There’s no shortage of scenarios that can conjure fear in even the most seasoned leaders. For Kate Pierce, it’s a cyberattack that causes North Country Hospital to go offline. Not because it would mean losing patients to a competitor, but because it could mean losing patients.
“We have to be able to offer care,” she said during a recent interview with Kate Gamble, Managing Editor at healthsystemCIO.com. “There’s not another facility for 40 miles. We can’t just say, ‘sorry, we can’t take you. Our network is down.’”
For Pierce, who holds both the CIO and CISO roles at the Newport, Vt.-based organization, having the right plan – and people – in place to prevent cyberattacks is the ultimate goal. It’s not an easy one, particularly given the limited resources and access to talent faced by most rural organizations.
During the discussion, she talked about the creative thinking her team is utilizing to stay one step ahead of bad actors, the critical lessons they learned when UVM suffered a data breach, why North Country will never leave the cloud, and how she manages the competing priorities of her dual roles.
- After its EHR vendor pulled out of the healthcare vertical, North Country was forced to “go back to the drawing board and figure out what we were going to do.”
- One of the key criteria in the search for a new vendor partner was cloud capability. “Because we were in the cloud already, it wouldn’t be feasible to bring everything back in house.”
- North Country has adopted a three-pronged approach to cybersecurity focused on providing education and tools, creating a culture of security, and thinking outside the box by partnering with other organizations.
- For remote organizations, being able to maintain a secure network is vital. “There’s not another facility for 40 miles — we can’t just say, ‘sorry, we can’t take you.’”
- Although the CIO and CISO roles are often in competition with each other, they can also go “hand in hand.”
Q&A with North Country Hospital CIO/CISO Kate Pierce
Gamble: A lot has happened since the last time we spoke. Your team is implementing CommunityWorks from Cerner, which was scheduled to go live in May. What has that process been like, particularly in terms of training?
Pierce: We had a five-week period where we trained end users. Cerner has a dual approach. For staff, they use a ‘train the trainer’ model. And so, they’re training our staff, and we have subject matter experts that have been trained by Cerner as well as some super users. We have a variety of groups across the organization that are training in different areas.
That schedule was put together by one of our CIS staff members. The big challenge we face is bringing staff up from their daily work in order to attend the training and participate in the education.
With the shortage in nursing — and really across the board — it’s one of those areas where we (both North Country and Cerner) have had challenges resourcing the project. But I think we’re in a good spot right now. We’ve got a plan in place and I’m confident we’re going to be successful.
Gamble: There’s so much going on right now; I can imagine it’s really difficult to pull physicians and nurses away from what they’re doing. What’s the approach to making sure they’re trained?
Pierce: It’s been an organizational effort. We didn’t have a lot of choice with the timing of it. Our current vendor had decided to exit the hospital EHR market, and so we needed to go back to the drawing board and figure out what we were going to do.
It’s been a priority for the organization. They’ve done a great job at ensuring we have the staff we need to move the project forward successfully. It takes a lot of strong partnerships and a staff that’s willing to go above and beyond.
We have some very dedicated individuals here. I’ve seen our VP of nursing take shifts on the floors; it’s been very all-hands-on deck to ensure the success of the project.
Gamble: And this is a unique situation. You’re not trying to fix or change something that’s been working fine. It’s more like, ‘we need to do this.’ Does that make it a little bit easier?
Pierce: I don’t know if it makes it easier — maybe a little bit more palatable.
Selecting a vendor: “We’re looking for true partnership”
Gamble: That’s a better way of putting it. How did you approach the selection process? I’m sure being on a single platform was something you wanted.
Pierce: We actually have been on a single platform, and it’s cloud-based. And so, when we came to the realization that we needed to move away from the vendor we had been using, we formed a committee and established some goals for the project.
The first goal was to remain on a single platform. In the selection process, we look for things like system efficiency and performance, user satisfaction, and vendor staying power. That’s big — we’re looking for someone who is not going to be exiting the market anytime soon.
We were looking for a true partnership with our vendor, and some maneuverability. As a critical access hospital, we don’t know what the future holds for us. We hope to stay strong, and so one of the key things we look for is to maintain our IT costs at a sustainable level. Because we were in the cloud already, it wouldn’t be feasible to bring those servers and everything back in house; we just don’t have the resources or manpower to sustain that. And so, we only looked at vendors that were hosted or cloud based when we did our selection process.
Gamble: So obviously the cloud strategy had worked well for you.
Pierce: Yes. We’ve gone with a cloud first strategy, and I can tell you that my IT manager has said he will never go back, because now he sleeps at night. When you think about the resources that these large EHR vendors have versus a small critical access hospital, we really can’t provide the same service to maintain and secure those servers.
One of the added incentives is not having to deal with the security risks that would come with bringing servers back onsite. In this environment today, you’re expanding on your resources when you’re adding all those security features.
Cybersecurity: “It’s a moving target”
Gamble: That segues nicely into an area I’d really like to talk about, which is cybersecurity and the challenges it poses for small and community-based organizations. What are you doing to deal with some of those challenges?
Pierce: One of the biggest challenges with security, as everyone knows, is that it’s a moving target, and it has required more and more resources over the last few years. And we’re not alone — it’s the same across the board, whether you’re a small facility or large facility; the difference being that in a smaller facility, when you’re expanding your resources, you’re giving up something else in another area.
Three-pronged approach to securing data
Everyone in our IT department wears a multitude of hats. We’ve taken a three-pronged strategy in how we approach our security, and we’ve had a pretty strong program in place for at least the last 10 years. We’ve done a lot to provide our IT staff with the tools and the education they need to ensure we have a secure network. That’s our first prong.
