It was an honor, and very intellectually stimulating, to moderate a panel discussion on Tuesday on data security with two chief information security officers—what’s more, a discussion with two exceptionally thoughtful CISOs who have a broader vision of where IT security fits into U.S. healthcare right now.
Our panel discussion, entitled “Security & Data Protection: Engaging the Enterprise,” was the first panel of the day yesterday at the Health IT Summit in Denver, sponsored by the Institute for Health Technology Transformation (iHT2, a sister organization under the Vendome Group umbrella) and held at the Ritz-Carlton Denver. My fellow panelists were Fernando Blanco-Dopazo, vice president and CISO at the Irving, Tex.-based CHRISTUS Health, a 60-hospital, 175-clinic integrated system, and Howard Haile, vice president and CISO at SCL Health, an eight-hospital, 190-clinic integrated health system based in Denver.
To begin, I asked how both CISOs saw the current landscape for healthcare data and IT security. Haile stated that “It’s sort of flipped on us in the last few years. Historically, the main focus had been individuals snooping on patient records that they weren’t supposed to be looking at, or committing fraud on an individual level. But, as verified by a Ponemon Group survey a few weeks ago, the main issue is now primarily external cyber-threats. Another big issue,” he added, “is around medical devices on the network that are now connected. And,” he said, “the last one is the rapid pace of change, per the Affordable Care Act, and cloud computing,” phenomena that are putting more data into potential exposure. He also agreed when I added to the mix the acceleration of merger and acquisition activity among hospital-based organizations, a development that adds to the challenge and complexity of strengthening hospital and health system data security.
What about the fact that the healthcare industry has historically lagged behind numerous other industries, including banking and financial services, manufacturing, transportation, and others, in ramping up data security? Blanco noted that “Healthcare has been behind other industries on cybersecurity, partly because the risks of cyberattacks were seen as lower until recently.” Specifically, he pointed to the February 2015 hack of the information systems of the Indianapolis-based Anthem, one of the country’s largest health insurers, as being a key moment in the history of healthcare cybersecurity. As a result of greater awareness in the past year and a half since that attack, Blanco said, “I see a shift in healthcare hiring professionals from other industries.” What’s more, CISOs, whether recruited from other industries or recruited from within healthcare, he noted, are very quickly being pushed into the limelight, presenting regularly to c-suites and to boards of directors at hospitals and health systems. “I participated in a meeting of Catholic healthcare CISOs last week,” he noted, “and every one of us has been presenting regularly to boards.” That alone is a very telling sign, he noted.
Now, what happens when IT security executives from other industries do come into healthcare? “It’s not a very easy job,” Blanco said, “and it’s often an unpopular one. The perception has historically been that, when asked, ‘Can we do that?’ the answer of CISOs is always ‘No.’ But,” he quickly added, “we’ve got to shift the dialogue so that the answer is, ‘Yes, and here is what we must do to get there.’” There remains a large chasm, he noted, between larger, better-resourced patient care organizations, which can more often say “yes,” and small organizations that find themselves continually stretched to accomplish what must be accomplished. Inevitably, the CISOs of the larger, better-resourced organizations find it easier to obtain the financial and strategic support they need to achieve their IT security goals.
Haile noted that one of the goals is that “We want the aspirations of the business to be able to flourish in a secure environment.” For that to happen, CISOs will need to communicate to senior leaders precisely how investment in IT security will help them reach the organization’s key business objectives.
When it comes to security strategies themselves, Blanco noted that, in healthcare, “We as an industry tried to build a ‘security wall’ around patient care organizations, and that didn’t work. The reality,” he said, “is that there will inevitably be hacker attacks that will be successful. Instead of believing that cyberattacks can be entirely prevented, what you have to do is to build a resilient organization,” he emphasized.
What about accessing external resources, including security operations centers, or SOCs? Haile emphasized both the importance of external resources and the limitations of relying on them. “Yes,” he told the audience, “do hire a SOC. But even after you’ve done so, you still have to build a timely response capability” to prepare for any cyberattack that disables an organization’s information systems to any extent. In fact, he said of SCL, “Most of our security is handled in-house.”