Gary Gooden – Seattle Children’s

Newly hired as CISO of Seattle Children’s in March 2019, Gary Gooden was asked to give the hospital board a 90-day assessment. Members had to be concerned with his observations.

There were shortcomings on the technology front, he reported, and serious catching up to do. He also told them that infotech security should be viewed with a broader lens—Gooden’s IT savvy having evolved from the infrastructure side, he perceived security as not separate from infrastructure. It is infrastructure.

He emphasized how in 2013 a big-box franchise operation was hacked through its heating and cooling systems. Accordingly, his to-do list as newly minted chief information security officer included not only investing in “just-in-time” technologies and firewalls but also assessing every aspect of a building from elevators to HVAC.

His case well stated, the board gave Gooden and his security staff the green light and they’ve used it to good advantage. About three years of progress has been made in around 18 months, he tells Toggle during an October interview, and over a dozen projects are proceeding.

Gooden’s early concerns seem to have been prescient enough because, as has been detailed in numerous news outlets, attempted hacks at medical institutions worldwide have intensified since the outbreak of COVID-19 this past March.

Alarmingly, children’s hospitals seem to have been especially targeted, cyberthieves attempting to exploit the benefits of a dead youngster’s electronic health record for as long as 18 years. The longer the pandemic continues, the more creative the hackers become, and as office workers return to their desks after months of working at home, the phishing attacks intensify.

Spanning the gamut

As is often the case for someone entrusted with the cybersecurity of a sensitive institution or business, Gooden chooses not to detail the safeguards he’s been implementing while overseeing a department of 37 and directly reporting to CIO Zafar Chaudry.

“I’ll just say it spans the gamut to the next generation and includes firewalls, email defense, medical device management, management systems, etc.,” he notes. “We’re constantly pivoting, staying ahead of the curve in terms of technology and practices.”

He’s been aided by vendors that include CrowdStrike and Highmetric.

The former, a cybersecurity technology company based in Sunnyvale, California, has long made a name for itself investigating such high-profile cyber cases as the hacks of Sony Pictures in 2014 and the Democratic National Committee in 2016. CrowdStrike has partnered with Seattle Children’s to take a holistic approach to endpoint security through one of its innovative options known as Falcon Complete.

Many healthcare organizations struggle to implement a comprehensive program due to lack of time, expertise and costs that are too high for most hospitals. Having resolved these issues for other hospitals, CrowdStrike added a team of security experts to handle every aspect of its endpoint security technology and day-to-day management of the platform. This combination of people, processes and technology will bring Children’s to the highest level of endpoint security maturity without the burden of building it themselves.

Based in greater Chicago, Highmetric is a Column Group company that for the past three years has provided strategic guidance and consulting expertise to Seattle Children’s, respective to its identity and access governance program that has leveraged SailPoint’s market-leading IAM software engine.

During this period, Column’s consulting team completed 23 separate SailPoint releases and 167 requests for enhancements and bug fixes. Column’s consulting expertise propelled a dramatic reduction in Seattle Children’s IAM ticket counts and issues, down 46 percent in 2019 and 60 percent in 2020 year to date.

In addition, Column executed a flawless go-live cutover during a highly visible integration to Epic, all while adjusting to multiple leadership level change requests while the process was in flight. Upon completion, Column’s delivery team received the following rave review from a key executive stakeholder: “Column’s work product has been better than what any prior engineer or system integrator has delivered, which has also resulted in faster, cheaper projects that have always been able to meet testing deadlines as scheduled.”

As a result, Column was selected to provide ongoing managed services support for the hospital’s SailPoint environment, as well as a strategic consulting engagement focused on tightening the data security controls within Seattle Children’s ServiceNow program.

Just tech attuned

“I don’t consider myself an expert in anything,” Gooden says. “I’m just technologically attuned.”

So attuned for over a quarter-century, the Jamaican-born Gooden took a shine to the wired world as a graduate student at Saint John’s University-Peter J. Tobin College of Business. Assigned to write a program to support an ongoing project, BASIC and COBOL just clicked for the young man with a chemistry degree from the University of the West Indies.

“One thing just led to another,” he says.

That chain started with Gooden ascending to vice president of studio IT over nearly 14 years with The Walt Disney Co., then a couple of years as director of global infrastructure at Mattel. After two years with Amgen he commenced with blending IT and health care during a 2014 to 2017 stretch at Children’s Hospital Los Angeles, where he rose to CISO and IT director for the Center for Personalized Medicine.

Now in a bigger role in Seattle, Gooden wants his hires to grow as he did. He’s no micromanager, though he recognizes a coachable moment.

“If you work with me, you’ll be stretched and pushed to go forward,” he assures those under his wing. “You’ll be held to a high standard. It’s really hard to compete with the pediatrics mission, the Hippocratic Oath of first doing no harm, and all your patients being kids. It’s a privilege to serve in this capacity.”

And a 24/7 responsibility, especially with so much sensitive information at stake. Gooden has established and continues to establish technology to ensure data protection and the processes are being consummated in a manner seamless to the end user. There’s more security behind the scenes now than the end users are aware of, though they needn’t know all the systems.

At a recent conference, Gooden recalls the question arising as to whether the CISO should report to the CIO or CEO. While most participants said the latter, Gooden felt the answer should be more nuanced.

“Having all the technology resources under one leadership makes more sense,” he told the gathering. “You’re at war with the bad actors.”