It wasn’t too long ago that the most pressing matter for CIOs was Meaningful Use. Across the country, the discussion was, ‘how are we going to do this?’ Fortunately, most organizations have put implementations in their rear view mirror. But now, there’s another gargantuan task on the horizon: protecting data.
It’s arguably the top priority for healthcare CIOs, and for good reason. According to the Healthcare Industry Cybersecurity Task Force — a group of leaders tasked with assessing the state of security and identifying recommendations — cybersecurity is in “critical condition.”
The good news? Some of the brightest minds and most influential leaders in the industry are focused on solving the problem. A few weeks ago, a group of leaders from CHIME and AEHIS gathered in Washington D.C. to call on policymakers to aid the industry in improving the current state of cybersecurity. Among the speakers was Cletis Earle, CIO at Kaleida Health and member of CHIME’s Board of Trustees. Recently, Earle spoke with healthsystemCIO.com about the enormous challenge CIOs and other leaders face in keeping data secure, how health IT leaders are working with federal agencies to increase transparency, why it’s critical to exercise caution with cloud computing, and the opportunity the industry has to push the cybersecurity conversation forward.
Gamble: Hi Cletis, thanks so much for taking the time to speak with healthsystemCIO.com. I’d like to talk about the briefing held a few weeks ago in which leaders from CHIME and AEHIS spoke with Congress about the findings from the Cybersecurity Task Force report. In your opinion, what were some of the biggest takeaways?
Earle: To give a little background, earlier this year, the Health Care Industry Cybersecurity Task Force released a report to Congress identifying the key challenges in protecting data and what they believe needs to happen going forward. Theresa Meadows (CHIME Board Member and SVP/CIO at Cook Children’s Health Care System) is one of the co-chairs, and she’s been working hard with other leaders to come up with some collaboration opportunities to improve cybersecurity. This team has spent long hours coming up with standards and methodologies when it comes to recommendations. CHIME supports their findings, and we believe it’s imperative that the federal government takes cybersecurity seriously.
We need to all get together and decide on a framework and how it will apply and impact the healthcare vertical, and how we can collaborate with the federal government to come to some remediation strategies around security. We understand that much of the work has been done, and we don’t want to let it fall by the wayside because of all of the other priorities in Washington, D.C. and around the country. We want to continue to keep that at the forefront, because there’s so much good discussion and dialogue that has come out of it. We don’t want to lose momentum.
Gamble: One thing that was emphasized in the report is the need for action on the part of software developers and manufacturers. From the CIO’s perspective, is that a tricky line to walk as far as talking to developers about the security measures they have in place?
Earle: We’ve been, let’s just say, circling the wagon around medical device manufacturers, the FDA, and HHS. Many of our healthcare organizations are at a point where we’re challenged on how we’re taking care of our legacy devices. Some organizations have close to 300,000 medical devices within their purview — how do you support that if you’re not getting true support from the actual device manufacturer?
These are the types of things where we’re asking HHS to help us out, via the FDA, to help mandate some criteria from these manufacturers to ensure that these solutions aren’t putting us at risk. We need to build transparency around these devices. We need a better focus on, this is what’s happening — how do we get the FDA and HHS to help the HDOs have better plans in place in the event of a cataclysmic attack? WannaCry and NotPetya, of course, are examples of that. We know that if these tools are used against us, it’s going to be very difficult to try to remediate that. Because, as I mentioned, there are thousands and thousands of devices we would have to support in order to make that happen, and at the end of the day, it would impact patient care. So we’re screaming at the top of our voices to say, ‘we need help, and we need some greater transparency efforts from the federal government.’
Gamble: And it seems there are always more challenges to deal with. A few weeks ago, Secretary Price stepped down, which throws another wrench into things.
Earle: Right. When you think about it, what we’re dealing with is the coordination of regulatory frameworks around medical device cybersecurity. You have multiple agencies — the FDA, OCR, ONC, and FTC — looking to secure these devices. We’re all trying to figure out how we can collaborate with each one of these gargantuan agencies to come up with a collective strategy.
With the departure of our HHS secretary, it creates more challenges because it’s not clear who is setting the direction. When a major branch of the government doesn’t have leadership in place, it doesn’t make it easy when you try and navigate the coordination among all of the regulatory bodies I talked about. In essence, you won’t have a regulatory framework you can tap into to circle around the healthcare cybersecurity world.
Gamble: I’m sure you’re all keeping an eye on what happens there, but I guess in the meantime, you just have to keep plugging away.
