
At Lakeland Health, IT Leaders are “Changing the Storyline” on Cybersecurity and Seeing Significant Results

April 17, 2018
by Heather Landi

Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations, whether small community hospitals or large integrated health systems, all face the same daunting challenge of protecting information systems and patient data.

There continue to be reports of ransomware attacks and data breaches at healthcare organizations, and a recent Nuix report, based on a survey of hackers, found that a quarter of hackers (23 percent) said they could complete an entire breach of a hospital or healthcare organization in under five hours. The majority (61 percent) said it could be accomplished in under 15 hours.

At Lakeland Health, a three-hospital health system based in St. Joseph, Michigan and serving southwest Michigan, senior executive leaders recognized that work needed to be done to strengthen the organization’s cybersecurity posture, both from a technical and a cultural perspective. According to Lakeland Health CIO Robin Sarkar, Ph.D., security was looked at as an IT issue, not an organizational issue, there was an absence of visibility into cyber risk, and there was a false sense of security. “There was a sense of ‘it can’t happen here’,” he says.

In Lakeland Health’s submission for the 2018 Healthcare Informatics Innovator Awards Program, IT leaders outlined the key details behind the health system’s strategic initiative to implement a more robust cybersecurity program and also shared the results, to date, of this initiative. The submission, titled “Something Wicked This Way Comes,” ended up receiving semifinalist status in this year’s program.

Lakeland Health senior executive leaders set three goals for executing a new cybersecurity program, according to Sarkar, who led the initiative. “Number one, we wanted to put risk management and cybersecurity at the top of health system leadership agenda. We wanted to be proactive. Second, there is a negative connotation to cybersecurity, mostly fear and negativity, so we wanted to change our storyline and move from fear and negativity to focusing on clinical integrity and business integrity,” he says. “Thirdly, we wanted to use innovative strategies and tools and more agile methodologies to make rapid progress using our distributed, cross-function teams to make improvements.”

The history of Lakeland Health dates back to the 1800s and the health system has grown to include three hospitals, an outpatient surgery center, a regional cancer center, rehabilitation centers, two long-term care residences, home care and hospice services and 34 affiliate physician practice locations. Senior executive leaders had their sights set on implementing a cybersecurity program that covers the hospitals, clinics, home care, hospice and all the different legal entities which comprised the health system.

In order to ensure strategic direction and alignment, senior executive leaders set up a steering committee that met every two weeks. Along with the CIO, members of the committee include the vice presidents of finance, legal and human resources as well as the chief medical officer, chief privacy officer and chief compliance officer. The steering committee has helped to foster honest and transparent dialog regarding the risk profile and risk tolerance of the health system, Sarkar says. IT leaders also have developed a formal information security team.

David Morin, manager of information security at Lakeland Health, says the IT security team also collaborated with other health systems with more advanced cybersecurity strategies in place to help prioritize the team’s work. “There are other health systems that have traveled this road before and are further ahead of us, so we had a lot of conversations with our colleagues in the industry. We partnered with a lot of agencies on information sharing and to get a grasp on the most urgent and emerging threats,” he says.

A Focus on People, Processes and Technology

Beginning in July 2016, Sarkar and the IT security team began executing the cybersecurity program using a three-pronged approach—people, process and technology. In the area of technology, IT teams focused on implementing an IT risk registry as well as laptop encryption, mobile device management, server patching, multi-factor authentication and improving threat filtration. The IT risk registry entailed documenting known risks and ranking them based on impact and likelihood, Morin says. “We used that to really prioritize and drive our work, and to get a good view of what our environment looks like. Rome is not built in a day, but you can identify the priorities,” he says.

As a result of this work, more than 1,000 laptops were encrypted and efforts are underway to encrypt 4,000-plus desktops in the health system, according to Lakeland Health’s submission. Server patching was a priority and patching improved three-fold since the cybersecurity program started. Identity and access management also strengthened the protocol around domain rights and more than 1,100 dormant accounts were deleted.

