The recent flurry of high-profile hacking attempts has moved security higher on the agendas of health system CIOs. Speaking at the CHIME CIO Spring Forum on April 12 in Chicago, Patricia Skarulis, senior vice president and chief information officer at Memorial Sloan Kettering Cancer Center (MSK) in New York, gave her colleagues some insights into the security challenges her organization faces. Although MSK has a chief information security officer, Skarulis must keep her focus on security as well. “Our spending on security has increased enormously. I spend 15 to 20 percent of my time on security,” she said.
She noted that today’s hackers are highly organized criminal organizations or state-sponsored groups. “Phishing is growing in sophistication,” Skarulis said. Years ago, the messages would have improper spelling and grammar. But now the senders grab the organization’s logo, and the messages look like communication from the institution. There are more instances of “spear phishing,” or targeting of doctors with personalized messages about their work or research. She said banks that have been hit by these spear phishing campaigns have started to tell their employees not to put anything on their LinkedIn profiles about their work.
MSK has adopted data loss prevention software to address the problem and finds many instances of protected health information (PHI) being sent over e-mail. “We also are doing penetration testing,” she said, adding that MSK has worked to improve its training for employees who click on a link in a phishing campaign. Every breach or near breach they’ve had traces back to well-meaning staff making mistakes, she added.
Skarulis said the organization also recently moved to two-factor authentication. “If you don’t have two-factor authentication for outside e-mail you are courting disaster,” she told attendees. (By the way, in the 20 minutes it took to write this story, I received a phishing attempt e-mail.)
At the same session Ed Marx, senior vice president and chief information officer for Texas Health Resources, offered CIOs some ideas about employee engagement. He said it was important to be available to employees and purposefully have lots of interactions. He takes the long way on trips to the restroom and realizes the round trip might take 20 minutes because he has lots of interactions on the way. “Let people touch you,” Marx said. “Make yourself available.”
He added that building relationships with staff members is key to employee engagement. “Over half of Texas Resources’ 600 IT staffers have been to my house,” Marx said. “We celebrate all the time.”
Marx said CIOs should help give their teams a sense of purpose beyond collecting paychecks. If you ask Texas Health Resources IT staff their purpose, they all answer, “We save lives.” They are highly engaged as a result. He also asks employees to identify their personal goals and helps them to achieve them. He noted that he is gratified that 12 current CIOs, 11 of them in healthcare, used to report to him.