Article Details

Scrape Timestamp (UTC): 2025-05-30 10:36:17.680

Source: https://thehackernews.com/2025/05/from-department-of-no-to-culture-of-yes.html

Original Article Text

From the "Department of No" to a "Culture of Yes": A Healthcare CISO's Journey to Enabling Modern Care.

Breaking Out of the Security Mosh Pit

When Jason Elrod, CISO of MultiCare Health System, describes legacy healthcare IT environments, he doesn't mince words: "Healthcare loves to walk backwards into the future. And this is how we got here, because there are a lot of things that we could have prepared for that we didn't, because we were so concentrated on where we were."

This chaotic approach has characterized healthcare IT for decades. In a sector where lives depend on technology working flawlessly 24/7/365, security teams have traditionally functioned as gatekeepers—the "Department of No"—focused on protection at the expense of innovation and care delivery. But as healthcare continues its digital transformation journey, this approach is no longer sustainable.

With 14 hospitals, hundreds of urgent care clinics, and nearly 30,000 employees serving millions of patients, MultiCare needed a different path forward – one that didn't sacrifice innovation for safety. That shift began with a mindset change at the top that was driven by years of experience navigating these exact tensions.

Jason Elrod's View: The Healthcare Security Conundrum

After 15+ years as a healthcare CISO, Elrod has a unique perspective on the security challenges facing healthcare organizations. According to him, healthcare's specific operational realities create security dilemmas unlike any other industry:

It's a recipe for burnout, blame, and breakdowns. But what if security could enable care instead of obstructing it? Watch how MultiCare turned that possibility into practice in the Elisity Microsegmentation Platform case study with Jason Elrod, CISO, MultiCare Health System.

Identity: The Key to Modern Healthcare Security

The breakthrough for MultiCare came with the implementation of identity-based microsegmentation through Elisity.
"The biggest attack surface is the identity of every individual," notes Elrod. "Why are the attacks always on identity? Because in healthcare, we must make sure all the information is available when they need it, with the minimum amount of friction possible."

Traditional network segmentation approaches relied on complex VLANs, firewalls, and endpoint agents. The result? "A Byzantine spaghetti mess" that became increasingly difficult to manage and update. Elisity's approach changed this paradigm by focusing on identity rather than network location:

From Skepticism to Transformation

When Elrod first introduced Elisity to his team, they responded with healthy skepticism. "They're like, 'Did you hit your head? Are you sure you read what you were saying? I thought you stopped drinking,'" Elrod recalls.

The technical teams were doubtful that such a microsegmentation solution could work with their existing infrastructure. "They said, 'That doesn't sound like something that can be done,'" shares Elrod.

But seeing was believing. "When you see people who are deeply technical, people who just know their craft really well, and they see something and go 'Wow'… it shakes the pillars of their opinions about what can be done," explains Elrod.

The Elisity solution delivered on its promises: ...all without forcing a tradeoff between protection and performance. But what surprised Elrod most wasn't just what the technology did, but how it changed the people using it.

Breaking Down Walls Between Teams

Perhaps the most unexpected benefit was how the solution transformed relationships between teams. "There's been a friction point. Put this control and constraint around the network. Who's the first person to call? They're going to call IT. 'I can't do this thing.' And I'm saying, 'Well, you can't open everything, because everybody can't have everything. Because the bad guys will have everything then,'" Elrod explains.
Identity-based microsegmentation changed this dynamic: "It changed from 'How do I get around you?' and 'How do you get around me?' to cooperation. Because now it's like, 'Oh, well, let's make that change together.' It shifted culturally, and this was not something I expected… We really are on the same team. This is a solution that works for all of us, makes all of our jobs better, Security and IT. It is a force multiplier across the organization," says Elrod.

With Elisity, security and IT teams now share incentives rather than competing priorities. "The same thing that allows me to make connectivity work between this area and here in a frictionless fashion is also the same exact thing that provides the rationalized security around it. Same tool, same dashboard, same team," Elrod notes.

Enabling a Culture of Yes

For healthcare providers, the impact is profound. "If they don't have to worry about access, don't have to worry about the controls, they can take the cognitive load of thinking and worrying about the compliance factors of it, the security, the privacy, the technology underlying the table that they're working on," says Elrod. This shift enables a fundamental change in how security interacts with clinical staff:

Breaking Down Silos: The Business Imperative of Security-IT Integration

The traditional separation between security and IT operations teams is rapidly becoming obsolete as organizations recognize the strategic advantages of integration. Recent research demonstrates compelling business benefits for enterprises that successfully bridge this divide, particularly for those in manufacturing, industrial, and healthcare sectors.

