In a series of lively discussion panels on December 6 in Dallas, healthcare IT and healthcare IT security leaders looked at some of the core challenges facing the leaders of U.S. patient care organizations, at a time of accelerating IT security threats across the healthcare system.
All those leaders were participants in discussions at the Dallas CHIME LEAD Forum, held at the Joule Hotel in downtown Dallas and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and Healthcare Informatics. The daylong event was focused on cybersecurity, and included several important panels whose discussants included CIOs, CISOs (chief information security officers), and others. All of the day’s panels were moderated by Adrienne Edens, CHIME’s vice president of education.
In the first panel, “Essential Factors for Cybersecurity Preparedness,” Edens led a discussion among John Delano, CISO at Cook Children’s Health System (Ft. Worth); Major Chani Cordero, CIO of the Medical Education Training Campus of the Defense Health Agency (headquartered at Joint Base San Antonio); and Dave Kythe, vice president of security services and strategy at the Carpinteria, Calif.-based Redspin, an Auxilio Company.
First things first, Delano emphasized, near the start of that discussion. “When you’re building a house, you need a structural framework; you can’t just start nailing boards together.” The same is true with regard to healthcare IT security planning, he said. “So you need a security framework to start with. Then you have to prioritize your risk, from the most critical risks, and on. It’s important to create an incident response plan,” he added. “It’s been said that there are two types of networks—one, you have a breach and know it, and the other, you don’t. So develop an incident response plan. Develop security awareness training materials. We do weekly and monthly security tips for our end-users. We train our employees on phishing attempts. You should also invest in cyber insurance,” he urged.
“I saw some numbers recently,” Delano continued. “The average cost of a breach is $7 million to the average organization. So cyber insurance is really a drop in the bucket. And we had a breach where about 3,000 records were compromised. We were able to tap into some resources from the cyber insurance we had bought, and, based on our investigation, we were able to determine that only 11 of those 3,000 records actually had been compromised.” That, he said, demonstrated the value both of cyber insurance, and of strong analytics and processes to investigate potential breaches and other incidents.
Maj. Cordero noted the size and breadth of scope of the operations at the Defense Health Agency’s Medical Education Training Campus. “We’re the DoD’s [Department of Defense’s] largest integrated training campus,” she noted. “We have about 8,000 students and 2,000 staff members at any given time. What we focus on for the most part is defense in depth. One thing that we probably do a bit differently from you is that we’re really big on policy. We have the ability to cut things off—if we have to remove a system or application, we can do it if necessary. Our job is to support providers in patient care, and we do our best to mitigate any risk. I’m pretty sure the bulk of what we do is also what you do.”
Among the advantages that she and her colleagues have at the Defense Health Agency, Cordero said, is that, “For you to have a network account within the DoD, you have to acquire at least a baseline security certification, to add a computer to the domain or do any administrative tasks. As you go up the line as an information security manager or officer, you have to have your CSSP [Certified SonicWall Security Professional certification], or one of two other certifications. Your information assurance manager is not going to be your network chief; your inspection auditor won’t be a facility person. We try to keep those things separate. And Lord forbid you work on Windows XP or anything—we separate all of those consumer-level applications and systems” from the DoD’s networks. “Also, the medical network is typically separate for the Army from the network that the rest of the DoD is on. We do that not only because of traffic, such as PACS [picture archiving and communications systems], because images are very big items, but also because devices on our medical network could be very vulnerable, and we don’t want them to be on an arms system together.” Most importantly, Cordero said, “What we really focus on is known attacks and vulnerabilities. A lot of the attacks today are known to us; they’re just variants on what’s out there. So we focus on what we know right now.”
Kythe noted that “One of the things I’ve seen in larger corporations, especially in global companies, but which we can also do in the U.S., is to spread out responsibilities across time zones.” In U.S. healthcare, that could occur within a national integrated health system, which in some cases, he noted, could relieve the burden on any one portion of an IT team to manage a security crisis.
“Unlike the Army, with its 50 hospitals and a whole slew of government folks who could be all hands on deck if something happened,” Cordero said. “If you’re a standalone facility, I would absolutely do what it takes to have someone at the ready. The risk, we know, is there. And if your team is not available to handle the incident, I would look at insurance and at outsourcing capability.”