“We were about three people,” Furness says of the cybersecurity team at the time. “Since then, we’ve pulled a lot of people into the organization. We’ve also filled open reqs [requisitions], and we’re now at about thirty cybersecurity staff, which is significant growth over just three years.”
During that same period, Furness has grown into the role of deputy chief information security officer (CISO), all while maintaining risk management oversight and supporting his scaled-up team in executing an array of cyber initiatives. All the more impressive has been his ability to strike a careful balance: securing the business without hindering the top-tier clinical care that distinguishes Children’s as one of the leading pediatric hospitals in the country.
These efforts have not gone unnoticed by the CISO’s partners. “Zach Furness has led Children’s National Hospital [CNH] through an IT security organizational and technological transformation over the past few years. His ability to make informed decisions regarding security policy and governance has both optimized CNH’s ability to protect their patient data and better positioned them against the evolving threat landscape,” says Rick Hannah, account manager at Presidio.
Before landing at Children’s, Furness spent most of his career at MITRE, a research and development nonprofit. “I did a lot of work in networking, simulation, and systems engineering, and that eventually led into cyber,” he explains. “MITRE is where I learned my craft.”
In 2018, Furness left MITRE for Inova Health System, a healthcare provider based out of Northern Virginia. He then connected with Children’s through a contact with whom he had previously worked, who convinced him to come on board in his original capacity as a risk management leader. “I’ve grown from my initial work in risk management as my stature and my career have evolved at Children’s,” he says. “I now have a much greater command of the organization than just risk, which has been very fulfilling.”
The Importance of Cybersecurity Education
Cybersecurity is only as powerful as an organization’s understanding of its basic tenets. “This technology won’t help at all if the end user isn’t practicing what we call cyber hygiene,” Furness confirms. His team promotes good cyber hygiene at Children’s by publishing a monthly newsletter and meeting regularly with clinical leads through InfoSec “rounding.” There’s even a designated hospital emergency code, Code DARK, that instructs staff on how to respond to a cyberattack.
His expanded purview sees Furness handling strategy, budget, and policy matters, along with the collection and reporting of metrics up to hospital executives and the board. He toggles between data security, risk management, and identity and access management duties on a day-to-day basis as well.
“About a year and a half ago, we implemented an entirely new identity and access management system, which is one of the best-in-class systems out there to manage identities,” he says. “We’ve also stepped up our management of third-party risk and made significant strides in hardening our infrastructure. This required not only some spend on new projects, but also some tightening of processes and procedures related to implementing existing technology.”
To lead through those initiatives, Furness has prioritized developing trust with his team members and colleagues. “We’re asking a lot of our staff in terms of implementing change. That’s necessary if we want to grow as an organization, but it often means putting people in uncomfortable situations,” he acknowledges. “We’re trying to find a way to impress upon them these new challenges, while also giving them the safety of knowing that if they make a mistake, they’re not going to be reprimanded for it; they’re going to use it as a learning opportunity. And underlying all of that is trust.”
Beyond having his team’s back when challenges arise, Furness aims to provide best value to the business in everything he does. To that end, he makes a point of engaging with the clinical side of Children’s. He believes that understanding the needs of the business enables his team to arrive at solutions that enhance both operational security and functionality.
On the flip side, he has sought to heighten cyber awareness among clinicians through educational outreach efforts, to ensure that the clinical team is advancing security goals as much as the cyber team is advancing goals around patient safety and overall care.
Although the cybersecurity team has already grown—and grown stronger—during his tenure, for Furness the work of reducing risk and increasing security at Children’s is never done. “Like any hospital system, we have new risks that pop up every day. We need to make sure that we’re being diligent in closing those out, without interrupting the business,” he says. “Instead of just waiting for an event or an incident to happen, we need to be proactive in recognizing what risks can occur that could lead to an incident, and let’s tamp those down.”
In addition to being more proactive than reactive, Furness plans to continue striving toward the ideal of frictionless information security moving forward. “We don’t want to encumber the business by putting so many hurdles in place that they can’t do their job,” he emphasizes. “We could become the most secure organization in the world, but if doctors can’t treat patients, we’re simply not going to be effective.”