Omada Health CISO Bill Dougherty reveals how enterprise browsers simplify IT, enhance security, and reduce costs in healthcare. Discover how data-driven insights and strategic consolidation optimize operations and improve user experience.
Healthcare organizations face unique challenges in protecting sensitive patient data while delivering efficient and accessible care. In CXOTalk episode 839, we explore these challenges with Bill Dougherty, Chief Information Security Officer of Omada Health, a virtual-first healthcare company specializing in chronic disease prevention and management.
Dougherty discusses Omada Health's approach to security, emphasizing the importance of building trust with patients and integrating security into the company's brand identity. He also shares insights into how the organization leverages technology to enhance security, optimize operations, and cut costs by 50 percent through the Island enterprise browser, which simplifies IT management and provides a consistent user experience.
Episode Highlights
Embrace Security as a Brand Differentiator
- Prioritize trust: Building trust with customers and partners is crucial in healthcare due to the sensitive nature of data. Integrate security into your brand identity to demonstrate commitment to data protection.
- Make security a core value: Foster a culture of security awareness throughout the organization, from leadership to individual contributors. Encourage open communication about security risks and best practices.
Navigate the Complexities of Healthcare Regulations
- Invest in compliance expertise: Healthcare regulations are intricate and constantly evolving. Build a team with deep knowledge of HIPAA, GDPR, and other relevant regulations to ensure compliance and avoid costly penalties.
- Streamline vendor management: Implement robust third-party risk management processes to assess the security posture of vendors handling sensitive data. Negotiate strong data protection agreements and conduct regular audits.
Leverage Threat Modeling for Proactive Risk Management
- Adopt a tailored threat model: Develop or adapt a threat model specific to your organization's unique needs and regulatory environment. Consider factors like data sensitivity, system criticality, and potential attack vectors.
- Integrate threat modeling into workflows: Incorporate threat modeling into the development lifecycle, vendor selection process, and ongoing risk assessments. This proactive approach helps identify and mitigate potential threats before they materialize.
Optimize Security and User Experience with Enterprise Browsers
- Consolidate and control: Transition from managing multiple consumer browsers to a single, purpose-built enterprise browser. This simplifies IT administration, reduces security risks associated with browser extensions, and provides a consistent user experience.
- Centralize policy enforcement: Leverage the enterprise browser as a central point of control for security policies and access management. Integrate with your identity provider (IDP) to enforce multi-factor authentication and ensure secure access to applications.
Drive Efficiency and Cost Savings Through Consolidation
- Identify redundant tools: Regularly assess your software portfolio and identify opportunities to consolidate overlapping tools and eliminate underutilized applications. Leverage usage data from your enterprise browser and other sources to inform decisions.
- Evaluate cost-saving alternatives: Explore solutions that offer multiple functionalities within a single platform. This reduces licensing costs, streamlines vendor management, and simplifies operations, leading to greater efficiency and cost savings.
Key Takeaways
Security as a Brand Differentiator in Healthcare
Bill Dougherty highlights the unique challenge of building trust in digital healthcare, where patient data privacy is paramount. He emphasizes that Omada Health views security not just as a technical necessity but as a core element of its brand identity. This approach is particularly important in healthcare because trust directly impacts patient engagement and health outcomes. Building a strong security posture and communicating it effectively can therefore be a key differentiator in the market.
Enterprise Browsers: Simplifying Security and User Experience
Dougherty advocates for the adoption of enterprise browsers as a means to simplify IT management and enhance security. By consolidating multiple consumer browsers into a single, controlled environment, Omada Health reduces security risks associated with managing different platforms and extensions. Additionally, the enterprise browser provides a consistent user experience across the organization, addressing challenges related to browser inconsistencies and user preferences.
