Randall Frietzsche – Denver Health Medical Center

The complexities of his high-stakes position notwithstanding, Randall Frietzsche has a refreshing way of reducing what he does to easily understood terms.

“I’ve got a sheepdog mentality,” says the man who insists on being addressed as Fritz, while overseeing cybersecurity for Denver Health Medical Center—a position he’s held since June, after serving in similar roles at Catholic Health Initiatives in Colorado and Kentucky.

“The sheep are there, with the dog to protect them. The dog understands the wolf because he has more in common with the wolf than he does with the sheep. I, too, have to understand my enemy, and that means having more in common with him, though certainly not being him.”

Courtesy of Denver Health

Fritz’s enemy may be far more malicious than any four-legged predator sniffing out vulnerable livestock in the ranches west of the Mile High City. For Fritz’s enemy preys on anyone with some sort of sensitive personal information in the digital world, and that may be most everyone these days.

And the motherlode of that data just might be in a hospital’s record-keeping.  Particularly that of Denver Health, a major teaching hospital and one of the region’s busiest Level I trauma centers, with 525 beds and a network of community and school-based health centers that care for nearly 220,000 patients annually.

Having earned the gold standard of CISSP (Certified Information Systems Security Professional), Fritz is about as well prepared as anyone to lead a seven-member pack in protecting Denver Health’s data.

Cyber-theft always in season

When Fritz spoke to Toggle, it was December and big-box stores were taking every precaution to ensure the sanctity of their databases, some of which had been compromised last year. While Fritz lauds their efforts, he reminds that whatever risk a shopping center faces, it’s exponentially higher in healthcare.

“The value of a health record is so much higher than anything else,” he explains. “If someone steals your credit card, there’s a short time-frame when it’s valuable. The issuer has ways of tracking suspicious charges and will disable the card when red flags pop up. The card’s value may be limited to $1,000 or whatever. But consider what’s in a health record.”

Date of birth and Social Security number for starters—the basic building blocks for identity theft. Also accessible are the patient’s medical history, access to his or her prescriptions, and to next of kin, who may also be targeted. Should the victim of this hacking not be in the best of physical or mental health, the identity theft may go undetected.

Courtesy of Denver Health

Meanwhile, the thieves and folks like Fritz are in a virtual arms race, with both becoming more sophisticated. Experience has taught him that the virtual miscreants can be broken down into four general categories:

• There’s the classic case of the kids in mom’s basement, low-skilled and “noisy” in the sense that when they try to break into a network, they’ll leave some sort of trail. In short, more nuisance than menace.
• A giant step above is the professional penetration tester, a more mature and older sort, trying to get into a network to make a little money, but not affiliated with any gang of cyberthieves.
• The cyberthieves themselves—aka the hacker mafia—well-funded and highly skilled, and making their livelihood through stolen data.
• The top of the cybertheft food chain, the actual agents of a government seeking to crack corporate secrets or garner intelligence on another state. China, with structured cyberbrigades employed by the military, dominates this league, perhaps with Russia just behind.

Scary as that fourth category is—“find one and there are 10 others you don’t know about”—Fritz says those types don’t often target healthcare, unless it’s to get a jump on clinical technology or if a prominent national or international figure is seeking treatment, in which case the hospital has already taken extra precautions. A hospital’s main cyberthreat is the hacker mafia, and neutralizing them takes a team.

Strength in Fritz’s pack

A former deputy sheriff in Indiana, Fritz says the very subject of security itself has always been his passion.

While Fritz’s academic credentials are impressive—high-tech degrees from Harrison College and Western Governors University, as well as completion of a course at the FBI Citizen’s Academy—he says there are two indispensables in his line of work that can be enhanced but not taught: aptitude and attitude. It’s that A&A combo that he looks for in his team, as well as in the students he’s teaching in a Harvard online course. He also taught digital forensics and ethical hacking for five years at Ivy Tech Community College in Indiana.

When told that ethical hacking sounds like an oxymoron, Fritz goes back to the sheepdog analogy.

“An ethical hacker learns the same tools, technology and skills of the hacker,” he explains. “Only he uses it to defend against those who would do harm. We’re better able to defend our organization if we’re able to stand between those who would do us harm. We must be as good in that area as the enemy, without becoming the enemy.”

Denver Health isn’t taking any protective measures that other organizations should be without, he says. The hospital’s data center has a perimeter with points of connections to the internet. Firewalls and intrusion detectors act as high-tech bug zappers in fending off most hacks, and additional defenses are in the network and on desktops to detect potentially malicious behavior.

Courtesy of Denver Health

Among Denver Health’s partners against cybercrime is Boulder-based LogRhythm, a vendor of the next generation of security information and event management (SIEM). Its platform provides the foundation for advanced measures against internal and external breaching.

“In today’s environment a motivated threat actor can circumvent perimeter technology,” explains Matt Winter, LogRhythm’s worldwide marketing director. “A system like LogRhythm can detect behavioral threats from all ends and stop them before they metastasize. Threats are like a cancer, you got to stop them before it’s too late and the data is out the door.”

Fritz won’t go so far as to say the Denver Health system is fail-safe—nothing can be—but is confident in his team of highly motivated, primarily young people, who have never known a non-wired world.

Proud as this alpha male of the Denver Health cyberdefense pack is, he’d like it to be running with more diversity. Hacking, be it ethical or malicious, tends to be male-dominated.

“We’ve a dire need for a woman’s intuition, intelligence and brilliance,” he says.

Provided, of course, they have that aptitude and attitude that knows no particular gender.