Paul VanAmerongen – UW Health

In his 20 years as a chief petty officer in the U.S. Navy—and as the first IT leader for the Pacific Trident submarine fleet—Paul VanAmerongen did everything from troubleshooting the mainframe computers to updating the unit’s networking equipment.

But none of the challenges quite compare to the one in 1999, when he literally wrote the book on security policies for a class of specialized nuclear subs armed with intercontinental ballistic missiles.

Paul VanAmerongen | Chief Information Security Officer | UW Health

After stumbling upon five manuals known as “the green books,” VanAmerongen noticed there were no detailed security policies for the Trident submarines. So he wrote them, condensing content in six-inch thick binders into a 20-page policy.

“Nobody thought it was necessary, but I took the time. Writing everything down, I brought it to my commanding officer, telling him, ‘here are the requirements we need to abide by,’” VanAmerongen recalls. “I took the initiative, had the time, and surprised a few people.”

Making IT work

Now VanAmerongen is in the civilian world, working as a vice president and chief information security officer for UW Health. Working in the Pacific Northwest, he’s also been a manager of information systems and security engineering for Premera Blue Cross; a manager of information security services for MultiCare Heath System; and a director of IT for Harrison Medical Center.

He’s been an expert in cyberlaw at Western Governor’s University, as well, and joined the global consultancy Deloitte as an enterprise risk-services specialist in 2013. As he explains, “it’s all about making sure technical systems are usable and protectable yet can still be accessed by the right people at the right time.”

According to him, the biggest challenge in the security industry is keeping pace with bad actors looking to wreak havoc, as well as staying abreast of technologies evolving at a rapid clip. “Cybersecurity isn’t a project, it’s a program,” VanAmerongen says. “It requires updates and attention to make sure it is fresh and ready when needed.”

Beyond the firewall

To keep up, VanAmerongen says data protection must go beyond encryption and firewalls. For instance, safeguards can’t just be built for computers. They also need to be adapted to phones, tablets, even appliances that are increasingly internet connected.

“How do you make sure you know who you are talking to? It’s hard, especially when people want to access data from anywhere,” VanAmerongen says. “Somehow, somewhere in Russia someone without proper identification is able to access your network. The more you’re on your phone or computer, the more vulnerable you are to being attacked.”

To help organizations under his care, VanAmerongen has established protocols to safeguard data.

He starts with a security assessment of the company’s IT operations by identifying people who can access the network, and which devices are connected. He also notes who has access to sensitive information. The competency of the existing security team, and how well the data stores are protected, are also reviewed.

“We develop a plan based upon what’s working or what isn’t,” VanAmerongen says.

Once a plan is developed, VanAmerongen introduces technologies and protocols, such as cloud-based solutions and auditing procedures.

“We need to understand the security needs and make sure that it works for the people—giving them the access they want with the protections they need,” he says. “The downfall of doing things too quickly is that you might not be able to support what you desire if you haven’t taken the time to consider all angles of each situation.”

Insider’s view

To say VanAmerongen has had plenty of practice with computers would be an understatement. When he was 16, he purchased his first PC—a TRS 80 from Radio Shack.

While in high school, the Albany, New York, native started tinkering with BASIC programming and COBOL, some of the earliest programming languages. His aunt Barbara, a dean of IT at Portland Community College in Oregon, further opened his eyes to the possibilities in the field, which prompted him to earn a degree in computer science from Chapman University in 1994.

“I always liked computers—especially when I saw what they could do,” he says.

As a college student, VanAmerongen took his interest in security further by experimenting with hacking to get into people’s accounts to find usernames and passwords.

“People usually leave a security back door open—which is how you figure out what attackers can find,” he says. “You have to think deviously and defensively like the people that hack into systems so you can stop them.”

Taking it to the next level

Experimenting with computer languages in high school and gaining experience in IT applications in the Navy spurred VanAmerongen to gain a better understanding of systems and applications. Never one to get a degree just for the sake of it, he later earned an MBA from the University of Washington in 2010, preparing him for his next job as director of IT at Harrison Medical Center in 2011.

“There’s always something new to do. The key to my career was learning to evolve and adapt,” he says.

VanAmerongen says there’s no limit for what comes next—there’s always new technology to consider. In health care, technology touches everything from monitoring devices for blood pressure to data and records.

“People would love to have access to your information. It’s up to us to make sure each patient’s data is protected,” he says.

With patient data logged in digitally—from behavioral health records to test results—there’s a risk for it being downloaded and sold in the black market. Having amassed experience and insight into regulatory work, VanAmerongen’s eager to help people across a variety of industries stay protected.

“There will always be a job for me,” he says. “I love learning and care about helping people.

View this feature in the Toggle Summer III 2021 Edition here.