Data-Driven Cost Optimization through Consolidation
Omada Health leverages its enterprise browser to gain insights into software usage, enabling strategic decisions about tool consolidation and license management. By identifying underutilized applications and overlapping functionalities, the company has achieved significant cost savings and improved operational efficiency. This data-driven approach allows for continuous evaluation and optimization of the IT landscape, ensuring that technology investments align with actual usage and business needs.
Episode participants
Bill Dougherty is CISO of Omada Health. He has over 20 years of experience protecting and overseeing information security, information technology (IT) operations, and managed services for a host of technology companies. A self-proclaimed “tech geek,” he helped lead Omada through its hyper-growth phase by shaping all aspects of internal IT, end-user support, vendor management, operational security and compliance.
Michael Krigsman is an industry analyst and publisher of CXOTalk. For three decades, he has advised enterprise technology companies on market messaging and positioning strategy. He has written over 1,000 blogs on leadership and digital transformation and created almost 1,000 video interviews with the world’s top business leaders on these topics. His work has been referenced in the media over 1,000 times and in over 50 books. He has presented and moderated panels at numerous industry events around the world.
Transcript
Michael Krigsman: We're discussing security in digital healthcare with Bill Dougherty, Chief Information Security Officer of Omada Health. His focus is on the enterprise browser, how that simplifies his IT landscape, reduces costs, and makes life easier for end users.
Bill, tell us about Omada Health and tell us about your work.
Bill Dougherty: Omada Health is a digital healthcare company. We specialize in the prevention and treatment of cardiometabolic diseases, so primarily type II diabetes and hypertension.
We do this digitally, so we have a series of smartphone apps, connected devices like cellular connected scales, glucometers, blood pressure devices, and we deliver all of our services over the Internet.
On the back side, we have a team of care delivery specialists, coaches that are providing personalized care to people to help them better manage their chronic diseases.
Michael Krigsman: Bill, Omada refers to itself as a virtual-first healthcare organization. Tell us about that.
Bill Dougherty: Unlike traditional brick-and-mortar healthcare, there's no facility you come to. We're delivering our program over the Internet through a smartphone application and, on the backside, we've got hundreds of coaches and specialists that are there providing a personalized experience to help people manage their diseases.
Michael Krigsman: You are Chief Information Security Officer. Tell us about that role and why it's so crucial for Omada Health.
Bill Dougherty: Healthcare, as you know, is highly regulated. We're dealing with members' most sensitive information.
As the CISO, I'm responsible for all of our enterprise security, protecting that member data on a daily basis. I also run our internal IT, so I'm responsible for choosing and managing the general IT systems that all of our employees use.
Michael Krigsman: It's interesting that you're CISO. You're also playing the role of chief information officer, effectively.
Bill Dougherty: That's correct. I think that that is an important trend we're seeing in a lot of companies. If you are the CISO but you have no responsibility for the actual systems, then you really don't bear the impact of the decisions you make.
Part of my role is to empower all of our employees and do it in a safe way. When I choose a new security solution, I have to not only worry about how is that going to reduce our risk but how is it going to impact the user experience of all of our employees.
Michael Krigsman: What I find fascinating is Omada Health is a virtual-first healthcare organization and, at the same time, it seems that you are a security-first organization as well (just given the structure of your role as CISO and CIO).
Bill Dougherty: When I joined the company 7.5 years ago, one of my personal missions was to make security part of our brand.
The foundation of all healthcare is trust. If you don't trust your doctor, you won't take their advice.
If our members don't trust that we are good stewards of their data, and our customers don't trust that we're good stewards of their data, they won't do business with us. And bad security becomes a blocker to people getting a good health outcome.
Michael Krigsman: Can you describe briefly what are some of the security challenges that are unique to healthcare?
Bill Dougherty: I always say that healthcare is harder than any other job I've ever done because it's highly regulated. You're dealing with people's most sensitive information, so there are a lot of rules that are very complicated that you have to navigate through.
Things that would be easy at other companies become much harder. Something as simple as negotiating a SaaS agreement becomes much more difficult in a healthcare setting because you have to worry about not only the general business terms but is the other provider capable of managing health information securely.
