At the Health IT Summit in Denver, Parsing the Complexities Around Creating a Cybersecurity Culture
As the leaders of patient care organizations move forward to try to get a handle on the growing wave of cybersecurity threats hitting them daily, one of the overarching challenges they’re facing is how to create a culture of cybersecurity. At the Health IT Summit in Denver, held this week at the Ritz Carlton Denver, a panel of healthcare IT leaders and experts dived into this issue, parsing its nuances and complexities, for an audience of fellow healthcare IT leaders.
The panel was moderated by Mitch Parker, executive director, information security and compliance, at Indiana University Health (Indianapolis). Parker was joined by panelists Michael Mercer, chief security officer, Denver Division, at the Federal Bureau of Investigation (FBI); Sheryl Rose, senior vice president and CIO, at the Denver-based Catholic Health Initiatives; Brian Sterud, vice president of information technology and CIO, Faith Regional Health Services (a 131-bed community hospital in Norfolk, Nebraska); and David Finn, a former CIO, and currently the health information technology officer at the Mountain View, California-based Symantec Corporation.
Early on in the discussion, Parker asked his panelists, “How do you make security meaningful in a clinical setting?” “Data is data,” said the FBI’s Mercer. “It’s all the same. We want to protect information, we don’t want it to get out there, we don’t want adversaries to get access to it; we want to protect it.”
“I agree,” said Finn, “but the problem with healthcare is that we have a couple of interesting dichotomies; healthcare is an industry where we need to share information, whether it’s a reference lab, a durable medical equipment company, etc. And we haven’t made the shift yet to understanding how we should protect it. And the second shift we haven’t yet made yet is that we don’t yet understand the (monetary) value of this data. The bad guys are looking at these pieces of data across huge spectrums, and they’re using the data in ways we haven’t thought about. And we need to catch up with this and train people that this is not only important for providing care, but that it has value” to our adversaries—in other words, to cybercriminals.
Referencing the many years she had spent in the financial services industry as an IT executive before coming into healthcare, Catholic Healthcare Initiatives’ Rose said, “In financial services, it seems as though it was a black-and-white thing. We did our training, we told our employees what they needed to know. But it’s different in healthcare. My biggest day-to-day fear is that I’m going to end up being like Charlie Brown’s teacher, saying, ‘Wha wha wha’”—referencing the cartoons in which the children didn’t hear what their elementary school teacher was saying to them. “And with 105 hospitals and thousands of employees, it’s hard to get the message across,” she said. “So I try to find champions—physicians, nurses, everyone” who might be champions for IT security, “because they’re going to listen to those people more than to Cheryl Rose in the corporate office. We need to engage them, because, to your point, David, they’re going to click on that link.”
“The last year or two has made it so much easier at the executive level, because everybody gets it now,” Sterud said of his community hospital organization. “And our board gets it, and they’re actually asking for (education) now. Awareness right now is amazing.”
“How do you make security part of the underlying process of application development?” Parker asked.
“For me, the devil’s always in the details,” Rose said. “And about four years ago now, we started to do very specific training for specific groups. It’s better if I niche the training and make things more relevant to specific groups of end-users. And that’s a big time-suck. But it requires the day-to-day [work], trying to engage and infuse ourselves into those groups so that they get it, so that when we walk away, they’ll continue forward. It can’t just be a policy or a standard.”
“I became a CIO in 2000 in a turnaround situation,” Finn noted. “And this is pre-privacy and security rule, but we knew it was coming, so we started targeted training around IT around security, and built security into our training. One important thing was addressing the issue of elevated accounts and security levels. You do have to draw a hard line. And I used to tell my IT staff, look, you’re not in technology, you’re in healthcare. We’re in patient care, and we have to protect patients first, and if you have to use a longer password, or change your password, so be it. And the change management element of building that into every process, was a big deal for us in IT.”
“Coming from a smaller health system, how does all this look, Brian?” Parker asked. “Being a smaller organization, we don’t do actual co-development; we do do system configurations,” Sterud replied. “And maybe I’ve been lucky from a staff perspective. Patient care still needs to happen in a way that’s also secure. So sometimes, I have to remind our IT staff that making people take extra steps, is a burden. So I have almost the opposite problem in that regard.
“Mike, what are your thoughts on this?” Parker asked. “I concentrate on the users more than anything else,” Mercer said of his work at the FBI with healthcare organizations. “We’ve always heard that old adage that users are the weakest link; I turn that around and tell our users, you’re our last defense. And when you click on an email or go to a link, that’s when something bad is going to happen. And if you lose a mobile device, it’s going to be on you. So making the users part of the solution rather than part of the problem, has worked really well. People are actually afraid to click. We do have a lot of good defenses in our network; and our employees know, even if you did click on something, tell us.”
“One of the things we did last year was to tell our people, if you see something, you’re required to say something,” Parker reported. And you can achieve greater organizational coordination. So, next question, how do you bring cybersecurity into the culture of your organization. And what incentives can you bring into this?”
