
SI 2019 BayCare Health System CISO Case Studies Workshop

January 16, 2019

BayCare Health System’s VP & CISO, Thien Lam, along with CIO Tim Thompson and CTO Scott Patterson, hosted a very focused one-day SI CISO Case Studies Workshop at their headquarters in Clearwater, Florida in January 2019.

Chief Information Security Officers (CISOs) and other healthcare IT security executives (individuals and teams) from 12 SI Member organizations from around the country gathered at BayCare Health System on January 16, 2019, for an SI CISO “Show and Tell” Workshop which included a comprehensive review of leading practices in cybersecurity.

Thien Lam opened the discussion by welcoming the group and encouraging open and frank dialogue about successes and failures in healthcare IT security. Attendees were involved in detailed discussions including strategies around data-breach response and recovery, and cybersecurity preparedness and prevention.

Case study presentations delved into the hot topics of: third-party breach, identity theft, ransomware, data-center failure and FBI/OCR communication; prevent/detect/respond strategies, SIEM/SOAR/Incident Response playbooks, risk assessment/measurement analysis and reporting; and operational impact/emergency preparedness planning and training.

Rich discussions were also held around network segmentation, ePHI inventory, and penetration testing; security threat intelligence technologies and ServiceNow/Remedy integration (and lessons learned); and DevSecOps planning and disaster-response tabletop exercises.

This event was designed to create an opportunity for quality personal networking and open sharing of strategies, techniques and lessons learned.

A private repository has been set up for CIOs and CISOs to access materials from this Workshop, along with other documents for sharing.

Plans for another CISO workshop are already in the making! Keep an eye out for information about future CISO Workshops hosted by CHRISTUS in Fall 2019 and by Banner Health in Winter 2020.


2019 BayCare Health System CISO Case Studies Workshop

Workshop Attendees

    Michael Czumak, III

    VP and CISO, Memorial Sloan Kettering Cancer Center

    I have over 11 years of experience in IT and Information Security. My primary role is developing and leading an application security and penetration testing program, performing hands-on testing of a variety of systems, devices, and applications (web, desktop and mobile applications, medical devices, etc.).

    My primary areas of interest and core competencies are application security, penetration testing, and Windows OS security and I spend the majority of my free time researching these and related topics. Please visit my website to see more of my research interests: http://www.securitysift.com.

    Published Exploits: http://www.exploit-db.com/author/?a=6450

    Other Published Advisories/CVEs: http://osvdb.org/creditees/11091-mike-czumak

    Regular Hands-on Experience with:
    – Pentesting suites / tools (Kali, Metasploit, Burpsuite, Nmap, Sqlmap, etc)
    – Debugging / Reversing / Binary Analysis (Immunity, WinDbg, IDA Pro, JPEXS, etc)
    – Programming / Scripting languages (C/C++, Assembly, Python, Perl, Ruby, PHP, JavaScript)
    – Web / Database Platforms (IIS, Apache, MS-SQL, MySQL, Oracle, Sybase, etc)
    – Other: Vulnerability Scanners, DLP, Network analysis, etc

    Recognized by multiple organizations for security contributions including: Microsoft, Apple, Adobe, PayPal, eBay, Sony, and Etsy

    Practical Professional Certifications: OSCE, OSCP

    Other certifications: CISSP, CISM, CNSS 4012, Six Sigma Green Belt, CompTIA Security+/Network+/A+/Project+


    Updated November 2018

        Todd Greene

        AVP and CISO, Atrium Health

        Todd Greene is the AVP and CISO for Atrium Health. Todd has been with Atrium Health, formerly Carolinas HealthCare System, for more than 17 years, much of that time in the Information Security Department. He is a founding member of Atrium Health’s cybersecurity team dating back to 2000. He has a bachelor’s degree in Computer Science concentrating in Electrical Engineering and holds the CISSP certification.

        Atrium Health operates as an innovative healthcare organization. Atrium Health provides a full spectrum of healthcare and wellness programs throughout North and South Carolina. Their diverse network of more than 900 care locations includes academic medical centers, hospitals, healthcare pavilions, physician practices, destination centers, surgical and rehabilitation centers, home health agencies, nursing homes, and hospice and palliative care. Atrium Health works to improve and enhance the overall health and well-being of its communities through high quality patient care, education and research programs, and a variety of collaborative partnerships and initiatives.


        Updated March 2019

            James L. Hanson

            Regional Information Security Officer, Avera Health

            James L. Hanson (Jim) has over 30 years of senior management experience in the healthcare, insurance and financial services sectors.  His career has spanned organizations from Fortune 500 companies to information security start-ups.  In his current role at Avera Health he has overall responsibility for information security as well as being the regional information officer for a subset of Avera’s facilities.

