For NIH’s Dugar, like minds really do think differently about cybersecurity


The National Institutes of Health is striving to create cognitive diversity among its employees.

This idea of bringing in employees with different backgrounds is especially important for the office of cybersecurity where Jothi Dugar, the NIH’s clinical center’s chief information security officer, said she’s taking advantage of this new program to build a different type of cyber team. Over the last few years since becoming the CISO, Dugar increased her staff to 14 employees from four with a keen eye toward attracting more women into the cyber ranks.

That new program is called the Diversity of Science, through which NIH is analyzing the state of diversity in healthcare and science across the bureau.

“I’m partnering with this program and reaching out to various outreach programs where students come to the NIH to learn about careers in the NIH and many people don’t even realize that cybersecurity in healthcare is a thing,” Dugar said on Ask the CIO. “They come in wanting to talk to researchers or scientists or doctors or nurses on the most fascinating biomedical research out there, cures for cancer or other diseases. Then they meet me and ask if I’m a doctor, and I say no, ‘I’m a chief information security officer.’ And that’s how we start talking.”

She also is communicating with different student outreach programs, the cybersecurity community and those focused on women in IT.

“Diversity brings more excellence, more creativity, more innovation and broadens the scope of inquiry, and just the general positive impact it has on the workforce and ensuring fairness,” Dugar said. “The previous phenomena used to be like minds think alike, but now it’s starting to be like minds think differently.”

Dugar said the need for more diversity becomes even clearer to her when she looks at the number of women in the cybersecurity field. She said the latest statistics show women make up only about 11 to 14 percent of the field worldwide and only 5 to 6 percent across the federal government. In the healthcare sector, the number of women in federal cyber drops to about 1 percent.

“For me, as a woman, when I was looking for role models in this space, whether federal or private sector, there really wasn’t any. So I felt that once I got to this position that’s what I want to be for others who are aspiring in cybersecurity and the technical IT space,” she said. “I don’t think everyone is looking at all the avenues [to bring on cybersecurity employees]. We have something called special volunteer positions, intern positions and that’s really the way for students to get into cybersecurity and get their experience before they graduate.”

Another thing Dugar said she is doing and others in the cybersecurity field should consider is making more of a show at job fairs and other recruitment opportunities.

NIH cyber priorities

When she is not recruiting or working with young women and girls to get them interested in cybersecurity, Dugar is helping to protect the clinical center’s systems and data.

“One of our primary concerns right now is medical device security and just making sure all of our medical devices are accounted for, that we have a good asset inventory of them and trying to figure out how each of them work and the best way to secure them,” she said. “Most of these medical devices are so fragile that they can’t be scanned the way normal systems can be scanned or patched because we run into FDA and certification concerns.”

She said NIH has to figure out how to segregate the devices from the main network as well as ensure they are not accessible from the outside.

Dugar said one big challenge is figuring out what constitutes an IT system when it comes to medical devices. She said the standard definition under the Federal Information Security Management Act (FISMA) isn’t clear when it comes to either healthcare technology or the broader idea of connected devices.

“If we have a Bluetooth headset that is transmitting some radio waves is that a system? Or if you have an IV pump, is that a system?” she said. “So we are trying to figure out what is in the boundary of a system and what security we have to put around that.”

One way the clinical center is addressing this ever-increasing challenge is through procurement reviews. Dugar said the chief information officer’s office reviews any buy that includes technology and they ensure all necessary security clauses are added to the contract.

“Then when we actually purchase equipment or medical device or any sort of system, before that system gets implemented we have someone from my team involved in the project making sure all the security requirements are taken care of,” she said. “For anything going into the clinical center, we do a fairly good job in making sure security is involved and we go over the requirements before the system is installed.”

Additionally, the clinical center uses a mobile device management system from MobileIron to protect the network from mobile applications and devices that may introduce risk into the system.