Practice Good Cyber Hygiene

Inova Health System’s CISO Scott Larsen discusses how to protect against breaches in cybersecurity while the world works from home

As the working world moved from cubicle to home office in spring 2020, many workplaces had to make quick adjustments to how their employees work. One of those places was Inova Health System, a nonprofit health organization based in Falls Church, Virginia, outside of Washington, DC.

In mid-March, all administrative Inova employees, as well as many caregivers, moved to working from home—a large portion of the company’s eighteen-thousand-member workforce, which is spread across five different hospitals in Northern Virginia. Like the rest of the world, the hospital system’s use of virtual collaboration tools ramped up as it adopted Zoom to take over as the conference room for every meeting and telemedicine technology to keep frontline workers safe during routine check-ups.

An increase in technology use also brings the potential for a different type of virus: computer hackers and scams. That’s where Scott Larsen comes in. As Inova’s vice president and chief information security officer, Larsen’s main job is to protect the health system from any breaches in technology security and educate his team on how to practice good cyber hygiene.

With more than twenty years of experience working in healthcare cybersecurity, Larsen plays a vital role in ensuring that Inova employees can work from home safely and securely. After obtaining a bachelor’s in business administration, finance, and computer science from Northern Michigan University, he went on to obtain two master’s degrees: an MPA from his alma mater, and an MBA with a focus on cybersecurity from Spring Arbor University, where he now teaches as an adjunct professor.

After graduating with three degrees, Larsen put his skills to the test full force, joining teams at notable healthcare companies like Blue Cross Blue Shield of Michigan and Beaumont Health before moving to Inova full time as CISO in 2018.


While March 2020 was an unpredictable and confusing time for many people, Larsen was prepared to take on the challenge of moving the entire Inova team to their home bases. Initially, much of his advice was the same as usual, like the classic, “Watch out for scams inside unsolicited emails and attachments,” as he notes during an interview with WJR’s podcast Internet Advisor. But as time in quarantine wore on, he adjusted his advice to work more specifically with current issues.

Firstly, Larsen says to avoid using social media for information, and instead rely on government websites for accurate information. Secondly, never pass financial information over email, and keep an eye out for email solicitations about donating to COVID-related things—which will probably look a little phishy.

“I’ve seen people pose as charities asking for donations, but they’re asking for Bitcoin,” Larsen says, laughing. “I don’t know any charities that ask for Bitcoin.”

Without the luxury of corporate security on employees’ laptops, Larsen also provides advice on how to strengthen personal accounts against hacking. “Always use long, strong passwords with uppercase and lowercase letters, as well as special characters,” he advises on the episode. “Also, make sure your company has enough licenses to share its VPN with all your employees.”

Larsen stressed how important this latter point is, explaining that having a healthy, shareable VPN is key to allowing employees to work seamlessly. Of course, more access requires more security. All Inova employees are now required to complete two-factor authentication before logging into its network, which requires the user to confirm their identity by submitting a one-time password sent to their smartphone or email.

Regardless of the way a company goes about strengthening its security, Larsen says it’s important for healthcare security professionals to keep cyberhealth at the forefront of their planning during a time when tech is needed more than ever—especially when a pandemic is at the forefront of many other employees’ brains.

“It’s like when your immune system is weak, and your defenses are down,” Larsen says in a Pew report. “We’re so distracted, and we’re getting caught looking one way, and they’re coming in the other way.”

