process for AI is "almost" in place — aligning with an industry-wide effort.

Quote:

"We're trying to create best practices around how to use it, and not just from a cyber perspective… data quality perspective, bias perspective, copyright and legal aspects…"
— Adam Rosen (12:47)

Adam’s Early Passion: Gaming and Programming (14:42–17:08)

• Alternative Path:
  If not in security, Adam would pursue game programming, citing a love for solving technical puzzles and creative problem-solving.

• Gaming Nostalgia:
  Favorite games include Zelda 2, Duke Nukem, Descent, and early arcade classics like Tempest and Defender. Also a dedicated D&D wizard.

Quote:

"I missed some of the programming days from my earlier experiences. That was always very rewarding to face a puzzle and get to work it through to completion…"
— Adam Rosen (14:59)

Lessons Learned: Culture and Technical Fragility (17:15–20:54)

On Change Management

• Technical ≠ Organizational Simplicity:
  Culture change required when implementing things like multi-factor authentication; technical ease doesn’t translate to organizational acceptance.

Quote:

"Technically it's easy, but it's culture change… you're just… used to just being in control of it. You turn it on and make it work… but when you're dealing with that large organization… you gotta make sure that the supporting infrastructure is there."
— Adam Rosen (17:27)

On Ecosystem Fragility

• Third Party Dependency:
  Incidents like Kronos, Change Healthcare, and CrowdStrike underscore the interconnected vulnerability of healthcare IT.

• Lesson:
  It’s not enough to review only the obvious risks; even tools meant to protect (like CrowdStrike) can become sources of disruption.

Quote:

"The tool that you have to prevent outages, is the tool that created the outage… you just start having to look at everything with a different lens…"
— Adam Rosen (19:04)

Risk Never Sleeps: Personal Risk Stories (21:02–23:27)

• On Taking Risks:
  Adam shares a humorous story of getting drunk onstage in a theater production, highlighting his more measured approach to risk in professional life.

• Almost Adventurous:
  Details on nearly being airlifted to troubleshoot a submarine — averted, but illustrative of unique, odd risks faced in prior roles.

Personal Picks: Music, Books, and Desert Island Choices (23:45–24:46)

• Books:

  • Ender’s Game
  • Zen and the Art of Motorcycle Maintenance
  • The Matrix (film)

• Music:

  • Jimmy Buffett, Best Of
  • John Butler, "Ocean" (for zen and focus)

Advice for Aspiring Cybersecurity Professionals (24:54–26:32)

• Well-Rounded Experience:
  Adam advocates for broad exposure—programming, networking, administration, and more—to build a foundational understanding of the entire IT and security ecosystem.

• Be Multiclassed:
  Understanding the business and communicating risk effectively is as important as technical depth.

Quote:

"Dabble in a lot of things … That broad view is very valuable."
— Adam Rosen (24:54)

• Host’s Closing Insight:
  "Be a multiclass technical infrastructure and cybersecurity… and understand the business."
  — Ed Gaudet (26:07)

Notable Quotes at a Glance

• "Risk is the intersection of impact and likelihood… We've been bringing in the business very heavily." (Adam Rosen, 08:25)
• "Culture change… that's the hard part—not the technical change, but the buy-in." (Adam Rosen, 17:27)
• "The tool you have to prevent outages is the tool that created the outage." (Adam Rosen, 19:04)
• "Dabble in a lot of things… that broad view is very valuable." (Adam Rosen, 24:54)

Important Timestamps

• 01:23 – Adam’s background and early inspiration
• 05:57 – Unique challenges at Roswell Park
• 06:50 – Managing research data and third-party risk
• 08:09 – Business-driven risk assessment approach
• 12:37 – AI adoption, risk, and governance
• 14:42 – Adam’s passion for gaming; alternate career
• 17:15 – Lessons on technical vs. organizational challenges
• 18:58 – Impact of ecosystem fragility (Kronos, CrowdStrike)
• 21:02 – Personal risky moments
• 23:45 – Desert island books, movies, and music
• 24:54 – Advice for cybersecurity newcomers
• 26:32 – Closing thoughts on well-rounded career skills

This episode is a must-listen for anyone navigating healthcare cybersecurity or aiming to understand why risk—and the strategies to manage it—never truly sleep.