9/29/2023
Data Security Innovator: Dan Walsh, CISO at VillageMD
Welcome to our Data Security Innovators series where we talk to CISOs who are navigating the frontiers of security with novel processes and technologies. In this episode, we speak to Dan Walsh, the CISO of VillageMD, a primary care provider network that works with physician groups, independent practice associations, and health systems to provide affordable healthcare.
In this episode we speak to Dan about:
- The unique security challenges faced by a healthcare organization of VillageMD’s growth rate and size.
- How novel security technologies like data lineage are allowing Dan’s team to tackle these challenges head on.
- How Dan has built out his program to face insider risk and data loss, including the stakeholders his team partners with.
- And more!
How does a company growing as quickly as VillageMD think about security?
As a disruptor in the healthcare provider space, VillageMD is often considered one of the fastest-growing companies in medicine. Because of that, the role of security within the organization is to help manage the risks that might come from acquiring hardware and technologies from other practices. Listen to Dan discuss and outline how he thinks about this risk.
What does the healthcare insider threat landscape look like?
In this clip Dan speaks to the risk from insiders within a healthcare organization exposing data, resulting from both accidental and intentional violations of policy, and how important it is for his team to consider these types of risks.
How has cloud migration impacted security enforcement in healthcare?
Dan speaks to how SaaS and cloud applications introduced new environments for data egress within healthcare organizations and how difficult it can be to address this. For example, preventing users from using personal versions of corporate apps (like a personal Dropbox vs. a company-managed Dropbox) can be extremely difficult to enforce, as many tools block egress at the domain level.
Have legacy solutions like CASBs and insider risk management failed to adapt to hybrid environments?
Dan discusses legacy tools like CASBs for data loss prevention and insider risk management, which is another data protection function historically addressed by a separate tool. Both data loss prevention and insider risk, however, are becoming increasingly intertwined in a remote and cloud-first world, which is one key reason why VillageMD has moved away from legacy tools that haven’t considered the transition to cloud very well.
A key limitation that Dan identifies with CASBs is that they require you to build your infrastructure around them. For example, CASBs often rely on admins or users tagging content to help the solution identify sensitive findings. This introduces extra dependencies that can make managing a security program more time-consuming and difficult.
Regarding insider risk management tools, Dan says that a key limitation is that while they may detect data exfiltration, they don’t prevent it, meaning that even when accurate they don’t take action to actually protect data when it’s at risk.
"I think that these tools are dependent on environments or approaches being pretty uniform. I also think that these tools historically have not considered the shift from on-prem to cloud very well."
– Dan Walsh, CISO, VillageMD
How did VillageMD build its DLP program?
Dan talks about the key ingredients that he put in place to build an effective data loss prevention program at VillageMD, including investing in tools that leverage data lineage to provide visibility into how data egresses and is used across your entire organization, and using that information to iterate on your policies.
“Are we able to categorize what was the source of the issue, what was the root cause of the issue, and have those feedback loops in place so we can constantly tune it? Because again, our threat landscape is constantly changing.”
– Dan Walsh, CISO, VillageMD
How does data lineage allow you to identify and manage risk?
With VillageMD being a regulated company, Dan’s team must quickly and effectively respond to data exposure risk. Data lineage, a technology that correlates data classifications with file metadata, is an effective way to see real-time risks to data. This much-needed context allows Dan’s team to understand where data originated, who should have access to it, and other critical determinations that help provide value to the business.
“Data lineage is understanding how the data came into your environment and when it came in, and then how it changed, and where it traveled once it was inside your environment. And then ultimately, and I think where companies struggle the most is how do you think about destroying that data, getting rid of it when it’s no longer needed?”
– Dan Walsh, CISO, VillageMD
How does data lineage improve investigations?
In this clip, Dan speaks to the ability of data lineage to improve investigations into known incidents. For Dan and his team, data lineage not only helps identify risks faster, but also provides value in reporting and explaining risks outside of the security team, which allows other stakeholders to get involved in helping mitigate risk.
“There’s a shift away from simply reporting to enabling transparency. We want to know everything. We want you to be transparent. We don’t want you to hide anything back. Data lineage is a tool in the toolbox that enables organizations to do that.”
– Dan Walsh, CISO, VillageMD
How are the stakeholders involved in VillageMD’s security program?
In this final clip, Dan shares the stakeholders that his team works closely with to address data security and privacy risk and how he coordinates with these groups.
“You have risk executives and reward or revenue executives, which would be like your CEO, your chief revenue officer, things like that. You really wanna make sure that you align with them and that you stick close with them. Because ultimately the role of the CISO is to be a risk advisor to the business.”
– Dan Walsh, CISO, VillageMD
Learn from the industry’s top-notch security innovators
If you enjoyed this recap, make sure you join us for our next installment of the Data Security Innovator series by subscribing to our blog.