            Jim has participated in and served on several industry, technology and community groups over the years.  He and his wife Deb reside in Sioux Falls, SD and have two grown daughters.


            Updated December 2016


                Sean Henkel

                Director Infrastructure & Architecture at Spectrum Health

                Director of Infrastructure & Architecture,
                Spectrum Health Corporate

                Sean Henkel serves as Director of Infrastructure & IS Architecture for Spectrum Health.  His teams are responsible for the architecture, planning, design, implementation and day-to-day support for all aspects of Spectrum Health’s core infrastructure systems.  Sean has over 20 years of IT experience in the Manufacturing, Retail, Software Development, and Healthcare industries.

                Areas of expertise

                • Enterprise Technology Architecture (Servers, Storage, Databases, Network, Telephony)
                • Planning and Design of:
                  – (Secure) Servers, Storage, and Networks
                  – (Secure) Virtualized Server Environments
                  – Highly Available and Disaster Tolerant Systems


                BA, Graphic Design | Madonna University | Livonia, Michigan

                About Spectrum Health

                Spectrum Health is a not-for-profit health system in West Michigan offering a full continuum of care through the Spectrum Health Hospital Group, which is comprised of 14 hospitals including Helen DeVos Children’s Hospital, a state of the art children’s hospital that opened in January 2011, and 220 service sites; the Spectrum Health Medical Group and West Michigan Heart, physician groups totaling more than 4200 providers; and Priority Health, a health plan with 900,000 members. Spectrum Health is West Michigan’s largest employer with more than 31,000 employees. The organization provided 9 million in community benefit during its 2018 fiscal year.



                Updated March 2019


                    Preston Jennings

                    EVP, Information Security and CISO, Trinity Health

                    Preston Jennings is the EVP, Information Security and Chief Information Security Officer for Trinity Health, a .3 B healthcare provider with 120,000 employees, operating in 22 states.

                    Preston joined Trinity Health in 2016 from PricewaterhouseCoopers, where he was the CISO of the US firm for 8 years, building their Information Security Program – including ownership of their Information Security Policy, Incident Response, and build out/implementation of their first Security Operations Center.  Prior to his role as CISO at PwC, Preston was a Director in PwC’s consulting practice for 10 years, where he worked with over 40 Fortune 500 clients, addressing a broad range of security topics from Ethical Hacking to design and deployment of security solutions.

                        Bryan C. Kissinger, PhD

                        VP & CISO at Banner Health

                        Bryan is Vice President and Chief Information Security Officer for Banner Health in Phoenix, Arizona. He leads a department focused on 6 key capabilities: Data Protection, Threat and Vulnerability Management, Incident Management and Response, Identity and Access Management, Security Architecture, and Security Governance. Bryan and his team are focusing on accelerating maturity and reducing risk across all 6 of these functional areas.

                        Prior to joining Banner Health, Bryan was Vice President, IT Risk Management and Chief Information Security Officer (CISO) for Sharp HealthCare in San Diego, California. He was a key member of Sharp’s IT Leadership Team focusing on managing IT risks and the protection of critical information and computing infrastructure. He was responsible for leading the enterprise-wide IT risk management function and the information security operations team for Sharp HealthCare. Within 18 months of assuming this leadership role, Bryan and his team were able to rapidly mature their program’s capabilities and significantly reduce IT risk across the organization.

                        Previously, Bryan held leadership roles with Kaiser Permanente, PricewaterhouseCoopers, LLP and the Mayo Clinic.  He is a Navy veteran, having served as a Surface Warfare Officer for seven years on active duty with tours in the Western Pacific and Persian Gulf theaters.

                        Bryan holds a Bachelor of Science degree from the University of Maryland, a master’s degree in Business Administration, and a PhD in Information Technology Management. His certifications include CISSP, CISA, CCNA, CWNA, and MCP for Microsoft Windows 2000.

                            Thien Lam

                            VP and CISO, BayCare Health System

                            Thien Lam currently serves as Vice President and Chief Information Security Officer for BayCare Health System (BayCare) in Clearwater, Florida. His responsibilities include Information Security and IS Compliance.

                            Thien has over 25 years of experience in information technology. Prior to joining BayCare in 2011, he served as Director of IT Security Systems and Data Security Officer for the Methodist Hospital System in Houston, Texas. Prior to working at Methodist, Thien was the Associate Director of Information Security at MD Anderson Cancer Center in Houston, Texas. He held security management positions at the Kelsey-Seybold Clinic and eBaseOne.  In addition, he has experience in Oil and Gas as well as the Software as a Service industry.

