Client in lead: Bert Moorlag
Client's role: CISO
How is the information security of a hospital with more than 12,000 employees and thousands of patients arranged? And why does UMCG work with Zerocopter? We asked this - and more - of UMCG CISO Bert Moorlag.
“More than 12,000 people currently work for the UMCG, and they are engaged in one of UMCG’s core tasks: care, research, education and training.”
“It’s all the way at the top since it’s part of UMCG’s strategy, just as the strategic risks that are involved with information security.”
“As CISO I play the role of an independent consultant within the UMCG. The responsibility for information security as a whole lies with the CIO, and together we form the management layer below the Executive Board. In addition, the UMCG has an IT security team with an IT security manager and a Privacy Organization that deals with the privacy side of the information security spectrum.”
Bert Moorlag, CISO at UMCG
“My name is Bert Moorlag. I’m the CISO for UMCG (Universitair Medisch Centrum Groningen). It’s my job to manage information security at UMCG at a strategic and tactical level, in the broadest sense of the word. I started working for UMCG in 2007 and before that, I worked for the Dutch government, for the province of Groningen, as Information Security Manager and manager of several IT teams.”
“Well, what I quickly discovered at UMCG is that everyone here is very much involved in problem-solving and information security in general. This ‘attitude’ was already embedded in the UMCG DNA when I started in 2007 and luckily that hasn’t changed. The only thing I still have to keep an eye on is that everything we do in the field of information security is centrally managed within the organization.”
“It means a lot, and as said before, that makes it very important. First of all, because it’s an integral part of patient care - without data, taking care of patients would be impossible - and we have to be compliant. Secondly, because it helps us realize our targets. For instance, if we don’t use IT in a good and safe way, working at home would be out of the question.”
“Very far, because as you can imagine, there are a lot of digital devices in a hospital and there’s a lot of data to be handled and secured. This means that every (new) data stream, every digital connection must be assessed in order to determine its impact on security and to determine how to use it properly within the organization.”
“Because our field of information security changes quite often, we did a pilot with Zerocopter last year to find out if their methods for continuous online security testing yielded the same or better results than pentesting. After that, at the beginning of this year, we decided to partner up with Zerocopter and we’re now looking into how we can get the most out of the cooperation.”
“So far it is going well and working together is pleasant, to say the least. What I like about Zerocopter is that if something is found and a report is made about one of our systems, they assess the report, they check on, for instance, false positives, and they only share the report with us when it’s really necessary. This prevents us from having to respond to everything.”
Make sure that all security risks have been identified
“Although I’m stating the obvious here, it’s very important nonetheless.”
Make sure that it’s not your risk perspective that is leading, but the perspective of your organization
“From the perspective of information security, we look at information security risks, but if you look at business risks there’s a chance a completely different perspective becomes clear. For example, as a CISO I can say that all the computers in the operating rooms must have a screen saver with a password. From an information security (confidentiality) perspective, this is a good idea, but not from the (availability) perspective of a surgeon, because what happens when those screensavers pop up during surgery? That’s also a business risk, to say the least.”
Leave the responsibility for information security where it belongs, not with the CISO
“This may sound strange from the mouth of a CISO, but information security is a line responsibility, just like Personnel and Finance. So, if a security risk has to be accepted, you have to look at who the risk holder should be. It’s not the CISO, but it could be a Director of Patient Care or a CIO, for example.”