Michael Krigsman: Bill, you authored a security threat model called "INCLUDES NO DIRT."
Bill Dougherty: Four or five years ago, my head of compliance and I, we decided we wanted to start doing threat modeling internally for the company. Threat modeling really is just a way of repeatedly assessing the risk of any system.
What we found was there wasn't a good threat model for healthcare and, specifically, digital healthcare. Because, in healthcare, we have to balance the needs of security with privacy and compliance, sometimes those needs conflict with each other.
There are some systems we have where we must have non-repudiation. We must absolutely know who did what, when. There are other systems where anonymity is actually more important than non-repudiation.
We set out to create a threat model that would balance the needs of privacy, compliance, and security. INCLUDES NO DIRT is an acronym. We use it any time we go look at a new vendor. We use it when our engineering teams are proposing a new product feature.
We can use it kind of generally for any IT system, and it systematically makes sure that we've gone through and checked the boxes for:
- Do we know how we are logging data?
- Do we know how we're authenticating users?
- Do we know where the data will be stored and if it will be encrypted? And if so, how?
Michael Krigsman: Bill, how do security controls influence the threat model?
Bill Dougherty: We look at the controls we already have in place. And if the new system adopts those controls, we can move on faster.
As an example, we use multifactor authentication. If the new system is going to adopt our existing IDP, then we don't have to dig any deeper into how those controls will play. We can use that and move on, which means we can complete a threat model in less than 15 minutes on a system that is adopting all of our controls.
When I look at my control environment (and I'm looking at authentication, I'm looking at secure browsing, I'm looking at network controls), what I'm really looking for is, does the new thing adopt the controls we already have? If so, don't reinvent the wheel.
Michael Krigsman: Bill, you used the term "IDP." For our viewers who don't know, what is that?
Bill Dougherty: IDP is an identity provider. Because we are a SaaS-first, SaaS-only company, we use a SaaS-based identity provider that does authentication, enforces multifactor, and allows us to apply policies at the point of authentication.
Michael Krigsman: Bill, Omada is a SaaS-first, SaaS-only organization. How does that affect your security policies, your security posture, governance, and so forth?
Bill Dougherty: It simplifies many aspects of my life. I don't have a physical server that I need to go manage or administer.
It simplified our life during the pandemic because our business continuity plan was essentially to send everybody home because any task you could complete in our office, you could complete out of your house.
It also has a lot of challenges. The biggest challenge from a security perspective is I now have to trust all of those vendors, and so their security becomes my security. It increases the burden we put on our third-party risk management processes.
Michael Krigsman: All work then is essentially conducted through the browser.
Bill Dougherty: That is true both for the SaaS products we buy as well as our own internal tools that we develop. The browser is a very important point of control for me.
Michael Krigsman: Working exclusively through the browser simplifies life. At the same time, it adds complexities and security risks. Can you talk about those risks and the challenges of being a browser-based, SaaS-first company?
Bill Dougherty: I'm always cautious about the browser because I don't believe that most browsers were actually built for an enterprise-class security regime. They're really built to enable the consumer.
The browser can be a hard thing to manage, especially if you have a lot of them. We have seen it in the past where we're supporting multiple browsers on multiple machines.
It's very hard to control all of those permutations and things like managing browser extensions, which are really just other code running on that endpoint. Knowing where data is flowing in and out has been a significant challenge when dealing in a SaaS-first world.
Michael Krigsman: Working with multiple browsers then introduces a variety of security risks. There are also user experience inconsistencies because every browser is ultimately different.
Bill Dougherty: Absolutely. Before we adopted an enterprise browser, we were managing three to five different browsers on Macs and three to five different browsers on PCs. So, that's eight different permutations with a different user experience in each of them.
