It was fascinating last week to hear several healthcare IT leaders discuss the topic of developing a culture of cybersecurity, during the Health IT Summit in Denver, sponsored by our publication, Healthcare Informatics. The discussion was wide-ranging and freewheeling, and offered the assembled audience a broad range of informed perspectives. It also reinforced for me how complex and challenging it really is to develop a culture of cybersecurity in any patient care organization.
The panel was moderated by Mitch Parker, executive director, information security and compliance, at Indiana University Health (Indianapolis). Parker was joined by panelists Michael Mercer, chief security officer, Denver Division, at the Federal Bureau of Investigation (FBI); Sheryl Rose, senior vice president and CIO, at the Denver-based Catholic Health Initiatives; Brian Sterud, vice president of information technology and CIO, Faith Regional Health Services (a 131-bed community hospital in Norfolk, Nebraska); and David Finn, a former CIO, and currently the health information technology officer at the Mountain View, California-based Symantec Corporation.
One of the issues that came up in that discussion is how different the organizational landscape is in healthcare from, say, the banking and financial services industry. For example, Finn noted that “The problem with healthcare is that we have a couple of interesting dichotomies; healthcare is an industry where we need to share information, whether it’s a reference lab, a durable medical equipment company, etc. And we haven’t made the shift yet to understanding how we should protect it. And the second shift we haven’t made yet is that we don’t yet understand the (monetary) value of this data. The bad guys are looking at these pieces of data across huge spectrums, and they’re using the data in ways we haven’t thought about. And we need to catch up with this and train people that this is not only important for providing care, but that it has value” to the cybercriminals.
And, referencing the many years she had spent in the financial services industry as an IT executive before coming into healthcare, Catholic Health Initiatives’ Rose said, “In financial services, it seems as though it was a black-and-white thing. We did our training, we told our employees what they needed to know. But it’s different in healthcare. My biggest day-to-day fear is that I’m going to end up being like Charlie Brown’s teacher, saying, ‘Wha wha wha’”—referencing the cartoons in which the children didn’t hear what their elementary school teacher was saying to them. “And with 105 hospitals and thousands of employees, it’s hard to get the message across,” she said. “So I try to find champions—physicians, nurses, everyone” who might be champions for IT security, “because they’re going to listen to those people more than to Sheryl Rose in the corporate office. We need to engage them, because, to your point, David, they’re going to click on that link.”
I think that Finn and Rose really hit the nail on the head here. Healthcare is different from other industries: data-sharing is essential, and is actually becoming more essential, as we move into a new era of accountable care, population health management, and care management. We simply cannot create cybersecurity parameters that impede the flow of data and information as used to manage the care of patients, particularly those with chronic illnesses; so all stakeholders around the table are going to have to figure out how to manage two ostensibly contradictory goals—securing data as much as possible from harm, while expanding its sharing for clinical and analytical purposes.
So one of the challenges facing healthcare IT security leaders as they begin to drill down through the layers of IT security governance is how to determine where to draw firm lines, and where to negotiate with frontline end-users and end-user leaders, most particularly physicians. In that context, Sheryl Rose made the statement that “There are certain things that are non-negotiable. And when it comes to physician practices, if you’re going to connect as a new member of our family, there are certain things you have to do before you can connect. But then, on an ongoing basis, having the boots on the ground is much more important than having the talking heads in the national office. So one of the first things I did in my job” at Catholic Health Initiatives several years ago, Rose noted, “was putting regional security officers in. And what they prioritize their workload to be and how they message to their users, they have to be the bridge to the national security organization, but they’re allowed a lot of flexibility. And how things are done in Kentucky versus Tacoma or Fargo, may be very different; and I’m not going to get into the middle of that.” And Finn noted that he did something analogous as CIO, empowering managers to “implement security within their individual offices.” But he also noted that that kind of manager-level flexibility only works when a rigorous healthcare IT security governance infrastructure is created around it.
Indeed, Rose testified, “I was blessed” that there was a “great appetite” for improving healthcare IT security at CHI when she arrived at her organization several years ago. With that wind at her back, she reported, “we built a great security committee at national; and we had the same thing filtering down from there. And I spent years in financial services working successfully with steering committees. And it depends on the personalities of the people involved,” she noted.
But how might all this work in a smaller organization with fewer resources? Working in a standalone community hospital setting, Faith Regional Health Services’ Sterud reported that “We stood up an IT security committee,” and that “a couple of things we did well—one was the makeup of the group. The other thing was that I made clear that we had a lot of work to get done. So when we started getting going, they all knew that we had a lot to do,” he said. “And we made sure we had HR involved—there are a lot of things with onboarding and terminations.” And a moment later, he added that “You need to celebrate successes, too. So we’ve done a lot of important things over the course of the past five years, and we still have a lot of things to do. But things are moving forward, and it’s kind of self-governing at this point.”
All of these nuances speak to the challenges of translating broad, abstract principles around cybersecurity into actual organizational processes and norms, in actual patient care organizations, with living human beings. It has never been easy, and it will never be easy. And healthcare IT security leaders are working not in a vacuum, but in a swiftly changing operational landscape, one in which the tension between accelerating data-sharing and accelerating data security threats will continue to be prominent, and will almost certainly become even more complex and frustrating.
But this is the operational landscape in which healthcare IT security leaders, especially CISOs and CIOs, will be working going forward. There will be no shortcuts, and there will be plenty of bumps in the road in the near future. The good news, as all the panelists in Denver noted, is that, because of all of the high-profile breaches in the news in the past year-and-a-half, the level of awareness of data security is greater than ever before.
So, soldiering forward, we’ll see how all of this plays out. In the meantime, it is good to hear from healthcare IT security leaders like the panelists at the Denver Health IT Summit, and to know that there are healthcare IT leaders out there who are building cultures of cybersecurity in their organizations, brick by brick, over time.