Earle: Exactly. We want to make sure at the end of the day, we’re aligning our privacy and security policies. With all the complexities around privacy, we want OCR to help relieve some of the punitive actions associated with it, because in order to be successful, it’s clear that we need to establish collaborative measures in sharing information. Oftentimes when you try to collaborate, you have to worry about punitive action, and it becomes problematic. In essence, it turns into a scenario where you have to look at safe harbors or other types of tort reform in the event something happens. How do we, as providers, protect ourselves when it comes to security? How do we share information without fear of reprisal? These are the things we’re working on; and we understand that we can’t go in this alone. And when we do work with other organizations, we should not be penalized. That’s another thing that some of these agencies are going to have to help us with.
Because at the end of the day, all of us want to improve our cybersecurity hygiene. If we’re going to do that and be successful at it, we need to be able to tie in all of those agencies, as well as the processes that healthcare organizations are using, and come up with a collective approach.
Gamble: What are some of the steps CIOs and other leaders can take to improve cybersecurity in their organizations? Education seems to come up a lot, and actually, in a piece recently published by CHIME, Theresa Meadows talked about using physician champions to help educate others on the importance of cybersecurity. What are your thoughts on identifying “champions” with a passion in this area to help build awareness?
Earle: It’s a great idea — Theresa hit the nail on the head. It’s very similar to the approach we took years ago with implementing EMRs in finding the right champion; finding the right balance between how you continue to help protect your organization, and sharing the vision of what’s happening so that there’s an increased level of awareness throughout the organization and the community. Because as you can imagine, as we continue to share data with other care providers, the digital footprint becomes problematic. The fact is, you’re only as strong as your weakest link. Some of the organizations you might be collaborating with just for the general practice of clinical operations and delivery may end up putting us in jeopardy, and so it’s important to get the message to the right people and the right stakeholders.
Gamble: As we see more movement to the cloud, that seems to add another layer of complexity to what’s already a thorny issue.
Earle: It does. Many organizations are moving toward that by hook or crook; some vendors are forcing us to go to the cloud, whether it’s email, Office Suites, or what have you. But we’re still cautious, because there have to be clear guidelines on why and how data is shared to the cloud. We’re taking our time, because if we’re just talking about general data being pushed up to the cloud, we have to ensure that PHI doesn’t go to certain countries, and that gets into the dynamics associated with how those cloud-based strategies are housing that data. It’s not necessarily moving to data centers or servers that may not respect intellectual property or protected health information laws. These are some of the reasons why we’re cautious when it comes to the cloud. You have to actually dip your toe into it to see if there are very strong security controls when it comes to that data.
Gamble: With the CHIME Fall Forum just a few weeks away, are you hoping there will be a lot of discussion around cybersecurity among attendees?
Earle: I do, and I think there will be. I keep bringing back the EMR, but I remember right before Meaningful Use became a thing, that was the only thing we talked about as CIOs. We were terrified. But we talked a lot about whether we could do it. I was always optimistic that we could accomplish it, and the proof is in the pudding. We have, to some extent, implemented EMRs and created an electronic footprint among the clinical institutions.
Now, any time you talk to a CIO, one of the biggest things they’re concerned about is security. It’s way up there on the list, and I’m sure we’re going to have some very exciting dialogue regarding security. We have quite a few speakers who are going to talk about the challenges we’re all experiencing and share some best practices, including some CISOs. One of them is Karl West from Intermountain Healthcare, who has been a key part of the dialogue in Washington DC when it comes to security reporting. We’re very excited to have these experts help share their vision, foresight, and processes to allow us all to learn from each other.
Gamble: And as far as the casual conversations among colleagues, I imagine cybersecurity will come up quite a bit.
Earle: That’s what we’re hoping for. The interesting thing, though, is when you go to events like CHIME, you feel like Debbie Downer when you bring up cybersecurity. You hear all these incidents and you start to think, ‘what can we possibly do to protect ourselves?’ And you realize that no matter what controls you put in place, bad actors are going to be out there, and sometimes they’re going to be one or two steps ahead of you. It becomes depressing, but we know that the great security engineers we have in place are helping to protect the house. And we’re very optimistic that our teams will help protect us.
I know my team is helping as we speak. Kevin Gilbert is our CISO at Kaleida Health. He comes from a different vertical, and brings a ton of value. I think if organizations haven’t invested in a chief information security officer, hearing from people like Kevin and Karl will convince them they need to hire one, or at least leverage other professionals to be able to tap some of that knowledge.
Gamble: I’m sure. It sounds like it’s going to be a great platform for discussions on cybersecurity and other key issues. Thanks so much for your time, and your perspectives on such an important topic. I hope to speak with you again soon.
Earle: Absolutely. Thank you.