For the past few years, the leadership team at Westchester Medical Center has worked to create a culture in which “everyone is engaged and aware of the security parameters,” and “everyone thinks of security first.” And it seemed the efforts were paying off for the 10-hospital system — until March. When Covid-19 hit, priorities changed for the New York-based system.
“We had to focus on doing whatever it took to make sure providers could deliver care,” said CIO and CISO Steven Goriah, during a recent webinar.
It was the same story across the country, as leaders strove to keep a close eye on security risks without compromising care continuity. Not an easy balance — particularly when care delivery changes dramatically, and all of a sudden, CISOs must go against every instinct and green-light concepts like self-service password reset services.
However, as the old saying goes, drastic times call for drastic measures. In the webinar, Goriah and co-panelists Phil Curran (CISO and CPO, Cooper University Health Care) and Wes Wright (CTO, Imprivata) discussed the extraordinary efforts put forth by healthcare organizations to ensure patients could receive care during the pandemic; the implications of these initiatives, particularly from a security standpoint; and what needs to happen going forward.
IT’s “amazing” push
According to Goriah, the IT team at WMC went above and beyond, working to create 70 percent more beds and deploying $3 million worth of new technology monitors, while also getting 7,000 remote users up and running. “Everything was an urgent need, and my team came through with flying colors,” he said. “We were the glue that held it all together.”
At Cooper University Health Care, located in Camden, N.J., a key objective for the IT team was to help patients stay in touch with their families, which can be particularly challenging for those in low-income areas. And so, in addition to rolling out monitoring technologies within hospital rooms, the organization purchased 150 iPads and collected another 50 through donations to enable patients to communicate with their loved ones.
“Our ability to get things done was just amazing,” noted Curran. So amazing, in fact, that it has raised the bar. “There’s no going back; our senior executives have seen what we can do.”
Similarly, Goriah’s team accomplished so much in such a short period of time that it changed the expectations of both leadership and clinicians.
There is, however, a potential downside. “When you’re making decisions on the fly, you’re not always taking a systematic approach,” he said. “You’re not applying the appropriate governance.”
Not because the desire isn’t there, but because there simply isn’t time, especially when patient volumes are increasing exponentially, as are the demands being placed on both clinical and IT staffs. In these cases, leaders need to apply the minimum viable product (MVP) philosophy, according to Wright, which means solutions are released before they’ve gone through all of the usual rigor and testing. The idea is that when resources are at a premium, it’s better to have a product at 60 percent than to wait until it is 90 percent ready.
That approach, while necessary during a crisis, cannot – and should not – be sustained over time. Because when it is time to push projects up to the front burner, leaders want to be able to move forward without having to deal with the consequences of cutting corners.
One way to do that, according to Goriah, is by focusing on lean principles. “You have to try to be nimble while still having certain governance controls and processes,” he noted. “You have to be a chameleon. You have to be able to adapt to a changing environment.”
It also means staying on top of cybersecurity threats, which, as IT and security leaders know, are constantly evolving. Wright, who spent 25 years on the provider side before joining Imprivata, believes end user education is a critical priority, and urges CISOs and CIOs to pay close attention to it, particularly as the remote workforce remains strong in numbers. When individuals work from home, “they aren’t getting that peer reinforcement and the constant reminders” to look out for phishing emails. And the more lackadaisical people become, the easier it is for social engineering tactics to succeed.
Goriah agreed, adding, “There are people out there trying to capitalize on vulnerabilities that exist inadvertently or naturally as we move the perimeter.” As care delivery models evolve to meet consumer demands, security strategies need to do the same, and tools like identity and access management need to be top of mind. “We have to focus on how we can protect our data, protect our patients, and restore that trust. The new normal is scary.”
The challenge is that, in many cases, security isn’t an area that typically moves quickly, noted Curran. “Our security people are used to the old ways. They’re used to the slow plodding way of getting things done. But they need to be adaptable and flexible, because if we don’t keep up, we’re going to be left behind. And if we’re left behind, we put the organization at risk.”
And it’s not just provider-side leaders who have to embrace their inner chameleon; vendors need to step up as well, said Wright. For Imprivata, that meant pivoting from a model of onsite training and implementation work to a virtual approach, which wasn’t easy for everyone. It was, however, necessary.
“We were forced to move fast. Now we’re going to find out what vendors can make that pivot and which ones will be left behind,” he said.
Finally, if leaders want to build a strong security culture — whether a pandemic is happening or not — they need to look within themselves, said Goriah. “You have to be that change agent,” he said. “You have to be able to drive change across the enterprise; not just within your IT security silo or with your vendor, but throughout the organization.”
This webinar, Securing the Ever-Expanding Healthcare Enterprise Through Identity Governance (Sponsored by Imprivata), is available as an archive.