Gabe Stapleton is vice president, security and enterprise technology, and chief information security officer at Strive Health, which provides specialized, technology-enabled care services for patients with chronic kidney disease and end-stage kidney disease. He recently spoke with Healthcare Innovation about best practices in cybersecurity in his fast-growing and geographically disperse company.
Healthcare Innovation: We’ve interviewed Strive Health execs before, so I think I understand the business model, in terms of partnering with providers and payers on value-based care for kidney patients. But from a health data security standpoint, how is it different being in your role there at Strive vs. if you were a hospital or health system chief information security officer? Are there different issues?
Stapleton: Yes, 100 percent. At Strive we are working more with data and less the patient-facing issues that a hospital would have to deal with. We don't have to secure rooms. We don't have to secure infrastructure and all the medical devices in the hospital, or having secured areas and making sure everyone's disposing of their paper properly. There are a lot of niche details that go into working in a large building with lots of people coming in and out all the time.
HCI: Do you have to work through data-sharing agreements with payer or provider partners to make sure everyone's comfortable with the level of security and privacy regarding the data?
Stapleton: Yes, that is a standard part of the day. A lot of the focus is around ensuring that our partners are comfortable with what Strive is doing as a security program, where they're trusting us to take care of their patients’ data, and we need to make sure that we can prove that we can uphold our end of the deal, and do what we need to do to protect that data.
HCI: Strive has been growing pretty rapidly. Does that create challenges about onboarding people and getting those new employees the training that they need?
Stapleton: Since we're a startup, being able to put the right processes in place to make sure that people are trained as part of their onboarding is important. There are definitely some different niche things that come along with hiring 300 people a year. I think we've done a really good job of prioritizing that in the first couple of weeks before we give access to anybody. We have a big emphasis on training and making sure everyone knows their responsibility for what they have access to.
HCI: And are a lot of those people working remotely from home or in outlying areas rather than in your main offices?
Stapleton: Yes. We're a remote-first company. We do have employees who go into offices, but they're almost the exception at this point.
HCI: We recently reported on a survey of 650 healthcare IT security execs, and one of the findings was that although people were still very concerned about ransomware, they were maybe even more concerned about cloud compromise. Does that ring true for you? Is that a concern of yours?
Stapleton: I think everything is concerning when we're dealing with cloud infrastructure and people working remotely. We have to really know what we're doing and know the technology that we're implementing and make sure that it's secured well. We have to apply good monitoring practices. I think ransomware, in the last couple of years, has quieted down. With COVID, and everyone going to work from home, they're not having the central infrastructure that makes it easy for ransomware to propagate. So at Strive it's not been one of my top concerns because we are in such a disperse environment where everyone is working remotely and we don't have a central network that everyone's connecting to like we did in the older days of technology. But with the return-to-work emphasis that's been starting to happen, it seems like it's going to be a bigger emphasis next year. I think that ransomware could see another heyday.
HCI: What are some ways that you stay abreast of latest developments in cybersecurity? Through associations or talking to other CISOs?
Stapleton: I'm a part of a few organizations. ISC2 is a big one. They are a certification company, but they also have a big community and a lot of training that they put out. And H-ISAC [Health Information Sharing and Analysis Center] is another good one. One of the top groups that I follow is Black Hills Information Security. They have a lot of good, cost-effective training and resources that they put out. They put out a lot of tools and they're really there to be a part of the security community and make sure that everyone has the resources they need to do their job well.
HCI: I read that Strive’s Care Multiplier platform has maintained a HITRUST CSF certification. First, could you describe what the Care Multiplier platform is and then what's involved in getting and maintaining a HITRUST certification?
Stapleton: Our Care Multiplier platform is really the nuts and bolts of what we're doing here at Strive in trying to bring in patient data to analyze it and make some predictions and use data science to determine how we can best care for our patients, how their disease will progress over the next couple of years so we can intervene and provide the right care at the right time at the right place. That's our big goal with the data platform. HITRUST certification is what we believe is the best-in-class security framework today for what we're doing. It gives us a good framework to give our partners and our downstream entities, even our patients, a little bit more peace of mind knowing that we have this certification. We've maintained that for three years now.
HCI: Is it challenging to demonstrate to HITRUST that you're meeting its requirements?
Stapleton: I think we spend well over 2,500 hours per year just to maintain that certification, with all the periodic audits and checks that happen throughout the year, as well as just the big bulk of work that goes into doing that semi-annual certification. It's probably three months of my team's time just dedicated to collecting evidence on the infrastructure and making sure that we're in alignment with HITRUST and planning any fixes that may be needed. So that's a big lift, but it's worth it to make sure we are still where we want to be.
HCI: What about organizations like small rural hospitals or physician practices that don't have a lot of resources to hire a CISO or maybe even a CIO, but they might be targets as well. Any recommendations for them?
Stapleton: There are a lot of controls that they have to abide by. I think the hard part is that the majority of time in those small practices, it doesn't happen. So they could be liable for a lot of things that they don't even know about because they don't have the money to hire a dedicated security person. I think there's an opportunity in that space for some type of virtual CISO to come in and give them some framework and to make sure that data is aligned with HIPAA.