As vice president and CIO of Cook Children’s Health Care System in Fort Worth, Texas, Theresa Meadows must ensure cybersecurity is a top priority to safeguard the organization’s patients and 6,000-plus employees. We talked with Meadows about her approach to mitigating threats.
HEALTHTECH: What are the biggest cybersecurity threats facing your organization and the industry?
MEADOWS: The biggest threats we need to worry about today are phishing, ransomware, malware and viruses. Email, in particular, is where the majority of breaches start.
HEALTHTECH: How do these threats impact patient care, finances, workflow and reputation?
MEADOWS: Any cybersecurity issue can impact access to clinical or financial information or employees’ personal information. No. 1 is the patient safety perspective. When you have a situation with ransomware and can’t access patients’ electronic health records, it becomes a patient safety issue.
That can damage your reputation, and people in the community wonder, “Can they keep us safe?” With medical devices and other tools that are connected to our EHRs, there are a lot of opportunities for bad things to happen if we don’t pay close attention.
HEALTHTECH: What is your strategy for staying prepared in the face of constantly changing threats?
MEADOWS: We have tools to monitor security, such as network detection, intrusion prevention and special software around email. Our cybersecurity team’s top priority is password and access management for our 6,000-plus employees.
We also prioritize staff education, and conduct periodic phishing exercises to test and see if people have learned what we taught.
HEALTHTECH: What are your major cybersecurity projects and priorities for the next year?
MEADOWS: We are converting to a new EHR. During that process, we are reviewing identity and access management and putting in new tools and processes to ensure that appropriate roles and access are assigned.
We are looking to purchase a tool to automate some of that access. When we hire a new person, the system will automatically generate a user ID and password. And if that person leaves, it will automatically terminate access, so we don’t have to rely on human intervention.
The second biggest priority is to provide more ongoing security awareness education. Some of that comes from risk analysis. We are doing a risk analysis around how we would respond to an incident and whether everyone knows their roles. If we had a ransomware infection, do we know what we would say to staff and how we would handle it? What would our media response be? It’s role-playing for lack of a better term.
HEALTHTECH: The healthcare industry is an early adopter of Internet of Things technology. How are you securing medical devices?
MEADOWS: That is one of our bigger challenges. The medical device industry is just now catching up with cybersecurity. Today, we try to segment those things away from our critical network until we know and have an opportunity to ensure that they are safe.
The ability to update operating systems with patches has been a big sticking point in the medical device industry. Some device manufacturers have said if we were to patch, that would violate their approval by the U.S. Food and Drug Administration. But the FDA has come out pretty strongly in saying such actions would not violate a warranty.
It’s just getting device manufacturers to allow us to do basic security hygiene. We’ve been lucky that some allow us to do it.
HEALTHTECH: Let’s talk about the HHS task force. What are your key takeaways?
MEADOWS: We worked for more than a year and came up with six imperatives. One big issue is that healthcare is complex and has a lot of sectors with unique concerns. For example, the pharmaceutical industry has difficulty protecting its intellectual property, which is a lot different from us trying to protect patient safety.
We would love to see harmonization of all the different security regulations.
We also would like to see HHS appoint a cybersecurity leader to coordinate activities across government, so we are not contradicting each other with regulations. Development of the healthcare security workforce also needs to improve.
Cybersecurity is not unique to healthcare, but it’s harder for us to attract security professionals; we need better ways to attract those experts.
HEALTHTECH: In the final HHS report, you recommend that the industry customize cybersecurity best practices for smaller organizations. How urgent are such steps?
MEADOWS: It’s urgent because we are required by law to connect everyone together. A small organization can put our organization at risk just through the connectivity.
We asked for a look at modifying the Stark Law so we could provide technology services to smaller providers and that wouldn’t be seen as an inducement for referrals. It would be helpful to allow us to provide them software and services without fear of getting into trouble.
Another suggestion we offered is to use managed services providers. They can provide security services at a lower cost versus the smaller providers having to hire their own employees to do this work.
HEALTHTECH: How do you strike that balance between smaller and larger organizations and ensure security best practices?
MEADOWS: It’s one the task force struggled with. What needs to happen is we need a standard framework to start with. Then we can work to say these are the bare minimum requirements for a small to medium-sized provider. And if you can at least meet the baseline framework requirements, then you are in pretty good shape.
HEALTHTECH: What has been the report’s impact on the industry?
MEADOWS: It has had some impact. We have done a lot of education around it. We are still educating Congress about it. Things in government sometimes take time to gain momentum.
We offered a number of recommendations, but recommendations are no good unless you can put an action plan together. Now there are groups working on developing action plans for some of the recommendations.
HEALTHTECH: What have you learned and taken back to your organization from your task force experience?
MEADOWS: I learned a lot about medical devices and the FDA; in particular, that we can patch devices. It’s also helped with our leaders’ education process to get them to embrace security and the need for good security practices.
This Q&A is part of the IT Guardians at the Virtual Gate series of interviews with top experts in healthcare cybersecurity.