                            Thien earned a bachelor’s degree in computer science from the Northeastern State University in Oklahoma.  He is a member of the College of Healthcare Management Executives (CHIME) and eHealth Initiative (eHI) Washington DC.


                            Updated October 2017


                                Leonard (Lenny) L. Levy, MBA, CISSP, CISA

                                VP & CISO at Providence St. Joseph Health

                                Leonard (Lenny) Levy is an accomplished information security executive with over 20 years’ experience addressing cybersecurity challenges. He is currently the interim Chief Information Security Officer for Providence St. Joseph Health, a billion Catholic healthcare system. Previously, he served as vice president, chief information security officer of Spectrum Health, a not-for-profit integrated health system in West Michigan. Lenny was responsible for aligning risk-based strategic security initiatives with enterprise programs and business objectives to ensure information assets and technology platforms are appropriately protected across the entire system. He led an organization of experienced risk and information security professionals focused on embedding security into the organization, mitigating security risks, detecting potential incidents, and responding to issues. His leadership of the information security program supported an innovative, robust, and secure information technology environment throughout the organization.


                                Lenny has over 20 years of experience with diverse information security / technology topics across industries including healthcare, financial services, technology, retail, and government. Prior to joining Spectrum Health in 2016, Lenny spent the majority of his career consulting on Information Security topics for organizations around the world with PricewaterhouseCoopers (PwC) LLP based in the United States and Singapore. At PwC he established a track record of successfully managing large-scale complex projects, developing risk-driven security programs and delivering solutions that supported critical business initiatives.

                                Client experience at PwC included transformational security projects, developing pragmatic cybersecurity strategies, helping organizations leverage public and private clouds, responding to data breaches, addressing evolving regulatory requirements and implementing pragmatic solutions to reduce risk.  Example healthcare clients included HCA, Mayo Clinic, Dignity Health, Singapore Ministry of Health, United Health Group, Abbott Laboratories, Merck, Walgreens and CVS.  Other notable clients included Microsoft, Walmart, Delta Air Lines, Citibank, Temasek, Expedia, and Infocomm Development Authority of Singapore.

                                Lenny is a thought leader in the privacy and security industry and a sought-after speaker. In addition, he has published numerous articles on cybersecurity, security strategy, data breach response, global data protection requirements, and cloud computing.

                                He holds a Bachelor of Science in decision and information sciences from the University of Florida and a Master of Business Administration from the Fuqua School of Business at Duke University. He holds Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications.


                                Lenny is an active contributor to the cybersecurity industry and relevant industry groups. He has been actively involved in a number of groups including the Department of Health and Human Services (HHS) 405(d) Cybersecurity Task Group, Department of Homeland Security (DHS) Healthcare and Public Health Sector Coordinating Council, Multiple Sclerosis Society Leadership Class, InfraGard, Michigan Healthcare Cybersecurity Council  (MiHCC), Association for Executives in Healthcare Information Security (AEHIS), College of Healthcare Information Management Executives (CHIME), American Chamber of Commerce in Singapore and Information Systems Audit and Control Association. He previously served as co-chair for the International Association of Privacy Professionals (IAPP) Singapore KnowledgeNet and president of the Metro Atlanta Information Systems Security Association (ISSA).


                                 Updated November 2018

                                    Nidhi Luthra

                                    CISO at AMITA Health

                                    Nidhi Luthra is AMITA Health’s AVP and CISO. In this role, Nidhi oversees the Chicago-based health system’s enterprise and clinical information security program, as well as IT regulatory, governance and risk management functions. AMITA Health is currently a system of 19 hospitals, 27 long term care facilities and approximately 400 physician practices.

                                    Prior to joining AMITA, Nidhi held similar roles in other healthcare organizations such as Presence Health and Stericycle. Through her progressive career, she has implemented security and risk programs in heavily regulated organizations seeking stability, strategic roadmaps and turnaround leadership.

                                    Nidhi most recently completed an Executive Leadership Program for Health Care professionals from Cornell. Her prior education includes a Masters in Labor Relations from Ahuja School of Business at Cleveland State; a Masters of Technology & Policy from Ohio University; and a Bachelor of Science in Electronics Engineering from Pune University, India.

                                    Originally from India, she currently lives with her husband in the city of Chicago.