They're hard to patch. They're hard to keep consistent. And we would get support calls where a user was trying to do something and the ultimate result was that it was a browser inconsistency. And so, we needed to point them back to a different browser.
One thing I've learned over the last couple of years is that the browser is a surprisingly personal thing for end users. They will latch onto one browser of choice, and they really like it.
Going through a journey of trying to create some better consolidation, a more consistent user experience, and improve security, we had to take that into account; the browser is very, very personal. But when you have a wide permutation of them, they're very hard to manage.
Michael Krigsman: Bill, you used the term "enterprise browser." Tell us about that.
Bill Dougherty: To me, an enterprise browser is a single, consistent, purpose-built browser with built-in security functions. And it's something that is easy to deploy and easy to manage. Instead of being a point of vulnerability and a point of support calls, it's really a point of better user experience and better control for my users and my IT and security staff.
Really, the browser is my point of control and it is my point of policy enforcement. An enterprise browser gives us the ability to push policies down, get visibility into what end users are doing, and provide better security and control over that endpoint than what we would get out of the natively installed browsers that come with our endpoints.
Michael Krigsman: Bill, you've described the enterprise browser, and you've spoken about the security challenges associated with consumer browsers. You're working closely with Island. What are you doing with Island?
Bill Dougherty: Island is our enterprise browser of choice.
Last year, one of my security engineers, he was facing this problem of trying to keep browsers patched. We have lots of obligations, lots of audits where we're trying to figure out are we patching our endpoints regularly. He was also trying to get some control over browser extensions, and browser extensions are something that are the bane of everybody's existence.
He was at RSA, and he was looking around at the various booths. He talked to Island, and he was really impressed. He was so impressed that he came back and said, "We have to do this. This is our thing."
I was a little bit skeptical. I was skeptical for a bunch of reasons. First of all, in my mind, it was just another browser, and so we had to figure out how we would enforce this.
I was also skeptical because it was not on our 2023 roadmap. It was not in my budget, so I needed to figure out how I was going to pay for this wonderful new security tool.
He introduced me to Island, we had a bunch of meetings, and I came away very impressed. The reason I came away impressed was I saw a couple of things.
One is it would give me new superpowers in the browser, so it would give us a better way of pushing security control and policy down.
The second was it consolidated a bunch of tools, and so it let us replace some tools we didn't like.
We had an observability tool that we didn't like. It wasn't doing the job. It was very expensive.
The third was it would let us push out new features to our end users.
We used a password manager internally that we really didn't like, but we only used it for about 5% of our users because it was expensive. Island had that built natively into the browser.
They brought executive support to the first set of conversations. And it was clear that they wanted a healthcare partner but also that they understood what it meant to do business with a healthcare company.
And so, we went through a very, very quick set of negotiations with them. And around the end of June last year, we started working with them.
Michael Krigsman: Bill, it sounds like all of this is a goal to simplify your IT landscape while at the same time reducing costs, and there are user experience benefits as well (that you described earlier).
Bill Dougherty: That's correct. Every year, we assess our enterprise risk and we look for ways to improve our security regime. We're also, like everybody, looking for ways to cut costs. The world changed on us a couple of years ago, and we've had to get far leaner, far more efficient. And we want to improve the user experience.
You've got three things that are in tension with each other. I want to get more secure for less money with better user experience. Not an easy task.
When we do go out and look at new solutions, one of the things we're looking at is what holes does it plug. The other is what else can it replace. And the third is what's the impact on the end user.
It just happened that the confluence of our discussions with Island is we were able to tick all three boxes. That's rare. Usually, I can tick one or two and I live with that.
Michael Krigsman: Obviously, you're pleased with the caliber of the tools that are built in as opposed to the ones that you replaced.
Bill Dougherty: The principal one I replaced was the observability tool and the Island one works way better. The old observability tool, there was an agent that ran on endpoints.
It didn't always capture videos or logs. Or if it did, sometimes we'd get transmission errors coming back to us, and so we would lose them.
