Dr. Sam Amirfar, Brooklyn Hospital Center’s CIO and Chief Medical Information Officer

Jun 03 2021

Q&A: How The Brooklyn Hospital Center’s Security Focus Prepared It for the Pandemic

The hospital’s chief medical information officer tells HealthTech that a partnership with Cisco strengthened its ability to deliver high-quality care to patients.

The security challenges that healthcare systems across the U.S. face were already of major concern before the COVID-19 pandemic hit. The Brooklyn Hospital Center had taken significant steps to improve its cybersecurity posture just in time to face the health crisis.

The hospital, which has been serving its community for over 175 years, turned to Cisco Systems a few months before the pandemic to build and manage a security operations center. The Cisco Customer Experience team helped build a Managed Detection and Response (MDR) infrastructure. Those experts actively monitor the hospital’s systems to identify and respond to threats in real time.

The partnership has allowed the hospital to focus on delivering care, setting up an onsite tent facility to safely test and screen patients during the pandemic.

“We are a health IT department, but we are not the networking security IT professionals that can run a 24/7 shop and keep intrusions out constantly,” says Dr. Sam Amirfar, the center’s CIO and chief medical information officer. “We just don't have the manpower and expertise to do that properly. We realized we had to look for resources outside.”

Amirfar spoke with HealthTech about how the hospital’s security transformation helped it focus on what’s important during the pandemic: delivering the best care for patients.

HEALTHTECH: What prompted the hospital to review its security protocol?

AMIRFAR: Security has become more instrumental in the years that I've been here. When I first came to the hospital in 2014, I would say computer viruses in general were more of a nuisance. By the time COVID-19 hit, those intrusions had become more sophisticated, nuanced, coordinated and, honestly, deadlier in terms of just bringing a hospital’s operations to its knees. We couldn’t wait for attackers to take the initiative, and then for us to respond. We had to be proactive and set up these defenses to make sure that we were never ground to a halt.

In July of 2019, we had a security issue on our network, so that was also a wake-up call for us — in that the security that we thought we had established was not robust enough — that we have to be up to another level, to make sure that whatever intrusions are out there are not compromising our operations, not compromising our patients’ health, our patients’ security, because we’re entrusted with valuable information that people want access to.

HEALTHTECH: What lessons did you learn over the past year that you hope to carry beyond the pandemic?

AMIRFAR: The pandemic has really accelerated a lot of our plans, a lot of things that we had to do really quickly. We always meant to do telemedicine. We always meant to have more secure and coordinated access for a lot of our employees and our consultants, our third-party companies that we work with who access our systems. To use an analogy, we knew we had to get into a deep swimming pool, and we had a plan of getting in by going from the shallow end one step at a time. But then COVID came, and we got pushed into the deep end, and we just had to learn to swim really quickly.

RELATED: 5 ways to update your healthcare incident response plan.

HEALTHTECH: How did you decide that Cisco was the right partner to work with for building and managing a security operations center?

AMIRFAR: When we started looking at an MDR solution, we knew we didn’t have the right expertise in house. We don’t tell the food and nutrition department, go buy a plot of land, plow it, put the seeds down, and then bring in the bounty that comes in off that — we’re not farmers. So we had an RFP [request for proposals] process. We found a lot of vendors that were interested. I think the follow-up phone calls are very helpful because you tend to get a feeling for the company, the way they respond to your questions or concerns. You start to understand whether they understand who you are and your problem, and what they can offer.

HEALTHTECH: What has been the feedback from your team members?

AMIRFAR: The team likes it. It frees up our people to do a lot of the things that we need for health IT: configure electronic health records, go to the end users and help their computer issues. We don't have to worry about security. Our other partners are also more secure knowing that Brooklyn Hospital is taking security seriously. And the fact that we haven't had any major issues since then has been very reassuring for us and for our third-party vendors.

READ MORE: Find out why healthcare organizations should consider zero trust.

HEALTHTECH: What advice would you have for other systems similar to The Brooklyn Hospital Center that have not yet overhauled their security system as you’ve done?

AMIRFAR: A lot of times, the first indication that you don’t have proper security is when you get compromised, and you don’t want that to happen. I know it’s hard to carve out time, and everyone’s busy with a lot of projects happening, but at least start the discussion within your department. Once you’re able to assess your security, take simple steps. And if you plan for disaster recovery, if you do all these things, if you do get compromised, you can recover quicker because you’ve thought about and gone through these exercises. You would have done disaster drills already, or you have plan B’s if anything goes down — you can maintain some kind of operational order.

Photography by Yvonne Albinowski