
Stanford Hospital and Clinics CTO: Healthcare is a “Very Big Target” for Hackers

January 13, 2015
by Gabriel Perna
Jason Roos

If healthcare is entering a new era of data security, then many may remember 2014 as the year when that shift entered the limelight.

The year was full of major data breaches, including mainstream media attention on the hack of the large hospital system Community Health. For some, like Jason Roos, the CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., these kinds of events raise awareness of the perils that threaten data security. Roos’ background is in data security, having worked in application development and production support for Symantec before coming to Stanford. He understands that in many respects, healthcare is lagging behind when it comes to data protection.

Roos will be a featured panelist at the Institute for Health Technology Transformation’s (iHT2) Health IT Summit in San Diego on Jan. 20-21, 2015. Roos, Reid Stephan, Director of IT Security at St. Luke's Health System, Robert Rice, Vice President of Infrastructure and Operations at St. Joseph Health, and Tim Brown, executive director of security at Dell, will discuss data breaches and other topics on the panel, “Privacy & Security: Strategies to Secure Patient Data.”

For those who wish to see Roos and others at iHT2’s Health IT Summit in San Diego, they can register here (iHT2 is a partner with Healthcare Informatics under our Vendome Group corporate umbrella). Healthcare Informatics Senior Editor Gabriel Perna recently spoke with Roos on why data security in healthcare has lagged behind and how that might change going forward. Below are excerpts from that interview.

What kinds of protections do you have in place at Stanford to secure data?

We use a lot of standard products out there, from content filtering, endpoint protections, and firewalls to augmented security operations center partnerships. It’s standard fare for protecting both endpoints and monitoring external traffic. We train users on how to properly use their device, basic stuff like what phishing is, don't click on links that you're not expecting or that look wrong. We're a very vigilant organization. I don’t want to get into specific details for obvious reasons.

You came from Symantec. From the perspective of someone who knows security software pretty well, how does healthcare rank in terms of protecting data compared to other sectors?

I would say there are gaps that exist; obviously it depends on the organization and the resources that organization has at their disposal to make sure they’re covering all the areas. From an exposure perspective, or the different vectors in which a healthcare organization can be affected, I think it’s much greater than other industries. You’re dealing with a very mobile population, both from a staffing and a clinical and biomedical technology perspective. There are a lot of devices, therapeutic or clinical, on the network. There are just a lot of opportunities for threats to take advantage of those connections and devices if they do not meet a standard of compliance when they are deployed. The exposure to threats is significant in healthcare.

Why has healthcare lagged behind?

There are two aspects of this. There is the response aspect and the prevention piece. I think healthcare presents a big target for those that are trying to get a hold of personal, identifiable information for identity theft. Electronic medical records hold a lot of personal information that can identify someone. With HIPAA [the Health Insurance Portability and Accountability Act] and other rules, there are lots of standards to comply with. Yet, there is this conflict on making sure the information is available to those that need it, while preventing those who don’t from getting it, but still knowing where it lives, resides, and is shared. I think a lot of times there may be inadvertent sharing of information from staff if they are not properly trained. This is where training becomes important, and making sure people on the inside are not doing things they shouldn’t be doing. There are a lot of opportunities for things to happen; if an organization is not taking a comprehensive, strategic approach to creating a robust security environment, they will be susceptible to threats.

Did some of the major security events in 2014 spur more action?

I think it's going to raise the awareness that people need to be more proactive, and ensure they’re not just buying products and installing them. I think it raises the level of vigilance across the industry, understanding that you cannot just check the box. It’s finding out what we are trying to achieve, what the outcome of this activity is, and whether it is meeting what it was intended for. It will require education beyond the IT department. Senior leadership will have to understand the importance of this and make sure it has the attention that it needs to be addressed properly.

As CTO, what keeps you up at night, from a security perspective? The bring-your-own-device [BYOD] phenomenon? Phishing emails? Something else?

All of the above. I want to ensure people are educated and we don't become our own worst enemy simply through complacency.

On the BYOD policy, does your organization have anything official in place?