Island captures a different level of fidelity and transmits them differently. And so, when we want to see what an end-user has done, we've got a much higher degree of confidence that we have captured it using Island's tools.
Michael Krigsman: That makes perfect sense because an agent is essentially an external third party. And when you're using the enterprise browser, all of the data is coming in natively and it's right there.
Bill Dougherty: Absolutely. And the side benefit of that is we're running less code on the endpoints, so it actually performs better, too.
For our power users like our engineers that are trying to squeeze every last cycle out of their laptop, we actually saw a little bit of a performance boost on their endpoints because we're running one less agent. It is one less thing to conflict with for what they're trying to do on their laptop.
Michael Krigsman: Bill, earlier you alluded to the implementation or the rollout process. Can you describe how you migrated from your existing set of consumer browsers to the Island enterprise browser?
Bill Dougherty: The browser is a shockingly or surprisingly personal thing for people, so we brought our users along gently. We worked last summer to bring Island into our software management platform so that we could push it out to all of our endpoints.
We pushed it out silently. We didn't tell anybody we were doing it. Just suddenly, there's a new application on their laptop.
We then did a lot of testing to make sure that it wasn't going to conflict with something. And we then notified our users, "Hey, we have this new tool that we're migrating to," and migrating was important.
We told them, "Start using it. Start playing with it. Tell us what you like and what you don't like. We'll change the things that you don't like (if we can). But eventually, this will become our only browser."
We gave them – I think it ended up being – closer to two months of time where they could try it but not be forced to use it. But they always knew that's where we were going.
The enforcement of this is really important. For us, we use an IDP for authenticating the single sign-on to all of our SaaS products. Island integrated with that IDP.
We made it – when we were ready to cut over – such that you can no longer authenticate to any of our applications unless you're from a binary we trust, which is Island. So, when we finally did that push, suddenly, all other browsers effectively disappeared.
Some of them, we uninstalled. Some of them, you can't uninstall. But the users are no longer using them for any application we care about or any set of data we care about.
Michael Krigsman: Island becomes the trusted authority, the reference point.
Bill Dougherty: That's correct. If you think about layers of security just for something simple like authentication, we often talk about username and password or multi-factor. In our environment, we've added several layers.
In order to get access to any of our applications, you must start in a browser binary we trust. And you must do that on a laptop we trust, control, and have a pre-shared certificate for.
Then you can only log into one system. And when you do that, it checks is the system patched and up to date, is it one that we have a pre-shared certificate with, are you using our browser code. Also, we check what IP address you're coming from, so you have to be from a subnet that we trust. Then you need a username and password and multifactor.
It's a whole bunch of layers before you get to do anything we consider valuable. The user experience matters, so all of that has to be seamless. To the end user, it should just look like they're logging in.
Michael Krigsman: You have adopted a zero-trust approach intended to maintain security while making the entire set of security operations seamless and easy for the user.
Bill Dougherty: To me, it's not zero trust. It's layers of trust. And so, it is seamless to the end user but they're on a laptop that we have deployed and control and trust using a binary we control and trust, using credentials we control and trust, from a network we control and trust.
Once you log in, you're continuously revalidating that. It's not that you don't trust it. It's that you don't trust in perpetuity.
Michael Krigsman: Bill, you're describing layers of trust that create a seamless experience for end users.
Bill Dougherty: That is definitely the goal. From the end user's perspective, they wake up in the morning, they log into their laptop, and then they log into Island.
When they log into Island, that logs them into our IDP. Then they can just start using our SaaS applications.
They only have to do that one time. But built into that very seamless experience is a whole lot of layers of security and control and policy.
Michael Krigsman: Consolidation of various systems is one of the key advantages provided by an enterprise browser. How does that impact the overall cost equation?
Bill Dougherty: For the providers we replaced with Island, we cut our cost in half. That was compelling enough to make us act in the middle of last year when it wasn't on our roadmap.