                                    Updated March 2019


                                        Scott Patterson

                                        VP & CTO at BayCare Health System

                                        Scott currently serves as vice president and chief technology officer (CTO) for BayCare Health Services. His responsibilities include leadership for the people, processes and technology within BayCare’s IT infrastructure. His team includes all Operations & Support teams across the BayCare enterprise, including medical device engineering & services, IS Service Center, collaboration services, connectivity/network services, data center operations and IS security operations. His team provides technical and service leadership and brings a detailed understanding of current IT trends and technologies that can be applied to the business, creating overall value for BayCare.

                                        Scott has more than 35 years of experience in pharmaceuticals & health care information technology. Prior to joining BayCare in 2016, he was the Vice President and Chief Technology Officer for Allergan Pharmaceuticals in Parsippany, NJ. Prior to Allergan, Scott held several executive roles within GlaxoSmithKline’s (GSK) Corporate Information Technology organization. During his tenure he served as Vice President of Infrastructure Engineering, VP of Network Services, VP of Application Provisioning and Performance Management, VP Core Infrastructure and Application Services, and finally as VP, Security, Access and Network Services (SANS). Each position allowed Scott to build and/or integrate teams that were agents of change allowing for new solutions and services within GSK IT. Most recently, Scott built and led a strategy team that defined and built solutions that dramatically improved the way GSK and its business partners are able to work together. This strategy, called Externalization, defined/created/implemented many new solutions and changed the way we now provide services in support of GSK Growth and Simplification strategies. Externalization solutions now allow for the rapid provisioning of appropriate access to GSK applications and data, flexible connectivity to partner applications/data, and secure data flow between GSK systems and partner systems. This strategy, and solutions implemented, included the ability for IT infrastructure services to rapidly respond to business needs regarding mergers, acquisitions and divestitures in order to integrate quickly.

                                        Scott worked in several director roles within SmithKline Beecham R&D where he focused on empowerment, continuous improvement, transformation change and efficiencies through Lean Sigma technique, and client/user productivity. He developed the infrastructure that hosted all of the Bioinformatics applications and data, including the company’s first Internet presence, in support of the mapping of the human genome initiative and microbial research programs. Scott provided technical leadership as part of a team that established external business partnerships for the development of Genomic data, including The Institute of Genomic Research (TIGR), Human Genome Sciences (HGS), E-Merck, Takeda, Syntheloba and GlaxoWellcome.

                                        Scott places a high priority on family, and over the last year has settled in Florida.  He is the proud father of four with three boys and a daughter, who is married and lives in the Philadelphia area.  Scott and his wife Sheila are avid golfers and tennis players and enjoy spending time, and hosting visits, with family that want to enjoy Florida’s good weather and beautiful outdoors.


                                        Updated March 2019

                                            Chad Spiers

                                            Director of Info Security, Deputy CISO at Sentara Healthcare

                                            Chad Spiers is Director of Information Security and deputy CISO at Sentara Healthcare, the largest health system in Virginia. Chad has been at Sentara since May 2002. He has held numerous roles at Sentara including Director of Voice and data systems before moving over into Information Security. Chad has been an organizational leader in cybersecurity and technology for healthcare and banking for 28 years.

                                            Chad’s professional and academic interests include identity and device based network segmentation, security compliance, machine learning, and software defined networking.

                                            Chad works actively with Old Dominion University and other universities in Virginia supporting several programs developing the cybersecurity workforce of the future. His cyber security team at Sentara is employing over 12 university students as continuous part-time staff. These students perform crucial security assurance and risk management roles for Sentara, while building strong skills and referable experience for themselves.


                                            Updated March 2019

                                                Tim Thompson

                                                SVP and CIO at BayCare Health System

                                                Tim Thompson currently serves as Senior Vice President and Chief Information Officer for BayCare Health System (BayCare) in Clearwater, Florida.  His responsibilities include leadership of the technology planning and operations for the system-wide Information Services and Clinical Engineering operations.

                                                Tim has over 35 years of experience in health care administration and information technology.  Prior to joining BayCare in 2010, he served as Senior Vice President and Chief Information Officer for The Methodist Hospital System in Houston, Texas.  Prior to working at Methodist, Tim was the CIO and Senior Vice President at the Adventist Health System in Orlando and Palmetto Health in Columbia, South Carolina.  In addition he has held senior management positions at The Cleveland Clinic, Dynamic Healthcare Technologies, Inc., and Proctor Healthcare Incorporated.

                                                Tim earned a bachelor’s degree in management from the University of Illinois.  He is a member of the College of Healthcare Management Executives (CHIME) and Healthcare Information and Management System Society (HIMSS).

                                                BayCare Health System

                                                  Not pictured: Joseph “Augie” D’Agostino, Director, Deputy CISO at Spectrum Health

                                                  Presentations and audio recordings of this event are available only to members.