The second is educating the entire facility. We’ve got a pretty robust education program for our staff, including blogs and ongoing training. They never know when they’re going to receive that popup that says, ‘you’ve been phished’ and ‘this is what you should have done.’ We know it takes a village to make us secure and that the staff is the weakest point in most security programs. You can do everything right technically, but if you haven’t properly educated your staff on what to do, then you’re still at risk.
We’ve done a lot to create a culture of security. I get emails from everyone from housekeeper to nurses and doctors and even the CEO saying, ‘I should have seen this’ after getting a phishing email. The entire organization needs to be aware of what’s happening in the security world.
The third thing we’ve tried to do is think outside the box. We can’t get stuck thinking that the only way to provide security is to bring onsite staff that have a background or education in security. We have to think of other ways to supplement what our staff is doing.
One way is by partnering with other facilities. Vermont actually has a statewide organization of CIOs and CISOs that meets monthly to talk about security. We’ve had presenters come in and speak. We’ve also done a lot of information sharing. When we’re looking for staff, we consider different options, like ‘can we do this with managed services? Is there another way we can bring on board staff that have some security background?’ Those are the three prongs.
Taking advantage of free cybersecurity resources
Gamble: One of the themes we hear about in our interviews and webinars is the competition for talent — especially cybersecurity. Other industries are offering remote jobs and competitive salaries, which makes it really tough.
Pierce: Definitely. We can’t compete with larger facilities, especially when it comes to salary and incentives, when we’re located in a remote part of Vermont. But we have to be able to offer care. We have to keep our network secure. There’s not another facility for 40 miles — we can’t just say, ‘sorry, we can’t take you. Our network is down.’ We have to have a plan in place.
We’ve also taken advantage of a lot of resources that are free. If you start thinking outside of the box and expanding your scope, you’ll find that there’s a lot out there. CISA, for example, provides a lot of free resources for facilities like ours. In fact, last year we invited them to our organization, and they facilitated our tabletop exercises. It’s great to have someone with that breadth of knowledge come in and help advise us on things like our downtime procedures, what our incident response plan looks like, etc. There’s a lot they’ll do free of charge. They do penetration testing. They do risk assessments. There are a lot of tools out there if you look in the right spots.
Gamble: That’s great to hear. I think a lot of people aren’t aware of the free resources that are out there. That can make such a big difference having CISA come and help with security.
Pierce: For sure. We even had the FBI come in and do security training for different levels of our staff. There was one that focused on leadership training, and one specific for IT that was more technically based. There was another for our physicians and associate clinicians. They’ve done a great job helping us. It’s one thing for me to get up and say, ‘you better watch out; there are risks,’ and it’s a whole other when it comes from the FBI and they say, ‘these risks are real.’ These organizations are your partners in this. They’re doing a great job trying to get the word out. You just have to be open to it.
Gamble: That’s pretty powerful. I’d definitely listen if someone from the FBI came in to speak.
Pierce: Exactly. There’s some legislation coming down the pike that people should watch out for, and there are cybersecurity grants that are working their way through the pipeline. We’re going to keep our eye out for them and try to make sure we have the resources we need to keep us safe. CHIME has done a good job too of putting together a list of security resources. They have a webpage with a list of sources you can use, and things like daily news feeds and free webinars that organizations like CISA provide when there’s an alert.
It’s one of those things where you’re trying to look at it holistically and say, what can we do that’s going to benefit us that only costs us our time?
Culture of cybersecurity
Gamble: You mentioned creating a culture around cybersecurity. That wasn’t the case 5 or 10 years ago — it seemed to fall on the shoulders of IT or security. Has it been a long-term goal to create that culture?
Pierce: Yes, but it doesn’t happen overnight. You have to start somewhere, and you make progress every year. In 2011, I formed an information security team at North Country as part of my master’s program. It’s something I’ve always been passionate about.
We took that and made it our security governance. We’ve updated our policies and procedures. Every year when we do our risk assessment, we take that and form a strategic plan around security. We use the NIST framework, and everyone is involved. With everything from tabletop exercise to downtime procedures, there’s a whole organizational awareness.
Learning from UVM’s crisis
Sometimes, it takes a nearby incident to further the cause. It’s like the saying, ‘never waste a good crisis.’ When University of Vermont Health Network had their breach in 2020, it helped us raise awareness of what we needed to do and what our risks were. It freed up some funding for us to advance some of those tools we felt we needed to keep us safe. You want to use everything you can to ensure no one gets onto your network.
Gamble: I’m sure that had to be a big wake-up call.
Pierce: For sure. It’s the largest tertiary care center in Vermont, and we provide a lot of joint services with them, so it impacted us in a lot of ways. It also impacted our patients; some of them go to UVM.
It had a ripple effect throughout the state, and it really hit home. After the FBI did a presentation to our medical staff, the CEO was in my doorway saying, ‘whatever we need to do, get it done.’ And so, I think it definitely pushed us along.
Dual CIO-CISO roles
Gamble: Right. Now, you have both the CIO and CISO roles, which may not be rare in small organizations, but I’m sure it can be difficult. Talk a little bit about the challenges you face in having both of those roles.
Pierce: They do sometimes compete with each other. I’m trying to push out new tools, and sometimes security is seen as a barrier. I’m trying to implement them in a secure way to make sure that nothing increases our risk. And so, I think they go hand in hand, but it helps to understand the IT strategy. I manage both the IT and security strategy, and make sure they complement each other.
Gamble: So you’re only fighting with yourself on some days.
Gamble: Going back to the association Vermont has, I think that’s so important. I’m sure you’d recommend joining something like that so people can share best practices.
Pierce: For sure. We’re all in this together. No one wants to see their site attacked or see any of their colleagues go through that. In Vermont, I guess we’re far enough apart that we don’t see each other as competition. We see each other as friends, and we share a lot. Maybe that’s unique to this rural state.