This was disruptive to my team. We had a laundry list of projects we were going to do. We had a fixed budget. And we inserted this in there because everybody understood that if we did this and did it right, we would cut our cost, we would simplify our long-term support, and we'd improve our security.
At the same time, we were able to deploy new features we had always wanted to deploy but could never afford. The biggest one being a password manager.
Enterprise password managers are fantastic. They also tend to be expensive. And so, most of our users didn't have access to one.
That impacted them not only for their work where they may have passwords they have to manage on third-party sites, but also we allow our users to do some personal business. And so, we want to enforce good security policy like don't reuse your passwords and also don't write them down on sticky notes and put them on your desk, but we hadn't given them the tools necessary. By deploying an enterprise browser, we actually got access to this.
Michael Krigsman: That kind of cost savings is pretty incredible. Can you isolate the source of those reduced costs?
Bill Dougherty: We had an observability platform that was monitoring what end users did, that would record videos when it tripped a rule so that a security analyst could go in and see what they were doing to figure out if they just made a mistake, if they were doing something malicious, if the rule needs to be fine-tuned. That platform is very expensive.
Island has that capability built-in, and it works better. Ultimately, I get the entire stack of Island for half of what I was paying for a standalone observability tool.
Michael Krigsman: Again, you're reducing the number of software components and software vendors in this mix as well.
Bill Dougherty: Absolutely. It's less software for me to patch and worry about on a daily basis. And I have now got enterprise control of our browser extensions, so we have less risk there of malicious third-party extensions coming in because no extension can be installed that we don't review and approve.
Michael Krigsman: Overall, you have really significantly simplified your IT landscape.
Bill Dougherty: Absolutely.
Michael Krigsman: Bill, what's next for security at Omada Health?
Bill Dougherty: Like every CISO, we are very focused on AI and how we bring the benefit of these new AI tools into our environment and how we do that safely. In healthcare, that's hugely complex because of the rules around how you use member data.
We are continuing our focus on efficiency. Efficiency is job one, and AI tools have the potential to help with that. But also, just general consolidation of vendors down.
As you grow over the years, especially in your SaaS world, it's too easy to just add another tool and add another tool. What you get is drift.
We are identifying every SaaS product we have that we think can be consolidated down. Our enterprise browser actually gives us really good usage statistics, so I can see who is using what tools when and can identify areas to reduce licenses, to consolidate, to just throw tools away.
All of those are top of mind for me right now.
Michael Krigsman: The Island browser gives you a level of visibility and transparency into software usage which in turn allows you to reduce that drift and drive the simplicity of the overall IT landscape.
Bill Dougherty: Yes, there are some dashboards in there that show me what my top applications are. I can see who is using what, when.
When I want to know, for a given SaaS product, "I wonder how many people are using this compared to how many licenses I own," I can get some of that data from my IDP. I can see who is authenticating. But I can actually see more data on how long they're using it or I can turn on an observability rule to see how they are using it.
It allows me to really effectively identify areas for improvement. That can be consolidation. That can be tool reduction. Sometimes it's tool expansion.
We may find that there is a tool that we've approved that one department is using and using really, really well. If you see that they're using it on a daily basis, you then go look and see, "Well, who else would benefit from that?"
The enterprise browser has given me a lot of additional observability that I actually didn't think of when I was evaluating the product.
Michael Krigsman: Bill, any final thoughts as we finish up?
Bill Dougherty: The security landscape just keeps getting more and more challenging. And so, areas where we can improve user experience while improving security is where we should all be focused. Simplifying that user experience and baking the security controls into the toolset, it just helps everybody.
Michael Krigsman: Bill Dougherty, Chief Information Security Officer of Omada Health, thanks so much for taking time to speak with us.
Bill Dougherty: Thank you, Michael. It's been a pleasure.
Published Date: May 13, 2024
Author: Michael Krigsman
Episode ID: 839