With a holistic and adaptive cyber resilience plan, Renown Health aligns information security and technology innovations to the organization’s strategic pillars, its CISO says.
Renown Health’s cybersecurity team has become a lot more visible to staff across the Nevada health system in recent years.
The reasons for that – a marked uptick in social engineering threats and assorted other ongoing cyber risks – aren’t ideal, but the team’s growing prominence has had positive side effects, says Steven Ramirez, Renown’s chief information security and technology officer.
Beyond improving staff awareness of scams to gain unauthorized network access and stage cyberattacks, imperatives of enterprise collaboration on security – data sharing, teaming up on business continuity and adaptive governance – has helped boost Renown’s cyber resilience and enabled other enterprise benefits too.
“It’s really helped us to get to the point where we are at, and mature quickly,” Ramirez said at the 2025 HIMSS AI & Cybersecurity Virtual Forum on Tuesday.
During a presentation on cybersecurity planning and its role in organizational strategy, he shared insights into leadership engagement tactics, risk-informed decision-making and how to partner with other organizational teams to drive innovation.
Data sharing is central
Reno, Nevada-based Renown Health has some 8,000 employees across four hospitals and several outpatient sites and serves more than a million patients each year.
In year four of its current six-year cybersecurity roadmap, Renown’s security team has made strides focusing on early invasion detection, isolation automation and identity verification protocols, Ramirez said.
Data from security analytics dashboards, created by the firm Cyderes, helps drive the health system’s adaptive cyber resilience plan, he said.
Inspired by Oura Circles, an information-sharing tool that allows users of the health monitoring ring to share high-level data with other users, the dashboards enable Renown to customize and share its cyber hygiene data.
“It’s been really important for us to make sure that we’re focusing on areas where we should be, areas we really shouldn’t be anymore or areas that are becoming emerging threats or need a little more TLC,” said Ramirez.
Analytics also improve routine reporting on cybersecurity issues an organization should focus on, and its overall cyber maturity. Ramirez said the security analytics feed quarterly state of the unions on compliance and security at Renown.
“That’s where we are transparent to the board and our senior leaders,” he said.
But the routine sharing of stories from the wild also helps to educate the board and various committees that drive the organization’s overall strategy, he said.
It’s part of the reason Ramirez calls his plan “adaptive cyber resilience” – the constantly evolving threat landscape means that security plans cannot be treated as static, nor can they be governed that way.
“Once you make a plan, you know things are going to change,” he said.
Adapting quickly to threats
In addition to tracking maturity, analytics monitoring and automation are critical for initiating timely defenses, said Ramirez.
It takes 60 minutes – “in and out” – for a threat actor to gain entry into an organization’s IT systems and cause damage, he said. “The line in the sand is really being able to see an action within 15 minutes.”
“I am an identity evangelist and junky,” he continued. With 80% of attacks being identity-based, uncovering those attempts can improve detection methodologies and isolation tactics downstream, he noted.
As part of efforts to diffuse identity-based attempts to gain network access, Ramirez said his team uses deception techniques to mislead and confuse attackers or insider threats.
Hiding critical assets from, or exposing “covertly tainted assets” to, the adversary can be very effective, he said. It’s the cyber equivalent of catching a bank robber with bait money.
An adaptive cyber resilience plan also implements defense-in-depth strategies – when multiple security control layers are used to protect critical assets – and establishes immutable backups to protect and restore data quickly.
Finally, cyber resiliency should address redundancy and segmentation – two cybersecurity strategies HIT practitioners have long discussed the importance of, he noted.
What may be key to “minimizing the overall blast radius” of an attack, Ramirez said, is restricting privileges based on attributes of users and system elements and on environmental factors, as well as defining and separating system elements based on criticality and trustworthiness.
All hands for baked-in security
With a major IT incident or cyber event, it’s not a matter of if, but when, Ramirez said.
Renown Health aligns cybersecurity with its overall strategic plan, so the integration of cybersecurity becomes foundational. However, organizational buy-in is built by culture and governance that support security practices and decisions, he stressed.
“We know that we have this as people send us emails, call, text – really wanting to engage us any time that they see various things that seem like they are suspicious,” said Ramirez. “They bring us into the fold when they are looking at new technology, and they know that we are the final yes or no coordinate.”
While a cybersecurity roadmap may exist behind the scenes of everyday provider operations, communicating certain aspects with staff by taking them on a “road show” can improve end-user impact, the CISO said.
For example, Ramirez said Renown is addressing enhanced identity verification techniques at the service desk level.
“Showing and sharing that with different stakeholders really helps us drive awareness and accountability,” he said.
Aligning cyber hygiene to the organization’s five strategic pillars and engaging through strategic workforce committees have dovetailed well with Renown’s people-first mindset.
Staff are considered the first line of defense and are viewed as essential to recovery after cyber incidents, while ensuring patient access by securing the organization’s digital front door helps to fulfill the organization’s patient care mission, said Ramirez.
Among leadership, Renown’s emergency management team has been an integral part of shared business continuity goals, he explained. But they aren’t just for in-house purposes.
With the Joint Commission and other accrediting bodies, “cybersecurity has continued to creep up on questions they’re asking,” said Ramirez.
Hazard and vulnerability assessments are a top risk for many organizations, so downtime planning, conducting tabletop exercises, crisis communication planning and other tasks are being managed by a multifunctional business continuity group.
“There’s been representation from everybody across the board,” he said.
Several aspects of business continuity at Renown are a multi-team sport.
Disaster recovery testing has involved three of Renown’s committees – EM, business continuity and disaster recovery, and governance, risk and compliance, Ramirez said.
Those three are then joined by the health system’s audit compliance steering committee to address attack mitigation, data protection and incident response readiness.
Beyond defense, cyber hygiene is also a key part of Renown’s plans to grow.
The health system is currently collaborating with Kaiser Health Plan to create Kaiser Nevada, and along with that effort is the need to protect technology investments in clinical services and operations, said Ramirez.
Also, as an integrated academic health system, security teams must optimize end-user experiences and ensure clinical collaborators are working in secure environments.
“Governance is quintessential to cyber resilience – it really drives accountability and helps build a culture,” he said. But “multiple layers ensure success, drive momentum and collaboration.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
