Marin General’s Jason Johnson: Culture is Key to Hospital Information Security
Health system information security today requires much more teamwork with clinicians and other staff members. Jason Johnson, CISSP, PMP, CAHIMS, manager of information security and customer experience at Marin General Hospital in Greenbrae, Calif., is working to develop a strong focus on culture and learning rather than just technology solutions.
Johnson recently spoke with Healthcare Informatics about his approach to security in a community hospital.
First, I asked Johnson about the “customer experience” part of his title, which refers to internal customers, not patients.
“I came up through the ranks of IT starting at the help desk level. Customer service has always been a really important thing to me, and I view security as being at this pivotal point right now, where we are just starting to impact our customers — our clinicians and our users,” he said. “A lot of security up to this point has been technical and at the back end — firewalls and things like that. Now users are seeing phishing e-mails daily. We are starting to implement two-factor authentication and increase password complexity requirements.” He sees healthcare at a pivotal point. “We can have everyone on our side if we do it correctly, or we could just blast in and impact user work flows without a lot of consideration, and we would immediately fall out of the good graces of the staff.”
At Marin General, Johnson has started using “gamification” to make detecting cyber threats a challenge for staff. Working with marketing, he created ads for a “security sleuth” program with rewards for catching phishing emails. “It was much more successful than I had hoped because it really brought everyone to the table for security,” he said. “It shows that only a small portion of our controls can be technical. It not only stressed how important this is, but it also made it a little more fun.”
Next I asked Johnson whether Marin faces different security challenges as a community hospital than larger academic medical centers.
“We have fewer resources,” he said, “but everyone is strained for resources now, so I wouldn’t say that makes us unique either.” Academic medical centers have much larger challenges with larger populations, including residents who come and go quickly; community hospitals have the problem of community physicians who aren’t employees. “I can’t really mandate that they do a lot, so we are struggling with that. An advantage of being a community hospital is that we are big enough to have the resources to get the job done, but we are small enough that we can make moves quickly. I can get something done much faster in an organization our size that doesn’t have to go through corporate IT and 13 hospitals and have to scale it up.”
Has the attitude toward working with cloud providers evolved? “It has been changing,” he responded. “Eighteen months ago if you had said I have this thing I want to implement and it is on Amazon Web Services (AWS), my entire organization would have run away from it, but I think now the cloud providers are really starting to understand security and what it means to operate in healthcare and its unique challenges, so the industry is becoming much less risk-averse,” he said. “We are doing some things on AWS now that we certainly wouldn’t have been doing a few years ago.”
What challenges does Johnson face in explaining risk management to the hospital board? “The biggest struggle we are having now is showing them that cybersecurity is not just an IT problem, not just a problem that can be solved with technology; it is a business continuity issue. If something big happened, it is going to be a problem for the business, not just for IT. It could impact patient care.”
Are healthcare IT security officials doing a better job of banding together to share information and best practices? “I think that could definitely could be improved, ”Johnson said. “The new breed of security professionals is more willing to share information and best practices. We partner with the federal government’s Northern California Regional Intelligence Center, and a lot of healthcare organizations in the area do.”
One of the topics Johnson is going to be addressing at the Health IT Summit in San Diego, and also in San Francisco in April, is strengthening security of legacy systems. “The biggest thing we are looking at is medical devices,” he said. “One of our big initiatives for 2018 is to do a holistic assessment of how our medical devices are configured and procured, and not just looking at the technical aspects, but policy, procedures and process. For instance, lab devices are running Windows XP embedded, so how do you deal with that? It couldn’t even be patched against WannaCry. So it gets down to network segmentation issues.”