As the leaders of patient care organizations move forward to try to get a handle on the growing wave of cybersecurity threats hitting them daily, one of the overarching challenges they’re facing is how to create a culture of cybersecurity. At the Health IT Summit in Denver, held this week at the Ritz Carlton Denver, a panel of healthcare IT leaders and experts dived into this issue, parsing its nuances and complexities, for an audience of fellow healthcare IT leaders.
The panel was moderated by Mitch Parker, executive director, information security and compliance, at Indiana University Health (Indianapolis). Parker was joined by panelists Michael Mercer, chief security officer, Denver Division, at the Federal Bureau of Investigation (FBI); Sheryl Rose, senior vice president and CIO, at the Denver-based Catholic Health Initiatives; Brian Sterud, vice president of information technology and CIO, Faith Regional Health Services (a 131-bed community hospital in Norfolk, Nebraska); and David Finn, a former CIO, and currently the health information technology officer at the Mountain View, California-based Symantec Corporation.
Early on in the discussion, Parker asked his panelists, “How do you make security meaningful in a clinical setting?” “Data is data,” said the FBI’s Mercer. “It’s all the same. We want to protect information, we don’t want it to get out there, we don’t want adversaries to get access to it; we want to protect it.”
“I agree,” said Finn, “but the problem with healthcare is that we have a couple of interesting dichotomies; healthcare is an industry where we need to share information, whether it’s a reference lab, a durable medical equipment company, etc. And we haven’t made the shift yet to understanding how we should protect it. And the second shift we haven’t yet made is that we don’t yet understand the (monetary) value of this data. The bad guys are looking at these pieces of data across huge spectrums, and they’re using the data in ways we haven’t thought about. And we need to catch up with this and train people that this is not only important for providing care, but that it has value” to our adversaries—in other words, to cybercriminals.
Referencing the many years she had spent in the financial services industry as an IT executive before coming into healthcare, Catholic Health Initiatives’ Rose said, “In financial services, it seems as though it was a black-and-white thing. We did our training, we told our employees what they needed to know. But it’s different in healthcare. My biggest day-to-day fear is that I’m going to end up being like Charlie Brown’s teacher, saying, ‘Wha wha wha’”—referencing the cartoons in which the children didn’t hear what their elementary school teacher was saying to them. “And with 105 hospitals and thousands of employees, it’s hard to get the message across,” she said. “So I try to find champions—physicians, nurses, everyone” who might be champions for IT security, “because they’re going to listen to those people more than to Sheryl Rose in the corporate office. We need to engage them, because, to your point, David, they’re going to click on that link.”
“The last year or two has made it so much easier at the executive level, because everybody gets it now,” Sterud said of his community hospital organization. “And our board gets it, and they’re actually asking for (education) now. Awareness right now is amazing.”
“How do you make security part of the underlying process of application development?” Parker asked.
“For me, the devil’s always in the details,” Rose said. “And about four years ago now, we started to do very specific training for specific groups. It’s better if I niche the training and make things more relevant to specific groups of end-users. And that’s a big time-suck. But it requires the day-to-day [work], trying to engage and infuse ourselves into those groups so that they get it, so that when we walk away, they’ll continue forward. It can’t just be a policy or a standard.”
“I became a CIO in 2000 in a turnaround situation,” Finn noted. “And this is pre-privacy and security rule, but we knew it was coming, so we started targeted training around IT around security, and built security into our training. One important thing was addressing the issue of elevated accounts and security levels. You do have to draw a hard line. And I used to tell my IT staff, look, you’re not in technology, you’re in healthcare. We’re in patient care, and we have to protect patients first, and if you have to use a longer password, or change your password, so be it. And the change management element of building that into every process, was a big deal for us in IT.”
“Coming from a smaller health system, how does all this look, Brian?” Parker asked. “Being a smaller organization, we don’t do actual co-development; we do do system configurations,” Sterud replied. “And maybe I’ve been lucky from a staff perspective. Patient care still needs to happen in a way that’s also secure. So sometimes, I have to remind our IT staff that making people take extra steps, is a burden. So I have almost the opposite problem in that regard.”