Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations, whether small community hospitals or large integrated health systems, all face the same daunting challenge of protecting information systems and patient data.
There continue to be reports of ransomware attacks and data breaches at healthcare organizations, and a recent Nuix report, based on a survey of hackers, found that a quarter of hackers (23 percent) said they could complete an entire breach of a hospital or healthcare organization in under five hours. The majority (61 percent) said it could be accomplished in under 15 hours.
At Lakeland Health, a three-hospital health system based in St. Joseph, Michigan and serving southwest Michigan, senior executive leaders recognized that work needed to be done to strengthen the organization’s cybersecurity posture, both from a technical and a cultural perspective. According to Lakeland Health CIO Robin Sarkar, Ph.D., security was looked at as an IT issue, not an organizational issue, there was an absence of visibility into cyber risk, and there was a false sense of security. “There was a sense of ‘it can’t happen here’,” he says.
In Lakeland Health’s submission for the 2018 Healthcare Informatics Innovator Awards Program, IT leaders outlined the key details behind the health system’s strategic initiative to implement a more robust cybersecurity program and also shared the results, to date, of this initiative. The submission, titled “Something Wicked This Way Comes,” ended up receiving semifinalist status in this year’s program.
Lakeland Health senior executive leaders set three goals for executing a new cybersecurity program, according to Sarkar, who led the initiative. “Number one, we wanted to put risk management and cybersecurity at the top of health system leadership agenda. We wanted to be proactive. Second, there is a negative connotation to cybersecurity, mostly fear and negativity, so we wanted to change our storyline and move from fear and negativity to focusing on clinical integrity and business integrity,” he says. “Thirdly, we wanted to use innovative strategies and tools and more agile methodologies to make rapid progress using our distributed, cross-function teams to make improvements.”
The history of Lakeland Health dates back to the 1800s and the health system has grown to include three hospitals, an outpatient surgery center, a regional cancer center, rehabilitation centers, two long-term care residences, home care and hospice services and 34 affiliate physician practice locations. Senior executive leaders had their sights set on implementing a cybersecurity program that covers the hospitals, clinics, home care, hospice and all the different legal entities which comprised the health system.
In order to ensure strategic direction and alignment, senior executive leaders set up a steering committee that met every two weeks. Along with the CIO, members of the committee include the vice presidents of finance, legal and human resources as well as the chief medical officer, chief privacy officer and chief compliance officer. The steering committee has helped to foster honest and transparent dialog regarding the risk profile and risk tolerance of the health system, Sarkar says. IT leaders also have developed a formal information security team.
David Morin, manager of information security at Lakeland Health, says the IT security team also collaborated with other health systems with more advanced cybersecurity strategies in place to help prioritize the team’s work. “There are other health systems that have traveled this road before and are further ahead of us, so we had a lot of conversations with our colleagues in the industry. We partnered with a lot of agencies on information sharing and to get a grasp on the most urgent and emerging threats,” he says.
A Focus on People, Processes and Technology
In July 2016, Sarkar and the IT security team began executing the cybersecurity program using a three-pronged approach—people, process and technology. In the area of technology, IT teams focused on implementing an IT risk registry as well as laptop encryption, mobile device management, server patching, multi-factor authentication and improving threat filtration. The IT risk registry entailed documenting known risks and ranking them based on impact and likelihood, Morin says. “We used that to really prioritize and drive our work, and to get a good view of what our environment looks like. Rome is not built in a day, but you can identify the priorities,” he says.
As a result of this work, more than 1,000 laptops were encrypted and efforts are underway to encrypt 4,000-plus desktops in the health system, according to Lakeland Health’s submission. Server patching was a priority and patching improved three-fold since the cybersecurity program started. Identity and access management also strengthened the protocol around domain rights and more than 1,100 dormant accounts were deleted.