Tarunjeet “T.J.” Mann – Children’s Mercy Kansas City

Anybody still doubt the need for a hospital’s defenses against data theft? Then access the dark web via an anonymizing browser and see what’s for sale.

Among the items most in demand: electronic medical records of babies and small children, some of whom have died. As a bonus to the buyer, chances are at least one parent’s sensitive information will be included.

Small wonder such a package can be quickly sold online for $1,000 to a nefarious sort intent on a years-long spree of submitting false insurance claims, forging prescriptions and racking up expenses on someone’s credit card.

And it might be a bigger wonder why the healthcare industry has traditionally been behind the curve when it comes to information security. Some hospitals still put cybersecurity under the responsibility of infotech leadership, which—according to Mann—may create a conflict of interest. A segregation of duties must be maintained.

“Information security is not a CIO’s job,” says Mann, who recently celebrated his third anniversary as the first chief information security officer at Children’s Mercy Kansas City. “Infotech’s primary goal is to keep systems running for all users. Infosecurity’s goal is to reduce risk to the business and its customers. There’s a conflict if one person wears both hats.”

For that reason and more, he’s content to retain just a CISO hat while being answerable to CIO Chad Mills. It’s a day and night job, Mann says about overseeing online security with a team of 36—a sixfold increase that he inherited—at one of the Midwest’s foremost nonprofit pediatric medical centers and its satellites throughout Missouri and Kansas.

Mission always unaccomplished

The mission never ends, the personable and passionate CISO emphasizes to Toggle this past autumn from the flagship hospital.

Without going into too much detail, Mann explains he’s moving Children’s Mercy from its traditional CISO model to one that’s both user-friendly and fast without compromising cybersecurity. He’s well-immersed in a three- to five-year project, and in 2021 anticipates the foundational stage completed.

“The threat landscape changes every day,” he says, reminding that the cybercriminals inevitably find access to the same next-generation technology harnessed by the good guys. “But we are continuing to make progress every day.”

For breach detection and protective capacity, Mann is leveraging artificial intelligence and behavioral analytics, a fairly new process for revealing insights into the habits of users on e-commerce platforms, web and mobile applications, and the Internet of Things. Thus Children’s Mercy can stay ahead of any vulnerabilities its patients and their families may be exposing themselves to while interacting online. Any suspicious behavior on a user’s computer triggers an automated response—in Mann’s words, “one of our saving graces.”

Then there’s the need to safeguard information garnered by increasingly sophisticated medical devices that can be something of a double-edged sword: While their means to record and store an individual patient’s data is invaluable in diagnosing and treating medical conditions, these devices too, can be hacked.

To mitigate that risk, Children’s Mercy has partnered with Medigate, a Brooklyn company that was among the industry’s first to recognize the need for device security. Medigate having the means to protect and monitor every connected device in a hospital, Mann says it’s been a necessary investment.

He has overseen investments in SOAR software capabilities—Security Orchestration, Automation and Response—to manage and respond to endless security alarms at machine speeds. Risk-based alerting predicated upon MITRE ATT&CK framework also allows the hospital to develop threat models based on threat profiles while reducing false alarms.

“We’re always looking into disruptive technologies,” he says. “This way we don’t just protect data, we help provide better patient care by putting more analytics in the hands of our doctors and nurses.”

An aging HIPAA

It’s also mind-boggling, Mann goes on to say, that the primary law for ensuring the sanctity of medical records is the Health Insurance Portability and Accountability Act—HIPAA—which dates to 1996. The internet still new a quarter-century ago, most record-keeping was on paper. Given how HIPAA hasn’t been revised much, compliance is routine though Mann feels it shouldn’t be.

“Ask any cyberpro and they’ll tell you, you can’t have your security program driven by compliance,” he says. “That’s just checking the boxes.”

Some hospitals just beginning to digitize their data, breaches have been alarmingly common in the healthcare industry, with Mann lamenting how sometimes that’s what it takes to open an administrator’s eyes.

As to how Mann’s eyes opened to the wonders of a digital world, he tells an amusing story of how as a boy growing up in India, he saw “The Terminator.” In one scene, a precocious boy tricks an ATM into spitting out money, causing Mann to think, “I’ve got to learn how to do this!”

So he downloaded some ATM manuals, got a basic understanding of how the machines worked and might have even made failed attempts to tap into some. His better angels eventually prevailing, he turned to computer science for legitimate purposes, earning a degree in infotech from Guru Nanak Dev University in 2004, prior to moving to Michigan after an immigrant uncle there sponsored Mann and his parents.

But a tech position didn’t come right away, Mann instead taking graduate courses at Wright State University while waiting on tables at a restaurant in Dayton, Ohio, where the family had moved and lived in dire poverty. One day, a customer inquired of his status and upon hearing of his tech skills and ambition, asked that he send her his resume.

Months later he interviewed and got his first IT job as a security analyst at LexisNexis. A decade and several jobs later—the last two with Bank of America and PricewaterhouseCoopers—he was recruited to be the first CISO at what is one of the nation’s top 10 children’s hospitals.

“A true immigrant success story,” the now 37-year-old Mann says with pride.