It was an honor, and very intellectually stimulating, to moderate a panel discussion on Tuesday on data security with two chief information security officers—what’s more, a discussion with two exceptionally thoughtful CISOs who have a broader vision of where IT security fits into U.S. healthcare right now.
Our panel discussion, entitled “Security & Data Protection: Engaging the Enterprise,” was the first panel of the day yesterday, at the Health IT Summit in Denver, sponsored by the Institute for Health Technology Transformation (iHT2, a sister organization under the Vendome Group umbrella), and being held at the Ritz-Carlton Denver. My fellow panelists were Fernando Blanco-Dopazo, vice president and CISO at the Irving, Tex.-based CHRISTUS Health, a 60-hospital, 175-clinic integrated system; and Howard Haile, vice president and CISO at SCL Health, an eight-hospital, 190-clinic integrated health system based in Denver.
To begin, I asked how both CISOs saw the current landscape for healthcare data and IT security. Haile stated that “It’s sort of flipped on us in the last few years. Historically, the main focus had been individuals snooping on patient records that they weren’t supposed to be looking at, or committing fraud on an individual level. But, as verified by a Ponemon Group survey a few weeks ago, the main issue is now primarily external cyber-threats. Another big issue,” he added, “is around medical devices on the network that are now connected. And,” he said, “the last one is the rapid pace of change, per the Affordable Care Act, and cloud computing,” phenomena that are putting more data out into potential exposure. He also agreed with my adding into the mix the acceleration of merger and acquisition activity among hospital-based organizations, with such developments adding to the challenge and complexity of enhancing hospital and health system data security.
What about the fact that the healthcare industry has historically lagged behind numerous other industries, including banking and financial services, manufacturing, transportation, and others, in ramping up data security? Blanco noted that “Healthcare has been behind other industries on cybersecurity, partly because the risks of cyberattacks were seen as lower until recently.” Specifically, he pointed to the February 2015 hack of the information systems of the Indianapolis-based Anthem, one of the country’s largest health insurers, as being a key moment in the history of healthcare cybersecurity. As a result of greater awareness in the past year and a half since that attack, Blanco said, “I see a shift in healthcare hiring professionals from other industries.” What’s more, CISOs, whether recruited from other industries or recruited from within healthcare, he noted, are very quickly being pushed into the limelight, presenting regularly to c-suites and to boards of directors at hospitals and health systems. “I participated in a meeting of Catholic healthcare CISOs last week,” he noted, “and every one of us has been presenting regularly to boards.” That alone is a very telling sign, he noted.
Now, what happens when IT security executives from other industries do come into healthcare? “It’s not a very easy job,” Blanco said, “and it’s often an unpopular one. The perception has historically been that, when asked, ‘Can we do that?’ the answer of CISOs is always ‘No.’ But,” he quickly added, “we’ve got to shift the dialogue so that the answer is, ‘Yes, and here is what we must do to get there.’” There remains a large chasm between larger, better-resourced patient care organizations that have the resources to more often say “yes,” he noted, and those small organizations that find themselves continually stretched to try to accomplish things that must be accomplished. Inevitably, the CISOs of the larger, better-resourced organizations find it easier to obtain the financial and strategic support they need in order to achieve their IT security goals.
Haile noted that one of the goals is that “We want the aspirations of the business to be able to flourish in a secure environment”; and for that to happen, CISOs will need to be able to communicate to senior leaders in their organizations precisely how investment in IT security will help their senior leadership to reach key business objectives in their organizations.
When it comes to security strategies themselves, Blanco noted that, in healthcare, “We as an industry tried to build a ‘security wall’ around patient care organizations, and that didn’t work. The reality,” he said, “is that there will inevitably be hacker attacks that will be successful. Instead of believing that cyberattacks can be entirely prevented, what you have to do is to build a resilient organization,” he emphasized.
What about accessing external resources, including security operations centers, or SOCs? Haile emphasized both the importance of external resources and the limitations of relying on them. “Yes,” he told the audience, “do hire a SOC. But even after you’ve done so, you still have to build a timely response capability” to prepare for any cyberattack that disables an organization’s information systems to any extent. In fact, he said of SCL, “Most of our security is handled in-house.”
Blanco concurred: “We’ve outsourced behavioral monitoring to our SOC,” he said, “but we also recognized that we needed to rethink our incident response preparation. Our incident response process was very IT-focused; now, it’s focused on the business. I formed an incident response group,” he noted, “with representation from human resources, communications, compliance, and legal, among other areas within our organization,” the point being to make certain that his organization would be prepared on a strategic level to meet any such challenges.
Another area that we discussed fairly extensively was the complexity around end-user education and training. As all of us agreed, on the one hand, continuous end-user education and training are absolutely essential, given the unique reality in healthcare that every staff member and clinician in every patient care organization represents a potential point of vulnerability for that organization. Healthcare as an industry really stands out compared to others, we agreed, because of that aspect.
At the same time, Blanco noted, “The challenge around end-user education is, how do we measure its success? If 80 percent of end users watch a training video, does that constitute ‘success’? We created our own phishing e-mails” at CHRISTUS Health, he told the audience. “And we blasted those phishing e-mails to all staff members. Now, most progressive organizations in the defense, financial services, and other industries, see an open rate of around 3 to 5 percent from such phishing tests. Needless to say, our initial results were higher than that! Fortunately, after conducting end-user education, we were able to significantly reduce our open rates.” Part of the complexity in all this, Blanco said, was the need to engage in the sequence of phishing tests in order to document to the organization’s c-suite the need to fund IT security technology and processes.
Meanwhile, Haile said, “One of the challenges around end-user education and training is this: after you do initial training, you initially see improvement in terms of lower open rates; but over time, such rates rise again. So there is a need to engage in regular training and education, in any case.”
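Blanco’s question of how to measure training success and Haile’s observation that open rates creep back up over time both come down to tracking simulated-phishing results from campaign to campaign. The script below is an added illustration, not a tool from CHRISTUS Health or SCL Health: it uses constructed campaign figures, treats the 3 to 5 percent open rate quoted on the panel as the benchmark, and flags when the rate has rebounded from its post-training low.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Benchmark quoted on the panel: mature organizations see roughly 3-5% open rates.
BENCHMARK_HIGH = 0.05


@dataclass
class Campaign:
    """One simulated-phishing send: when it went out, how many got it, how many opened it."""
    sent_on: date
    sent: int
    opened: int

    @property
    def open_rate(self) -> float:
        return self.opened / self.sent if self.sent else 0.0


def assess(campaigns: List[Campaign], rebound_margin: float = 0.02) -> Dict[str, object]:
    """Summarise a series of campaigns in date order.

    Reports the latest open rate, whether it sits within the benchmark, and
    whether it has climbed back up from the best (lowest) rate seen so far,
    which is the decay-after-training effect that calls for retraining.
    """
    runs = sorted(campaigns, key=lambda c: c.sent_on)
    rates = [c.open_rate for c in runs]
    best, latest = min(rates), rates[-1]
    rebound = latest - best >= rebound_margin
    return {
        "latest_rate": latest,
        "within_benchmark": latest <= BENCHMARK_HIGH,
        "rebound": rebound,
        "retrain": latest > BENCHMARK_HIGH or rebound,
    }


# Constructed sample data (hypothetical figures, not results from either health system).
SAMPLE = [
    Campaign(date(2016, 1, 15), 2000, 420),  # baseline before training: 21%
    Campaign(date(2016, 4, 15), 2000, 90),   # shortly after training: 4.5%
    Campaign(date(2016, 9, 15), 2000, 180),  # months later: 9%, rate has rebounded
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```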
The insights and perspectives shared by both of these very thoughtful CISOs underscore how challenging and complex all of this is. As both Howard Haile and Fernando Blanco-Dopazo made clear on Tuesday morning, there is a forest of issues to consider and manage around IT security. It’s also very clear that there is no simple checklist or menu that CISOs or anyone else can follow that will magically “take care of” everything. Instead, at this moment in the evolution of healthcare IT security, there remain massive issues to work through in the next few years, at a time of straitened reimbursement and growing demands for data- and information-sharing, even as the cybersecurity and other data security threats only accelerate.
So it was bracing and refreshing to engage in a robust discussion of the panoply of issues facing IT security leaders right now in U.S. healthcare, and particularly satisfying to discuss that range of issues with Howard Haile and Fernando Blanco-Dopazo, two exceptionally thoughtful and insightful CISOs. As things move forward in the next few years, it will be leaders like these who will help to develop winning strategies in IT security, and who will create strategic and tactical templates that others can follow. Will it be easy? By no means. But Tuesday’s discussion helped to underscore how much thought and effort are being focused on this vital area of healthcare operations, even as so many other areas demand executive-level attention these days.