In the area of improving processes, the project team focused on implementing and auditing policies and procedures as well as conducting risk assessments and evaluating HIPAA (Health Insurance Portability and Accountability Act) compliance. The steering committee would then review a monthly information security executive dashboard. As a result of this work, more than 100 business associate agreements (BAA) were signed with strategic partners and a third-party vendor risk assessment was implemented. Annual HIPAA risk assessment and remediation plans were put in place, with more than 140 out of 164 compliant areas, Sarkar says.

While improving technology and processes are important elements in a cybersecurity program, changing the organizational mindset and culture around security has been critical, Sarkar says. As phishing continues to be a significant cyber threat to organizations, the IT security team developed education and awareness campaigns to increase employee awareness of phishing emails. “We go to different department meetings and engage people and tell them, ‘I’m the information security manager but you are on the information security team, whether you’re in radiology, a nurse, or in the billing department, you’re on the security team. We need your eyes and ears, we need your help.’ We tell them that this is everyone’s initiative, and I think people have really bought into that,” Morin says.

As a result, there has been a significant increase in the suspicious emails forwarded to the security team through an automated ‘phish alert’ button in the email system. “Our employees are now perhaps over-reporting, as anything that looks remotely suspicious they are identifying it and flagging it. I think I’d rather have them be a little overcautious, than to be unaware of what is going on,” Morin says.

The IT security team also runs simulated phishing emails to gauge the success of these internal education efforts. The initial internal phishing campaign generated 18 percent clicks, and subsequent awareness and training improved this metric to 10 percent clicks. “Our team members and employees are the most vulnerable element, but they are also the strongest,” Sarkar says, adding, “By continuous awareness and training, we found that our team wasn’t just the 150 folks we have in IT, but thousands of associates and team members, and they all became part of helping to keep Lakeland safe. The fact that people were on their toes to help keep our patients and providers safe was a strong part of our cultural journey.”

Sarkar continues, “One of our challenges was, how do we get looked at as an enabler and not a barrier? We are still on that journey and we have moved considerably forward on that journey. Clinicians do understand the value that you do need to be safe and secure before you can do work.”

Lakeland Health’s IT leaders note that changing the organizational mindset was a vital step to successfully implement newer data security technologies. For example, implementing multi-factor authentication adds a second layer of security. “When you have busy physicians with large numbers of patients and now they are having to check their phones to get authenticated, that can be an irritant, but we really haven’t gotten any resistance. I would put culture and mindset change and strong leadership support from the CEO as the core enablers that helped us to deploy some of what we deployed,” Sarkar says.

Innovative Approaches and Next Steps

In parallel with focusing on people, process and technology, the IT security team also employed a number of innovative approaches to execute the cybersecurity program. The team focused on leveraging internal talent, rather than bringing in new hires, and this helped to move forward on the IT security team’s second goal, which was “speed to value.” “Given the escalating threat environment, the team decided to accelerate execution – how could implementation time-frames be measured in days rather than months. Given the risk-averse culture in the health system, the team decided to adopt an agile approach and methodology to drive execution,” Sarkar says.

The IT security team also took steps to change the “storyline” around cybersecurity to “capture the hearts and minds of the health system team members in a positive and inspirational way,” Sarkar says. Rather than a horror story of all the bad effects of a cyber-attack, multiple story genres and different interactive approaches were used to show the positive aspects of building a security-conscious health system culture, and to spin the story from negative to positive.

As the health system footprint evolves, the cybersecurity program is working to strengthen new areas—cloud security, vendor identity and access, and medical device security. The health system also is taking a community-based approach to cybersecurity by leveraging its internal security skills to support community clinics who do not have the technical and security skills needed to protect their patient data.

Sarkar says the success of the cybersecurity program, to date, reflects the improvements in organizational performance that are possible with a team-based approach using limited resources and funding. “I think one key to our success was that we treated this not as a technical or an IT initiative, but as an organizational initiative. The steering committee consisted of leaders from across the health system who really owned and who passionately participated in the activity and focused on how we could get better. I think that’s an important step for organizations to succeed, to look at this as an organizational priority and not an IT priority,” he says.



PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency


Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report based on a survey of hackers uncovered some alarming results: about a quarter of hackers surveyed say they can complete a breach of a hospital or healthcare organization under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point, the incidence of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length.



Who Can Healthcare Trust When Ransomware Hits?


WannaCry and Petya caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is the role that information sharing played between private industry and the public sector, specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).



Report: More than 3M Patient Records Breached in Second Quarter of 2018

August 8, 2018
by Heather Landi

More than 3.14 million patient records were breached in 142 disclosed health data breach incidents during a three-month span from April to June 2018, according to new data released in the Protenus Breach Barometer.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the latest data showed that in the second quarter of 2018 the number of affected patient records almost tripled from those reported in the first quarter of this year (1.13 million patient records).

Protenus and compiled the report using health data breaches reported to the U.S. Department of Health and Human Services (HHS) or to the media. The data found that there were several large data breach incidents during the second quarter, including a theft incident in April involving a Sacramento-based office of the Department of Developmental Services, affecting 582,000 patient records, and a hacking incident at a healthcare provider in May that impacted 566,000 patient records.

For incidents disclosed to the HHS or the media, insiders were responsible for 30.9 percent of the total number of breaches in Q2 2018 (44 incidents). Details were disclosed for 27 of those incidents, affecting 421,180 patient records (13.4 percent of total breached patient records).

The report notes an interesting trend with regard to insider breach incidents. In Q2 2018, 29.7 percent of privacy violations were repeat offenders. “This evidence indicates health systems accumulate risk that compounds over time if proper reporting and education do not occur. On average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time,” the report states.

The report authors note, “In other words, even minor privacy violations that are not promptly detected and mitigated, have the potential to compound risk over time.”

The Breach Barometer report data also shows that each hospital investigator is responsible for monitoring the electronic access of an average of 4,000 active EHR users in Q2 2018, underscoring that manual audit processes, like ad-hoc or random audits, are insufficient to monitor such a large population, each of whom accesses multiple medical records per day.

Nine out of 1,000 employees breach patient privacy, and family member snooping is the most common insider-threat violation (71.4 percent of violations), the Protenus data found.

Protenus data estimated that on average, 9.21 healthcare employees breach patient privacy per every 1,000 employees. This increase, from what was reported in Q1 2018, is due to healthcare privacy teams better leveraging advanced analytics, and proactively detecting more incidents, according to the report.

There were 25 publicly disclosed incidents that involved insider-error between April and June 2018. Details were disclosed for 14 of these incidents, affecting 343,036 patient records. In contrast, 18 incidents involved insider-wrongdoing, with data disclosed for 13 of these incidents. There was a substantial increase of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were only 4,597 affected patient records, while in Q2 2018, there were 70,562 affected patient records.

Looking at external threats, hacking continues to threaten healthcare organizations in 2018, with an increase in incidents in the second quarter. Between January and March, there were 30 hacking incidents; however, between April and June 2018 there have been a total of 52 incidents (36.6 percent of all Q2 2018 publicly disclosed incidents). Details were disclosed for 44 of those incidents, which affected 2 million patient records.

Of the 143 disclosed health data breaches that occurred between April and June 2018, 99 of them (76 percent of total incidents) were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.

Even though most healthcare organizations have already switched over to digitized patient records, 23 breach incidents still involved paper records.

The Protenus data also reported that, of the 142 health data breaches for which data was disclosed, it took an average of 204 days from when the breach occurred to when it was discovered. The median discovery time was 18 days. There was a wide variety in the data, with the shortest discovery time of one day and the longest of 1,587 days (4.35 years).

In conclusion, the Protenus report notes that the average cost per breached record has increased 6.4 percent ($408 per record) over last year. “Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report states.

