From the "Department of No" to a "Culture of Yes": A Healthcare CISO's Journey to Enabling Modern Care
May 30, 2025The Hacker NewsHealthcare / Zero Trust
Breaking Out of the Security Mosh Pit
When Jason Elrod, CISO of MultiCare Health System, describes legacy healthcare IT environments, he doesn't mince words: "Healthcare loves to walk backwards into the future. And this is how we got here, because there are a lot of things that we could have prepared for that we didn't, because we were so concentrated on where we were."
This chaotic approach has characterized healthcare IT for decades. In a sector where lives depend on technology working flawlessly 24/7/365, security teams have traditionally functioned as gatekeepers—the "Department of No"—focused on protection at the expense of innovation and care delivery.
But as healthcare continues its digital transformation journey, this approach is no longer sustainable. With 14 hospitals, hundreds of urgent care clinics, and nearly 30,000 employees serving millions of patients, MultiCare needed a different path forward – one that didn't sacrifice innovation for safety. That shift began with a mindset change at the top that was driven by years of experience navigating these exact tensions.
Jason Elrod's View: The Healthcare Security Conundrum
After 15+ years as a healthcare CISO, Elrod has a unique perspective on the security challenges facing healthcare organizations. According to him, healthcare's specific operational realities create security dilemmas unlike any other industry:
Always-on operations: "When can you take it down? When can you stop everything and upgrade it?" asks Elrod. Unlike other industries, healthcare operates 24/7/365 with little room for downtime.
Life-or-death access requirements: "We have to make sure all the information they need is available when they need it, with the minimum amount of friction possible. Because it's me, it's you, it's our communities, it's our loved ones, it's life or death."
Expanding attack surface: With the shift to telemedicine, remote work, and connected medical devices, the threat landscape has expanded dramatically. "It's like a bowl of spaghetti where each strand needs to be able to talk to one end or the other, but just to the strands it needs to."
Misaligned incentives: "IT historically has been concentrated on availability and speed and access, ubiquitous access… And security says, 'That's a fantastic Lego car you built. Before you can go outside and play with it, I'm going to stick a bunch more Legos on top of it called security, privacy, and compliance.'"
It's a recipe for burnout, blame, and breakdowns. But what if security could enable care instead of obstructing it?
Watch how MultiCare turned that possibility into practice in the Elisity Microsegmentation Platform case study with Jason Elrod, CISO, MultiCare Health System.
Identity: The Key to Modern Healthcare Security
The breakthrough for MultiCare came with the implementation of identity-based microsegmentation through Elisity.
"The biggest attack surface is the identity of every individual," notes Elrod. "Why are the attacks always on identity? Because in healthcare, we must make sure all the information is available when they need it, with the minimum amount of friction possible."
Traditional network segmentation approaches relied on complex VLANs, firewalls, and endpoint agents. The result? "A Byzantine spaghetti mess" that became increasingly difficult to manage and update.
Elisity's approach changed this paradigm by focusing on identity rather than network location:
Dynamic security policies that follow users, workloads, and devices wherever they appear on the network
Granular access controls that create security perimeters around individual assets
Policy enforcement points that leverage existing infrastructure to implement microsegmentation without requiring new hardware, agents, or complex network reconfigurations
From Skepticism to Transformation
When Elrod first introduced Elisity to his team, they responded with healthy skepticism. "They're like, 'Did you hit your head? Are you sure you read what you were saying? I thought you stopped drinking,'" Elrod recalls.
The technical teams were doubtful that such a microsegmentation solution could work with their existing infrastructure. "They said, 'That doesn't sound like something that can be done,'" shares Elrod.
But seeing was believing. "When you see people who are deeply technical, people who just know their craft really well, and they see something and go 'Wow'… it shakes the pillars of their opinions about what can be done," explains Elrod.
The Elisity solution delivered on its promises:
Rapid implementation without disruptive network changes
Real-time automated or manual policy adjustments that previously took weeks to implement
Comprehensive visibility across previously siloed environments
Enhanced security posture without compromising availability
...all without forcing a tradeoff between protection and performance.
But what surprised Elrod most wasn't just what the technology did, but how it changed the people using it.Breaking Down Walls Between Teams
Perhaps the most unexpected benefit was how the solution transformed relationships between teams.
"There's been a friction point. Put this control and constraint around the network. Who's the first person to call? They're going to call IT. 'I can't do this thing.' And I'm saying, 'Well, you can't open everything, because everybody can't have everything. Because the bad guys will have everything then,'" Elrod explains.