According to Skybox Security (2025), 76% of organizations believe miscommunication between network and security teams has negatively impacted their security posture. This disconnect creates tangible security risks and operational inefficiencies.
Conversely, organizations with unified security and IT operations reported 30% fewer significant security incidents compared to those with siloed teams.

For healthcare organizations, the stakes are even higher. Among healthcare institutions that experienced ransomware attacks, those with siloed security and IT operations reported a 28% increase in patient mortality rates in 2024, up from 23% in 2023 (Ponemon Institute & Proofpoint, 2024). This stark reality underscores that cybersecurity integration isn't just an operational consideration—it's a patient safety imperative.

The financial case for integration is equally compelling. A Forrester Total Economic Impact study on ServiceNow Security Operations solutions demonstrated a 238% ROI and $6.2 million in present value benefits, with a 6-month payback period when integrating security and IT operations (Forrester/ServiceNow, 2024).

Forward-thinking organizations are adopting sophisticated integration models like Cyber Fusion Centers. Gartner research confirms these represent a significant advancement over traditional security operations, predicting that by 2028, 20% of large enterprises will shift to cyber-fraud fusion teams to combat internal and external adversaries, up from less than 5% in 2023.

For enterprise leaders, the message is clear: breaking down operational silos between security and IT teams isn't just good practice—it's essential for comprehensive protection, operational efficiency, and competitive advantage in today's threat landscape. Few understand that better than Elrod, who's spent decades trying to bridge this gap both technologically and culturally.

The Bridge to Modern Healthcare

For Elrod, identity-based microsegmentation represents more than just a technology solution—it's a bridge between where healthcare has been and where it needs to go. "Technology in the past wasn't bought because it was crappy… They were great. Good intention. They did what they needed to do at the time.
But there's a lot of temporal distance between now and when that made sense," he explains.

Elisity helps MultiCare "build that bridge from where we have been to where we need to go… It's a ladder out of the pit. This is great. Let's stop throwing things in there. Let's actually do things in a rational fashion," says Elrod.

Looking Ahead

While no single solution can address all of healthcare's security challenges, identity-based microsegmentation is "one of the bricks on the yellow brick road to making healthcare security and technology the culture of Yes," according to Elrod.

As healthcare organizations continue to balance security requirements with the need for frictionless care delivery, solutions that align these competing priorities will become increasingly essential. By implementing identity-based microsegmentation, MultiCare has transformed security from a barrier to an enabler of modern healthcare—proving that with the right approach, it's possible to create a culture where "yes" is the default response without compromising security or compliance.

Ready to escape your own security "mosh pit" and build a bridge to modern healthcare? Download Elisity's Microsegmentation Buyer's Guide 2025. This resource equips healthcare security leaders with evaluation criteria, implementation strategies, and ROI frameworks that have helped organizations like MultiCare transform from the "Department of No" to a "Culture of Yes." Begin your journey toward identity-based security today. To learn more about Elisity and how we help transform healthcare organizations like MultiCare, visit our website here.

Daily Brief Summary

MISCELLANEOUS // Healthcare CISO Shifts IT Focus From Gatekeeping to Enabling

MultiCare's CISO, Jason Elrod, has reshaped the IT security approach within the healthcare sphere, focusing on enabling modern care rather than just gatekeeping.

Legacy IT systems and stringent protection measures hindered innovation and care delivery, demanding a shift to more responsive and enabling IT practices.

Identity-based microsegmentation was implemented through Elisity, changing the security dynamic by focusing on individual identity controls rather than traditional network segmentations.

Skepticism from technical teams initially greeted the new microsegmentation strategy, but practical outcomes altered their viewpoint and demonstrated effectiveness.

This strategic shift bolstered collaboration between IT and security teams, transforming internal dynamics and reducing operational friction while improving security measures.

As part of broader sector movements, similar integration between security and IT is crucial for operational efficiency and competitive advantage, particularly in health care.

This transition supports the ongoing digital transformation initiatives across the healthcare industry by allowing smoother, safer patient care and advanced compliance management.