Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations, whether small community hospitals or large integrated health systems, all face the same daunting challenge of protecting information systems and patient data.
There continue to be reports of ransomware attacks and data breaches at healthcare organizations, and a recent Nuix report, based on a survey of hackers, found that nearly a quarter of respondents (23 percent) said they could complete an entire breach of a hospital or healthcare organization in under five hours. The majority (61 percent) said it could be accomplished in under 15 hours.
At Lakeland Health, a three-hospital health system based in St. Joseph, Michigan and serving southwest Michigan, senior executive leaders recognized that work needed to be done to strengthen the organization’s cybersecurity posture, both from a technical and a cultural perspective. According to Lakeland Health CIO Robin Sarkar, Ph.D., security was looked at as an IT issue, not an organizational issue, there was an absence of visibility into cyber risk, and there was a false sense of security. “There was a sense of ‘it can’t happen here’,” he says.
In Lakeland Health’s submission for the 2018 Healthcare Informatics Innovator Awards Program, IT leaders outlined the key details behind the health system’s strategic initiative to implement a more robust cybersecurity program and also shared the results, to date, of this initiative. The submission, titled “Something Wicked This Way Comes,” ended up receiving semifinalist status in this year’s program.
Lakeland Health senior executive leaders set three goals for executing a new cybersecurity program, according to Sarkar, who led the initiative. “Number one, we wanted to put risk management and cybersecurity at the top of the health system leadership agenda. We wanted to be proactive. Second, there is a negative connotation to cybersecurity, mostly fear and negativity, so we wanted to change our storyline and move from fear and negativity to focusing on clinical integrity and business integrity,” he says. “Thirdly, we wanted to use innovative strategies and tools and more agile methodologies to make rapid progress, using our distributed, cross-functional teams to make improvements.”
The history of Lakeland Health dates back to the 1800s and the health system has grown to include three hospitals, an outpatient surgery center, a regional cancer center, rehabilitation centers, two long-term care residences, home care and hospice services and 34 affiliate physician practice locations. Senior executive leaders had their sights set on implementing a cybersecurity program that covers the hospitals, clinics, home care, hospice and all the different legal entities which comprised the health system.
In order to ensure strategic direction and alignment, senior executive leaders set up a steering committee that met every two weeks. Along with the CIO, members of the committee include the vice presidents of finance, legal and human resources as well as the chief medical officer, chief privacy officer and chief compliance officer. The steering committee has helped to foster honest and transparent dialog regarding the risk profile and risk tolerance of the health system, Sarkar says. IT leaders also have developed a formal information security team.
David Morin, manager of information security at Lakeland Health, says the IT security team also collaborated with other health systems with more advanced cybersecurity strategies in place to help prioritize the team’s work. “There are other health systems that have traveled this road before and are further ahead of us, so we had a lot of conversations with our colleagues in the industry. We partnered with a lot of agencies on information sharing and to get a grasp on the most urgent and emerging threats,” he says.
A Focus on People, Processes and Technology
Beginning in July 2016, Sarkar and the IT security team began executing the cybersecurity program using a three-pronged approach—people, process and technology. In the area of technology, IT teams focused on implementing an IT risk registry as well as laptop encryption, mobile device management, server patching, multi-factor authentication and improved threat filtering. The IT risk registry entailed documenting known risks and ranking them by impact and likelihood, Morin says. “We used that to really prioritize and drive our work, and to get a good view of what our environment looks like. Rome is not built in a day, but you can identify the priorities,” he says.
As a result of this work, more than 1,000 laptops were encrypted and efforts are underway to encrypt the 4,000-plus desktops in the health system, according to Lakeland Health’s submission. Server patching was a priority, and the rate of patching has improved three-fold since the cybersecurity program started. Identity and access management work also tightened the controls around domain rights, and more than 1,100 dormant accounts were deleted.
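Dormant-account cleanup of the kind described above is an identity hygiene step that is worth repeating on a schedule rather than doing once. The PowerShell script below is an added example, not Lakeland Health’s own tooling, and it makes several assumptions that are not in the article: a 90-day inactivity threshold, a hypothetical search OU and exempt group names, and a disable-and-annotate step before any deletion (the article says the accounts were deleted). It requires the ActiveDirectory RSAT module and a domain-joined session; run it with -WhatIf first to get the report without changing anything.

```powershell
# Added example (not from the article): find enabled, dormant AD user accounts,
# write them to a CSV for review, and disable them as a reversible first step.
# Assumptions: 90-day threshold, OU path, and exempt group names are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,                                       # assumed threshold
    [string]$SearchBase = 'OU=Users,DC=example,DC=org',            # hypothetical OU
    [string[]]$ExemptGroups = @('ServiceAccounts', 'BreakGlass'),  # hypothetical groups
    [string]$ReportPath = '.\dormant-accounts.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Members of exempt groups (service and break-glass accounts) are never touched.
$exempt = @{}
foreach ($g in $ExemptGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $exempt[$_.SamAccountName] = $true }
}

# Search-ADAccount -AccountInactive uses LastLogonDate, which is derived from
# lastLogonTimestamp. That attribute replicates lazily (by default only when it is
# more than about 14 days stale), so read the result as "inactive for at least
# N days", never as an exact last-logon time. Accounts with no logon on record
# are included, which is why new accounts are filtered out below.
$candidates = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, PasswordLastSet
    }

$dormant = foreach ($u in $candidates) {
    if ($exempt.ContainsKey($u.SamAccountName)) { continue }
    # Never logged on but created inside the window: a new account, not a dormant one.
    if (-not $u.LastLogonDate -and $u.whenCreated -gt $cutoff) { continue }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        LastLogonDate     = $u.LastLogonDate
        WhenCreated       = $u.whenCreated
        PasswordLastSet   = $u.PasswordLastSet
        DistinguishedName = $u.DistinguishedName
    }
}

# The CSV is the review artifact for the steering committee or account owners.
$dormant | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation

# Disable (reversible) and annotate; deletion is a later, separate decision.
foreach ($d in $dormant) {
    $reason = "dormant > $InactiveDays days (last logon: $($d.LastLogonDate))"
    if ($PSCmdlet.ShouldProcess($d.SamAccountName, "Disable account, $reason")) {
        Disable-ADAccount -Identity $d.DistinguishedName
        Set-ADUser -Identity $d.DistinguishedName -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $reason"
    }
}

Write-Host "$(@($dormant).Count) dormant account(s) written to $ReportPath"
```

Disabling before deleting keeps the account’s SID, group memberships and mailbox links recoverable if someone on extended leave turns out to be a false positive; a deletion pass over accounts that have been disabled for a further period can follow as a separate scheduled job.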
In the area of improving processes, the project team focused on implementing and auditing policies and procedures as well as conducting risk assessments and evaluating HIPAA (Health Insurance Portability and Accountability Act) compliance. The steering committee reviews a monthly information security executive dashboard. As a result of this work, more than 100 business associate agreements (BAAs) were signed with strategic partners and a third-party vendor risk assessment process was implemented. An annual HIPAA risk assessment and remediation plan was put in place, with more than 140 of the 164 assessed areas found to be compliant, Sarkar says.
While improving technology and processes are important elements in a cybersecurity program, changing the organizational mindset and culture around security has been critical, Sarkar says. As phishing continues to be a significant cyber threat to organizations, the IT security team developed education and awareness campaigns to increase employee awareness of phishing emails. “We go to different department meetings and engage people and tell them, ‘I’m the information security manager but you are on the information security team, whether you’re in radiology, a nurse, or in the billing department, you’re on the security team. We need your eyes and ears, we need your help.’ We tell them that this is everyone’s initiative, and I think people have really bought into that,” Morin says.
As a result, there has been a significant increase in the number of suspicious emails forwarded to the security team through a ‘phish alert’ button built into the email client. “Our employees are now perhaps over-reporting, as they are identifying and flagging anything that looks remotely suspicious. I think I’d rather have them be a little overcautious than be unaware of what is going on,” Morin says.
The IT security team also runs simulated phishing campaigns to gauge the success of these internal education efforts. The initial internal phishing campaign produced an 18 percent click rate, and subsequent awareness and training brought that down to 10 percent. “Our team members and employees are the most vulnerable element, but they are also the strongest,” Sarkar says, adding, “By continuous awareness and training, we found that our team wasn’t just the 150 folks we have in IT, but thousands of associates and team members, and they all became part of helping to keep Lakeland safe. The fact that people were on their toes to help keep our patients and providers safe was a strong part of our cultural journey.”
Sarkar continues, “One of our challenges was, how do we get looked at as an enabler and not a barrier? We are still on that journey and we have moved considerably forward on that journey. Clinicians do understand the value that you do need to be safe and secure before you can do work.”
Lakeland Health’s IT leaders note that changing the organizational mindset was a vital step to successfully implement newer data security technologies. For example, implementing multi-factor authentication adds a second layer of security. “When you have busy physicians with large numbers of patients and now they are having to check their phones to get authenticated, that can be an irritant, but we really haven’t gotten any resistance. I would put culture and mindset change and strong leadership support from the CEO as the core enablers that helped us to deploy some of what we deployed,” Sarkar says.
Innovative Approaches and Next Steps
In parallel with focusing on people, process and technology, the IT security team also employed a number of innovative approaches to execute the cybersecurity program. The team focused on leveraging internal talent rather than bringing in new hires, which helped advance the program’s goal of rapid progress, framed by the team as “speed to value.” “Given the escalating threat environment, the team decided to accelerate execution: how could implementation time-frames be measured in days rather than months? Given the risk-averse culture in the health system, the team decided to adopt an agile approach and methodology to drive execution,” Sarkar says.
The IT security team also took steps to change the “storyline” around cybersecurity to “capture the hearts and minds of the health system team members in a positive and inspirational way,” Sarkar says. Rather than a horror story of all the bad effects of a cyber-attack, multiple story genres and different interactive approaches were used to show the positive aspects of building a security-conscious health system culture, and to spin the story from negative to positive.
As the health system footprint evolves, the cybersecurity program is working to strengthen new areas—cloud security, vendor identity and access, and medical device security. The health system also is taking a community-based approach to cybersecurity by leveraging its internal security skills to support community clinics that do not have the technical and security skills needed to protect their patient data.
Sarkar says the success of the cybersecurity program, to date, reflects the improvements in organizational performance that are possible with a team-based approach using limited resources and funding. “I think one key to our success was that we treated this not as a technical or an IT initiative, but as an organizational initiative. The steering committee consisted of leaders from across the health system who really owned and who passionately participated in the activity and focused on how we could get better. I think that’s an important step for organizations to succeed, to look at this as an organizational priority and not an IT priority,” he says.