Identity-based microsegmentation changed this dynamic:
"It changed from 'How do I get around you?' and 'How do you get around me?' to cooperation. Because now it's like, 'Oh, well, let's make that change together.' It shifted culturally, and this was not something I expected… We really are on the same team. This is a solution that works for all of us, makes all of our jobs better, Security and IT. It is a force multiplier across the organization," says Elrod.
With Elisity, security and IT teams now share incentives rather than competing priorities. "The same thing that allows me to make connectivity work between this area and here in a frictionless fashion is also the same exact thing that provides the rationalized security around it. Same tool, same dashboard, same team," Elrod notes.
Enabling a Culture of Yes
For healthcare providers, the impact is profound. "If they don't have to worry about access, don't have to worry about the controls, they can take the cognitive load of thinking and worrying about the compliance factors of it, the security, the privacy, the technology underlying the table that they're working on," says Elrod.
This shift enables a fundamental change in how security interacts with clinical staff:
Speed of delivery: "We can do that at the speed of need as opposed to the speed of bureaucracy, the speed of technology, the speed of legacy," explains Elrod.
Granular control: "How would you like your own segment on the network, wherever you may roam? I can base it on your identity, wherever you're at," Elrod shares.
Enhanced trust: "Being able to instill that confidence that, 'Hey, it's secure, it's stable, it's scalable, it's functional, we can support it. And we can move at the pace that you want to move at.'"
Breaking Down Silos: The Business Imperative of Security-IT Integration
The traditional separation between security and IT operations teams is rapidly becoming obsolete as organizations recognize the strategic advantages of integration. Recent research demonstrates compelling business benefits for enterprises that successfully bridge this divide, particularly for those in manufacturing, industrial, and healthcare sectors.
According to Skybox Security, 76% of organizations believe miscommunication between network and security teams has negatively impacted their security posture. This disconnect creates tangible security risks and operational inefficiencies. Conversely, organizations with unified security and IT operations reported 30% fewer significant security incidents compared to those with siloed teams.
For healthcare organizations, the stakes are even higher. Among healthcare institutions that experienced ransomware attacks, those with siloed security and IT operations reported a 28% increase in patient mortality rates in 2024, up from 23% in 2023. This stark reality underscores that cybersecurity integration isn't just an operational consideration—it's a patient safety imperative.
The financial case for integration is equally compelling. A Forrester Total Economic Impact study on ServiceNow Security Operations solutions demonstrated a 238% ROI and million in present value benefits, with a 6-month payback period when integrating security and IT operations.
Forward-thinking organizations are adopting sophisticated integration models like Cyber Fusion Centers. Gartner research confirms these represent a significant advancement over traditional security operations, predicting that by 2028, 20% of large enterprises will shift to cyber-fraud fusion teams to combat internal and external adversaries, up from less than 5% in 2023.
For enterprise leaders, the message is clear: breaking down operational silos between security and IT teams isn't just good practice—it's essential for comprehensive protection, operational efficiency, and competitive advantage in today's threat landscape. Few understand that better than Elrod, who's spent decades trying to bridge this gap both technologically and culturally.
The Bridge to Modern Healthcare
For Elrod, identity-based microsegmentation represents more than just a technology solution—it's a bridge between where healthcare has been and where it needs to go.
"Technology in the past wasn't bought because it was crappy… They were great. Good intention. They did what they needed to do at the time. But there's a lot of temporal distance between now and when that made sense," he explains.
Elisity helps MultiCare "build that bridge from where we have been to where we need to go… It's a ladder out of the pit. This is great. Let's stop throwing things in there. Let's actually do things in a rational fashion," says Elrod.
Looking Ahead
While no single solution can address all of healthcare's security challenges, identity-based microsegmentation is "one of the bricks on the yellow brick road to making healthcare security and technology the culture of Yes," according to Elrod.
As healthcare organizations continue to balance security requirements with the need for frictionless care delivery, solutions that align these competing priorities will become increasingly essential.
By implementing identity-based microsegmentation, MultiCare has transformed security from a barrier to an enabler of modern healthcare—proving that with the right approach, it's possible to create a culture where "yes" is the default response without compromising security or compliance.
Ready to escape your own security "mosh pit" and build a bridge to modern healthcare? Download Elisity's Microsegmentation Buyer's Guide 2025. This resource equips healthcare security leaders with evaluation criteria, implementation strategies, and ROI frameworks that have helped organizations like MultiCare transform from the "Department of No" to a "Culture of Yes." Begin your journey toward identity-based security today. To learn more about Elisity and how we help transform healthcare organizations like MultiCare, visit our website here.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
SHARE
#quotdepartment #noquot #quotculture #yesquot #healthcareFrom the "Department of No" to a "Culture of Yes": A Healthcare CISO's Journey to Enabling Modern Care
May 30, 2025The Hacker NewsHealthcare / Zero Trust
Breaking Out of the Security Mosh Pit
When Jason Elrod, CISO of MultiCare Health System, describes legacy healthcare IT environments, he doesn't mince words: "Healthcare loves to walk backwards into the future. And this is how we got here, because there are a lot of things that we could have prepared for that we didn't, because we were so concentrated on where we were."
