Kelsey-Seybold Clinic’s Littmann: Cybersecurity Advice for Leaders and Staff

Aug. 31, 2021
Healthcare Innovation spoke with Martin Littmann, senior director, CTO, and CISO for the Houston-based Kelsey-Seybold Clinic, about ransomware and how leaders can educate staff.

As cybersecurity challenges continue to test healthcare organizations, the importance of educating and communicating best practices to leadership and staff is more relevant than ever before. On Aug. 30, Healthcare Innovation interviewed Martin Littmann, senior director, CTO, and CISO for the Houston-based Kelsey-Seybold Clinic.

Can you tell me a little about Kelsey-Seybold Clinic?

Kelsey-Seybold Clinic is a multispecialty clinic, Houston-area focused, so one of the things that makes us unique is we are not a hospital. We do have a health plan; we are a Medicare Advantage Plus organization—we are a 5-Star Medicare Advantage Plus organization. We have held that designation for five years in a row now. We have about 450-500 physicians; we are growing significantly. We have about 23 to 25 locations in the Houston area today. We have two ambulatory surgery centers. We have a major cancer treatment facility and our main campus facility. We have cancer infusion at several locations as well. So, we are primarily a capitated organization in terms of our healthcare. We have a little more than a million patients that we service in Houston today.

What advice do you have for leaders regarding ransomware?

There are a couple of things that come to my mind, and the first thing is to understand that ransomware is itself almost a popularized crime, if you will. And by that, I mean, we have had issues going on within healthcare and organizations that are security related for many, many years.

In the past, before hearing about ransomware, not many people had heard of bitcoin. So, the first ransomware events were when people began to learn about bitcoin, because these organizations wanted untraceable ransoms paid for the data. The attacks have evolved over time to move from just pure “we stole or ransomed your data, we encrypted it in place, and we want you to pay us for it” to “pay this, but now we are going to release it unless you pay some blackmail,” so there were some additions to the crime aspect. So, that is one aspect about “popularity.”

The second dimension is, because people are not aware of it, and not necessarily technically aware of everything involved, they tend to, in some ways, overreact. But there are very basic steps that we can do from an information security perspective to protect ourselves and to reduce the risk of ransomware.

So, a couple of things that come to my mind are protecting our credentials—meaning username and password. We need to ensure that we are not sharing them and using complex passwords. Two-factor authentication should be implemented to ensure that the person who is using the credential actually is secured and understood to be the person who should be using the credential. The two-factor authentication may not be an SMS message but may be an application that does the authentication.

Another piece of awareness is around how ransomware gets into the organization. So, the most common form of compromise comes through email, which means that I have gotten an attachment or link and I click on it. And clicking the link takes me to a compromised website, and so from that compromised website there could be malware that is loaded to my computer, there could be a file that is implanted at that point, and whether or not that occurs is going to be a factor of what kind of endpoint protection is in place in that environment to prevent that infection from occurring.

Do you have any advice on talking to employees about the importance of cybersecurity?

Well, I see it as a multi-pronged approach. You must have executives who are engaged and interested in the education process. An organization that lacks that lacks the ability to move anything else forward. Let’s assume the executives are on board.

The second issue is people’s availability and their time. In a healthcare environment, we are focused on treating the patient and getting them in and out the door in a safe and healthy manner. The educational process will take time away from doing that, so there may be time slices where there are educational opportunities. There may be times where physicians get together for regular meetings, and I ask our executives to give me a few minutes in that meeting just to bring some specs up. I will ask operational directors to give me an opportunity to speak to their groups. I put together a monthly newsletter that I send out to the organization to provide information security tips. Those information security tips are focused on not only the corporate level but aimed at them from a personal level too. Because, really, when you think about our environment today, our personal lives and our corporate lives are intertwined, since we’re all working remotely. So, I try to provide them tips on how to do that. I think there are a number of different companies that sell training modules that are entertaining. There are some companies that have humor-based educational training.

Also, we certainly do phishing testing. We send people a phishing email message, and we try to construct good ones, and then if they fail, they have a brief moment to read education. We “slap their hand” a little bit, we make them change their password if they fail one of the tests. People like to keep their password as long as they can, and if they have to change it, it’s a little bit of a pain to help them remember.

So, the educational piece around what you need to do to protect yourself and the company is the best starting point.

More and more institutions are talking about the importance of cyber insurance; do you have any thoughts on that?

I don’t have a lot of knowledge on the payout of cyber insurance, because the risk may be there, like any other piece of insurance. If you don’t have all of your steps in place that entitle you to get cyber insurance, they aren’t going to sell insurance to someone who doesn’t meet those requirements or steps, because the goal of the insurance industry is to not have to pay out anything.

Take the auto insurance industry as an example: if you are a horrible driver, you have accidents left and right, you have DUIs—you can’t get auto insurance, and the same thing is true about cyber insurance.

The reality is that cyber insurance is often required by companies that we do business with; they say, “Do you have cyber insurance?” And we ask our third parties if they carry cyber insurance. It’s just that we don’t hear a lot of information about cyber insurance payouts.

It is a necessary evil, just like a lot of other insurance. The bigger issue is, I’m not saying it isn’t necessary, but I hope you are doing the steps that you are representing to the cyber insurance company to obtain the insurance.

Do you have any final thoughts for leaders on cybersecurity today?

Don’t open that email! There are two things that I am very passionate about, protecting your credentials and being smart about email. Especially awareness of email protection—that is the number one path into the organization.
