Joe Voje is the Chief Information Security Officer (CISO) at OHSU. Before joining OHSU in May, Joe worked as CISO for the City and County of San Francisco. He’s an active contributor to the international and national information security communities, serving on the Certified Chief Information Security Officer advisory board for EC-Council, an international information security training and certification body.
What is your vision for the research community and data security?
I’m committed to enabling our research community to do the great work they’re doing. My job isn’t to burden anyone with security for security’s sake. Rather, it’s to address the threats to our collective information and computing environment by applying reasonable controls. Defining what’s reasonable means working together, and I’m looking forward to partnering with our research community.
How would you describe your role as CISO?
My primary function is to help the organization make decisions that mitigate risks to our information (data) and our operational system. That requires a deep understanding of the types of internal and external threats to OHSU’s information resources. Although most folks only see a piece of what we do to protect OHSU, there is a larger program involving a lot of people, processes and technology that allows us to keep the right information at employees’ fingertips when and where it is needed.
What do you like best about your job?
I enjoy working with people to solve complex problems — and there are some pretty complex problems in the cybersecurity and privacy worlds. Organized crime, nation-state hackers, natural disasters — any one or combination of these can emerge instantly to make for a challenging day. I like to see the end result of our preparations thwart what would otherwise do us harm. Of course, we don’t win them all. And that is the challenge — can we build a program that enables us to win regularly?
What do you like least about your job?
I don’t like to lose. I don’t like anyone on our team to lose. There have been occasions when I’ve seen skilled people fail to prevent a breach, even following best practices. The online world offers a lot of time-saving and potential for collaboration and innovation, but brings threats that require us to remain vigilant in protecting ourselves and addressing our vulnerabilities.
What unique information privacy and security challenges do you see for researchers at OHSU and elsewhere?
The threats to researchers really boil down to three main areas. The first area has to do with the confidentiality, integrity and availability of research data. Most researchers are focused on their research, not confidentiality. In fact, confidentiality often runs counter to the purpose of research, but it’s necessary in certain circumstances: Grant language may require it, protected health information may be involved, or exposure might jeopardize the researcher’s intellectual property claims, for example. In addition to confidentiality concerns, unauthorized access to a researcher’s system or data can call into question the integrity of the data source and compromise their results. The flip side to unauthorized access is unauthorized destruction or disappearing of data — ransomware or sophisticated denial-of-service attacks can potentially cut off access to needed resources.
The next area is the compromise of very powerful computer clusters and supercomputer platforms. Most, if not all, academic research institutions have very powerful computing platforms that have the ability to be turned against the institutions themselves or used by criminals for profit.
Lastly, researchers frequently use non-standard or specialized equipment and software. Often, security isn’t considered in the design of this equipment and software, or it isn’t regularly updated to address emerging threats. That exposes the research environment to potential compromise, as well as the institution as a whole.
How can OHSU researchers address such challenges?
The best strategy is to consider security as part of the overall research project. Think about how the information could be monetized and by whom. Think about the systems you use and how they are connected to other systems and devices, and implement the principle of least privilege. The Information Privacy and Security team is here to assist you with your efforts.
— Submitted by Melissa Flitsch, Communications Specialist, Information Privacy & Security