This chaotic approach has characterized healthcare IT for decades. In a sector where lives depend on technology working flawlessly 24/7/365, security teams have traditionally functioned as gatekeepers—the "Department of No"—focused on protection at the expense of innovation and care delivery.
But as healthcare continues its digital transformation journey, this approach is no longer sustainable. With 14 hospitals, hundreds of urgent care clinics, and nearly 30,000 employees serving millions of patients, MultiCare needed a different path forward – one that didn't sacrifice innovation for safety. That shift began with a mindset change at the top that was driven by years of experience navigating these exact tensions.
Jason Elrod's View: The Healthcare Security Conundrum
After 15+ years as a healthcare CISO, Elrod has a unique perspective on the security challenges facing healthcare organizations. According to him, healthcare's specific operational realities create security dilemmas unlike any other industry:
Always-on operations: "When can you take it down? When can you stop everything and upgrade it?" asks Elrod. Unlike other industries, healthcare operates 24/7/365 with little room for downtime.
Life-or-death access requirements: "We have to make sure all the information they need is available when they need it, with the minimum amount of friction possible. Because it's me, it's you, it's our communities, it's our loved ones, it's life or death."
Expanding attack surface: With the shift to telemedicine, remote work, and connected medical devices, the threat landscape has expanded dramatically. "It's like a bowl of spaghetti where each strand needs to be able to talk to one end or the other, but just to the strands it needs to."
Misaligned incentives: "IT historically has been concentrated on availability and speed and access, ubiquitous access… And security says, 'That's a fantastic Lego car you built. Before you can go outside and play with it, I'm going to stick a bunch more Legos on top of it called security, privacy, and compliance.'"
It's a recipe for burnout, blame, and breakdowns. But what if security could enable care instead of obstructing it?
Watch how MultiCare turned that possibility into practice in the Elisity Microsegmentation Platform case study with Jason Elrod, CISO, MultiCare Health System.
Identity: The Key to Modern Healthcare Security
The breakthrough for MultiCare came with the implementation of identity-based microsegmentation through Elisity.
"The biggest attack surface is the identity of every individual," notes Elrod. "Why are the attacks always on identity? Because in healthcare, we must make sure all the information is available when they need it, with the minimum amount of friction possible."
Traditional network segmentation approaches relied on complex VLANs, firewalls, and endpoint agents. The result? "A Byzantine spaghetti mess" that became increasingly difficult to manage and update.
Elisity's approach changed this paradigm by focusing on identity rather than network location:
Dynamic security policies that follow users, workloads, and devices wherever they appear on the network
Granular access controls that create security perimeters around individual assets
Policy enforcement points that leverage existing infrastructure to implement microsegmentation without requiring new hardware, agents, or complex network reconfigurations
From Skepticism to Transformation
When Elrod first introduced Elisity to his team, they responded with healthy skepticism. "They're like, 'Did you hit your head? Are you sure you read what you were saying? I thought you stopped drinking,'" Elrod recalls.
The technical teams were doubtful that such a microsegmentation solution could work with their existing infrastructure. "They said, 'That doesn't sound like something that can be done,'" shares Elrod.
But seeing was believing. "When you see people who are deeply technical, people who just know their craft really well, and they see something and go 'Wow'… it shakes the pillars of their opinions about what can be done," explains Elrod.
The Elisity solution delivered on its promises:
Rapid implementation without disruptive network changes
Real-time automated or manual policy adjustments that previously took weeks to implement
Comprehensive visibility across previously siloed environments
Enhanced security posture without compromising availability
...all without forcing a tradeoff between protection and performance.
But what surprised Elrod most wasn't just what the technology did, but how it changed the people using it.Breaking Down Walls Between Teams
Perhaps the most unexpected benefit was how the solution transformed relationships between teams.
"There's been a friction point. Put this control and constraint around the network. Who's the first person to call? They're going to call IT. 'I can't do this thing.' And I'm saying, 'Well, you can't open everything, because everybody can't have everything. Because the bad guys will have everything then,'" Elrod explains.
Identity-based microsegmentation changed this dynamic:
"It changed from 'How do I get around you?' and 'How do you get around me?' to cooperation. Because now it's like, 'Oh, well, let's make that change together.' It shifted culturally, and this was not something I expected… We really are on the same team. This is a solution that works for all of us, makes all of our jobs better, Security and IT. It is a force multiplier across the organization," says Elrod.