“There are certain things that are non-negotiable,” Rose said firmly. “And when it comes to physician practices, if you’re going to connect as a new member of our family, there are certain things you have to do before you can connect. But then, on an ongoing basis, having the boots on the ground is much more important than having the talking heads in the national office. So one of the first things I did in my job was putting in regional security officers in. And what they prioritize their workload to be and how they message to their users, they have to be the bridge to the national security organization, but they’re allowed a lot of flexibility. And how things are done in Kentucky versus Tacoma or Fargo, may be very different; and I’m not going to get into the middle of that.”
Finn said, “To Cheryl’s point, one of the things I did—we had MSOs [management service organizations] and a health plan, and I was the CIO over them, but they operated independently. So I went to our HR VP, and for everyone who supervised people, we built privacy and security into their jobs. That was a massive effort.” What’s more, he added, “the health plan was working on building it into every 12,000-person job in the plan. I left before that process had been completed. But we developed specific security criteria, we did desk checks; and we empowered them to implement security within their individual offices—the managers. They’re not only your last line of defense, but also your first line of defense. And if they’re not engaged, you’re not going to get anywhere.”
“We have a few affiliated hospitals,” Sterud said, “where there’s not that formal authority. But the other thing we lose sight of sometimes in healthcare, is that we’re all connected. Even the smallest hospital we have—with a daily census averaging less than 1—well, if they’re breached, we’re all affected. So it’s important to make sure that everyone is moving forward together. The tough part is reaching out to smaller facilities with very little or no staff, and oftentimes, we’re doing things to help them out. But in the end, it works.”
“And I’ve worked with critical access hospitals, and there’s a huge difference between working with a critical-access hospital and a major academic medical center,” Parker noted.
“I’ve found that communication goes a long way,” Mercer said. “I can’t get too technical with my folks, because they can’t get technical. Just let them know that if they do something, this is how it will affect them. I’m always trying to turn people from a ‘department of no’ to a ‘department of yes.’ And can we work something out here, for this particular situation? Just know that there may be an adversary out there trying to get information out of us.”
Education, Training, Awareness
“We’ve talked about education, training, and awareness,” Finn said. “Those are actually three separate things, all of which have to happen. Awareness is an every-moment-of-every-day situation. We had a weird situation where the yard service ended up picking up some face sheets, and using them as mulch! And this has to be a living, breathing thing, and when Petya comes out or WannaCry comes out, if you’re not using that kind of occasion to explain things to people, you’re losing an opportunity.”
“I’ve found that to be very true,” Parker said. “Let’s put it this way: Target got compromised because of an HVAC vendor. Meanwhile, what are some tips and tricks around creating security steering committees?”
“As I said, I started as a privacy and security officer, and then was made a CIO,” Finn said. “But when I moved to that organization, it was 2000, and they had actually put together a pretty good steering committee, with the CFO, COO, and chief marketing officer, but hadn’t met in months. And I went to each one of the executives, and said, here’s the deal: we have to do HIPAA, and you don’t want to do it. But we have to. So we’ll have meetings every month, and I’ll tell you what you need to do. But when I call you in the middle of the month and we have an issue, you can’t ignore me, you’ll have to help me. They all agreed to that; they came to the monthly meetings, and they complied and helped when needed. So it’s giving that right mix; you have to understand who needs to be on that steering committee; it all starts with governance. And our chief nursing officer hated to talk about security, but she worked with us. Her sole request was, ‘Don’t call the computers on wheels, COWs; we’ve renamed them to WOWs!’ So it’s all about figuring out how to get done what needs to be done.”
“We stood up an IT security committee,” Sterud said. “couple of things we did well—one was the makeup of the group. The other thing was that I made clear that we had a lot of work to get done. So when we started getting going, they all knew that we had a lot to do. And we made sure we had HR involved—there are a lot of things with onboarding and terminations. And we got facilities on board. And at that time, biomed was not reporting to us; it is now. But we got them on board. And by the way, biomed really needs to report to IT now. And we got compliance on board, too. And you need to celebrate successes, too. So we’ve done a lot of important things over the course of the past five years, and we still have a lot of things to do. But things are moving forward, and it’s kind of self-governing at this point.”
“When I came seven years ago, there was an appetite for security,” Rose said. “I was blessed; we built a great security committee at national; and we had the same thing filtering down from there. And I spent years in financial services working successfully with steering committees. And it depends on the personalities of the people involved. But one thing that happened a few years back that was fantastic, was that a CMO had moved to a different market. And out of the blue, he called me and said, ‘Hey, I’m getting settled, and what should I know?’ And how great is that? When they’re engaged, it’s great, because I’m not just throwing scare tactics and metrics out there all day long.”
“We’ve all got Facebook accounts, and Twitter accounts, and LinkedIn accounts,” Finn noted. “And we might think that our Gmail accounts have nothing to do with our work; but the bad guys are already connecting our information. So we’ve got to get people to rethink. And to your point, Cheryl, yes, it’s engaging people, and sharing things with them that resonate with them.”
“And it’s important to keep in mind,” Parker added, “that your average home now contains more computers and devices than your average medical office did ten years ago.”