HEALTHTECH: What prompted the hospital to review its security protocol?
AMIRFAR: Security has become more instrumental in the years that I've been here. When I first came to the hospital in 2014, I would say computer viruses in general were more of a nuisance. By the time COVID-19 hit, those intrusions had become more sophisticated, nuanced, coordinated and, honestly, deadlier in terms of just bringing a hospital’s operations to its knees. We couldn’t wait for attackers to take the initiative, and then for us to respond. We had to be proactive and set up these defenses to make sure that we were never ground to a halt.
In July of 2019, we had a security issue on our network, so that was also a wake-up call for us — in that the security that we thought we had established was not robust enough — that we have to be up to another level, to make sure that whatever intrusions are out there are not compromising our operations, not compromising our patients’ health, our patients’ security, because we’re entrusted with valuable information that people want access to.
HEALTHTECH: What lessons did you learn over the past year that you hope to carry beyond the pandemic?
AMIRFAR: The pandemic has really accelerated a lot of our plans, a lot of things that we had to do really quickly. We always meant to do telemedicine. We always meant to have more secure and coordinated access for a lot of our employees and our consultants, our third-party companies that we work with who access our systems. To use an analogy, we knew we had to get into a deep swimming pool, and we had a plan of getting in by going from the shallow end one step at a time. But then COVID came, and we got pushed into the deep end, and we just had to learn to swim really quickly.
HEALTHTECH: How did you decide that Cisco was the right partner to work with for building and managing a security operations center?
AMIRFAR: When we started looking at an MDR solution, we knew we didn’t have the right expertise in-house. We don’t tell the food and nutrition department, go buy a plot of land, plow it, put the seeds down, and then bring in the bounty that comes in off that — we’re not farmers. So we had an RFP [request for proposals] process. We found a lot of vendors that were interested. I think the follow-up phone calls are very helpful because you tend to get a feeling for the company, the way they respond to your questions or concerns. You start to understand whether they understand who you are and your problem, and what they can offer.
HEALTHTECH: What has been the feedback from your team members?
AMIRFAR: The team likes it. It frees up our people to do a lot of the things that we need for health IT: configure electronic health records, go to the end users and help with their computer issues. We don't have to worry about security. Our other partners are also more secure knowing that Brooklyn Hospital is taking security seriously. And the fact that we haven't had any major issues since then has been very reassuring for us and for our third-party vendors.
HEALTHTECH: What advice would you have for other systems similar to The Brooklyn Hospital Center that have not yet overhauled their security system as you’ve done?
AMIRFAR: A lot of times, the first indication that you don’t have proper security is when you get compromised, and you don’t want that to happen. I know it’s hard to carve out time, and everyone’s busy with a lot of projects happening, but at least start the discussion within your department. Once you’re able to assess your security, take simple steps. And if you plan for disaster recovery, if you do all these things, if you do get compromised, you can recover quicker because you’ve thought about and gone through these exercises. You would have done disaster drills already, or you have plan B’s if anything goes down — you can maintain some kind of operational order.