With Elisity, security and IT teams now share incentives rather than competing priorities. "The same thing that allows me to make connectivity work between this area and here in a frictionless fashion is also the same exact thing that provides the rationalized security around it. Same tool, same dashboard, same team," Elrod notes.
Enabling a Culture of Yes
For healthcare providers, the impact is profound. "If they don't have to worry about access, don't have to worry about the controls, they can take the cognitive load of thinking and worrying about the compliance factors of it, the security, the privacy, the technology underlying the table that they're working on," says Elrod.
This shift enables a fundamental change in how security interacts with clinical staff:
Speed of delivery: "We can do that at the speed of need as opposed to the speed of bureaucracy, the speed of technology, the speed of legacy," explains Elrod.
Granular control: "How would you like your own segment on the network, wherever you may roam? I can base it on your identity, wherever you're at," Elrod shares.
Enhanced trust: "Being able to instill that confidence that, 'Hey, it's secure, it's stable, it's scalable, it's functional, we can support it. And we can move at the pace that you want to move at.'"
Breaking Down Silos: The Business Imperative of Security-IT Integration
The traditional separation between security and IT operations teams is rapidly becoming obsolete as organizations recognize the strategic advantages of integration. Recent research demonstrates compelling business benefits for enterprises that successfully bridge this divide, particularly for those in manufacturing, industrial, and healthcare sectors.
According to Skybox Security, 76% of organizations believe miscommunication between network and security teams has negatively impacted their security posture. This disconnect creates tangible security risks and operational inefficiencies. Conversely, organizations with unified security and IT operations reported 30% fewer significant security incidents compared to those with siloed teams.
For healthcare organizations, the stakes are even higher. Among healthcare institutions that experienced ransomware attacks, those with siloed security and IT operations reported a 28% increase in patient mortality rates in 2024, up from 23% in 2023. This stark reality underscores that cybersecurity integration isn't just an operational consideration—it's a patient safety imperative.
The financial case for integration is equally compelling. A Forrester Total Economic Impact study on ServiceNow Security Operations solutions demonstrated a 238% ROI and million in present value benefits, with a 6-month payback period when integrating security and IT operations.
Forward-thinking organizations are adopting sophisticated integration models like Cyber Fusion Centers. Gartner research confirms these represent a significant advancement over traditional security operations, predicting that by 2028, 20% of large enterprises will shift to cyber-fraud fusion teams to combat internal and external adversaries, up from less than 5% in 2023.
For enterprise leaders, the message is clear: breaking down operational silos between security and IT teams isn't just good practice—it's essential for comprehensive protection, operational efficiency, and competitive advantage in today's threat landscape. Few understand that better than Elrod, who's spent decades trying to bridge this gap both technologically and culturally.
The Bridge to Modern Healthcare
For Elrod, identity-based microsegmentation represents more than just a technology solution—it's a bridge between where healthcare has been and where it needs to go.
"Technology in the past wasn't bought because it was crappy… They were great. Good intention. They did what they needed to do at the time. But there's a lot of temporal distance between now and when that made sense," he explains.
Elisity helps MultiCare "build that bridge from where we have been to where we need to go… It's a ladder out of the pit. This is great. Let's stop throwing things in there. Let's actually do things in a rational fashion," says Elrod.
Looking Ahead
While no single solution can address all of healthcare's security challenges, identity-based microsegmentation is "one of the bricks on the yellow brick road to making healthcare security and technology the culture of Yes," according to Elrod.
As healthcare organizations continue to balance security requirements with the need for frictionless care delivery, solutions that align these competing priorities will become increasingly essential.
By implementing identity-based microsegmentation, MultiCare has transformed security from a barrier to an enabler of modern healthcare—proving that with the right approach, it's possible to create a culture where "yes" is the default response without compromising security or compliance.
Ready to escape your own security "mosh pit" and build a bridge to modern healthcare? Download Elisity's Microsegmentation Buyer's Guide 2025. This resource equips healthcare security leaders with evaluation criteria, implementation strategies, and ROI frameworks that have helped organizations like MultiCare transform from the "Department of No" to a "Culture of Yes." Begin your journey toward identity-based security today. To learn more about Elisity and how we help transform healthcare organizations like MultiCare, visit our website here.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
SHARE
#quotdepartment #noquot #quotculture #yesquot #healthcare
English
Arabic
French
Spanish
Portuguese
Deutsch
Turkish
Dutch
Italiano
Russian
Romaian
Portuguese (Brazil)
Greek
