
Healthcare security, IT should be separate to be effective

What can the healthcare industry learn about security from finance, retail and manufacturing? Two CISOs who came to healthcare from other industries give their take.

When Stephen Dunkle left his security role in manufacturing to be CISO at Geisinger Health System, he felt like he'd jumped back in time 10 years.

Phil Alexander, who used to work for the National Security Agency, said he was stunned to see fax machines and beepers still in use when he transitioned to a role in healthcare security in 2013.

The healthcare industry is not known for having the most up-to-date technology in place, and that includes security. But as healthcare organizations become more connected, cyber threats continue to grow, leaving healthcare IT departments playing catch-up with other industries, Dunkle and Alexander said.

Alexander, CISO at North Mississippi Health Services since 2018, said that during his time at the NSA, higher education and healthcare were seen as "the most unsecured places."

When he became director of information security at UMC Health System in 2013, he saw firsthand why healthcare was at the bottom of the list. "I did not know that fax machines existed anymore, I thought they were literally in museums," he said. "So, I was walking down the hall of a museum, but it was the hospital. I had doctors with pagers, and that was kind of a shock."

At the recent HIMSS Healthcare Security Forum in Boston, Alexander and Dunkle shared what they successfully brought from past experiences into healthcare, including separating IT and security teams.

Separate security from IT

Stepping into the world of healthcare security was a culture shock, Dunkle said.

When he joined Geisinger Health in 2015 as CISO, he was surprised by how many vendors the organization worked with that had a direct connection to the health system's network -- something he hadn't seen before in his security experiences in retail, finance or manufacturing.

"Nowhere have I ever worked ... would it be acceptable to do that," he said.

He found IT and security to be "synonymous" in healthcare. In his experience, other industries have learned to separate the two for better performance and increased efficiency. As a security professional, Dunkle said he has reported to CIOs, but IT and security are tasked with different missions and should operate separately to be effective.

The healthcare IT team is "service-oriented," attending to the technology needs of healthcare systems and clinicians so they can do their jobs more effectively, a job Dunkle said IT does well. While service does have its place, security teams tend to focus on risk management, he said.

"Service doesn't always win over security," Dunkle said. "Sometimes there's a point where you have to say, 'I wouldn't say no, but slow down.'"

Separating security from IT is a growing pain other industries have already gone through, and in doing so they have learned do's and don'ts that the healthcare industry can take advantage of, Dunkle said.

Policies and procedures

Alexander found a lack of policies and procedures in healthcare security compared with his previous experiences in other industries.

The U.S. government had "policies, plans and procedures for everything." In healthcare, that wasn't the case, he said.

A phrase Alexander heard frequently in healthcare IT is that the team functions as a "catcher's mitt," supporting the hospital, moving quickly and doing whatever leadership asks. Alexander said a governance process, not just for security but for IT teams across a healthcare organization, is necessary to ensure security.

"There were not a lot of standards at both organizations I worked at to put policies and procedures, governance in place," he said. "Once I instituted policies, plans and procedures in security ... then other IT departments looked at it and ... started adopting some of those tactics and procedures we had."
