Q&A: Jacki Monson on Cybersecurity ‘Threat Hunting’
For Jacki Monson, vice president and chief privacy and information security officer at Sutter Health in Sacramento, Calif., successful security is a patient safety necessity. Here, we talk to Monson about Sutter’s upcoming projects and priorities.
HEALTHTECH: What are the biggest cybersecurity threats facing your organization and the industry?
MONSON: We are most concerned with cyberattacks of all sorts, whether it’s ransomware or malware.
HEALTHTECH: How do these threats impact patient care, finances, workflow and reputation?
MONSON: I see cybersecurity as a patient safety issue. If you want to provide the best care possible to patients, you must keep them safe. In order to do that, you have to protect them and their information.
HEALTHTECH: What is your strategy for staying prepared in the face of constantly changing threats?
MONSON: Our cybersecurity team is constantly threat hunting, and if they find potential threats, they work with engineers to address them before an attack happens.
We share information with other organizations and participate in various task forces to obtain threat information. We also have a 24/7 monitoring service. If there is a legitimate threat, they notify us and we go into incident response immediately.
HEALTHTECH: What are your major cybersecurity projects and priorities for the next year?
MONSON: We are focused on biomedical devices and third-party risk management. We are conducting audits, and if our partners are vulnerable, we work on alternatives that might work from a security control standpoint.
HEALTHTECH: Let’s talk about the HHS task force. What are your key takeaways?
MONSON: The task force truly evaluated all the risks of the healthcare sector and identified the most important cybersecurity problems. Healthcare is sick because we have not made threat protection the highest priority, and many vendors didn’t contemplate information security when they built their information technology.
We are now backtracking to address it, but it’s always harder to respond reactively.
A cybersecurity leadership role in HHS is important. I think HHS is playing more of an active role in the most recent threats. What we’d like to see is a more proactive stance, not just when we have a potential incident going on. We need to be proactive all the time. We think having someone to facilitate that would substantially benefit both the government and the public and private sector of healthcare.
Another area that is important is biomedical devices and vendor risk management. We continue to work with them to come up with the right level of security to protect biomedical devices. Today, healthcare providers are facilitating discussions with vendors to come up with solutions. That’s really challenging when you are under a cyberattack and might have 15 different biomed companies that you have to work with to sort out which patch you need to apply to protect their devices. We don’t always have that time, so having more cooperation is important.
HEALTHTECH: Throughout the report, special attention was paid to small and medium-sized organizations. You recommend that the industry customize cybersecurity best practices for smaller organizations. How urgent are such steps?
MONSON: It is urgent. The small physician practice is no different than the small and medium-sized hospitals that are struggling with the same things. They may not have the money to afford the right technology to protect their organizations. Changing the law is one way.
One option discussed was a “cash for clunkers” type of program, through which organizations could trade in their old technology for new technology, or get discounts so they can afford to upgrade technology.
HEALTHTECH: How do you strike that balance with security best practices between smaller and larger organizations?
MONSON: It’s all about protecting the patient. I don’t think it should be any different. The big providers have an obligation to help the small and medium-sized providers as much as we can, but at the end of the day, we can’t compromise patient safety.
HEALTHTECH: What has been the report’s impact on the industry?
MONSON: The industry is paying attention to it, but we are not getting the attention we need to tackle the challenges.
HEALTHTECH: What can be done?
MONSON: The private sector can review it and start incorporating the changes and suggestions we made. As for the public sector, we need help in getting the attention of Congress, the president and others to make sure this is prioritized.
HEALTHTECH: From your experience on the task force, what have you learned and taken back to your organization?
MONSON: Healthcare is unique as an industry. We have to work together to solve these problems. It’s not about pointing fingers or a blame game. We as an industry and the government have to pull together to solve cybersecurity as a group. What I’ve taken back to my organization, of course, are the recommendations, and if we are not doing them already, we are working on what we can. The biggest thing we’d love to do is help the small and medium-sized organizations or the physician practices that are associated with us.
This Q&A is part of the IT Guardians at the Virtual Gate series of interviews with top experts in healthcare cybersecurity.