Dr. Mark Jarrett, senior vice president and chief quality officer at Northwell Health in New Hyde Park, N.Y., believes that large health systems should have more leeway to help smaller organizations meet their cybersecurity needs. Here, HealthTech speaks with Jarrett about how government can help stimulate such efforts.
HEALTHTECH: What are the biggest cybersecurity threats facing your organization and the industry?
JARRETT: Ransomware has now become the biggest threat because it prevents access to electronic information. You may have data backed up, but it still results in downtime.
Identity theft has become a major issue. People can sell stolen identities, and those who buy them can receive care based on the false information. They can get coronary bypass surgery and $75,000 worth of care, and no one will pay for it.
Another area I worry about is denial of service. If a nefarious person or nation-state executed a large denial of service, all our systems could go down.
Not only would it be a problem for delivering care because you wouldn’t have electronic records available, but you wouldn’t even be able to communicate. Even if you went to paper, most of us have phones, which are Voice over IP-based. And people are using texting and email. All that would be knocked out.
Hackers also pose a risk to medical devices, such as intravenous pumps in a hospital, pacemakers or insulin pumps.
HEALTHTECH: What is your strategy for staying prepared in the face of constantly changing threats?
JARRETT: As a large health system, we’re fortunate to have an extensive staff to work on cybersecurity.
We can afford to maintain a large number of contracts with companies that provide firewalls and other tools. We also have remote backup of all our systems. Teaching cyberhygiene is also critical.
HEALTHTECH: What are your major cybersecurity projects and priorities for the next year?
JARRETT: Staff education is a big one because phishing is a major problem.
We also must maintain vigilance and obtain as much information as we can to be prepared — especially after WannaCry. We also must look closely at software updates.
We must develop better protocols to make sure we can run more efficient tests.
We’re also running tabletop drills.
HEALTHTECH: The healthcare industry is an early adopter of Internet of Things technology. How are you securing medical devices?
JARRETT: We only purchase equipment that runs software that can be patched. We’re also trying to phase out any equipment that has software that’s no longer supported.
It’s a matter of recognizing and getting rid of outdated tools and replacing them. That’s not easy because equipment is a capital expense and often still works fine, but it’s necessary because of the software vulnerabilities.
HEALTHTECH: Let’s talk about the HHS task force. What are your key takeaways?
JARRETT: The biggest thing is that half of healthcare is still done by mom-and-pop shops, small practices and small critical-access hospitals that can’t afford or find the right cybersecurity resources in terms of people. What we talked about is that the government should loosen some of the anti-kickback statutes to allow regional consortia of large health systems to provide cybersecurity support to small physician practices and small hospitals that don’t belong to a system.
It’s really trying to figure out how we can leverage the expertise of a large system with the resources to help others without it being a conflict of interest or a kickback.
We also discussed the huge number of legacy systems. We have to figure out how to give hospitals the capital to retire some of these systems and implement newer technology. Places may have old medical management and lab systems that work, but they’re outdated. To rip them out and deploy something new costs a lot of money.
But it’s not just the cost of software that’s the issue. It’s testing and making sure it works without breaking everything else.
Somebody gave the example of what the government did with “cash for clunkers,” when three car manufacturers were running into economic problems. The program was designed to encourage people to buy new cars and stimulate sales. I don’t know if that’s the answer, but we have to think outside the box. As long as we have so many legacy systems and this patchwork of software, it’s going to be harder to protect them.
HEALTHTECH: How do you strike a balance with security best practices between smaller and larger organizations?
JARRETT: It’s not easy. In the task force, we suggested a single, comprehensive approach. It can’t be a separate approach.
HEALTHTECH: What has been the report’s impact on the industry?
JARRETT: There is now a task force looking to see how we can implement our findings. That doesn’t mean it will happen tomorrow, but I think we’re headed in the right direction.
We would like to go faster, but due to financial and intellectual capital, I don’t know if we can. It’s not like the financial industry, where you have very few people who have to look at people’s records. In healthcare, the whole goal is to give lots of people access.
Think about how many people enter a patient’s medical record. When you’re at a hospital, you have nurses, patient care assistants, pharmacists, radiologists and doctors. We are a different industry. The key to good healthcare is open access, but it has to be protected open access.
HEALTHTECH: From your experience on the task force, what have you learned and taken back to your organization?
JARRETT: I brought back more sources of information and contacts that we can interact with to make our system stronger.
This Q&A is part of the IT Guardians at the Virtual Gate series of interviews with top experts in healthcare cybersecurity.