CHIME23: El Camino Health CIO on Security Leadership in Healthcare

HEALTHTECH: How does attending the CHIME23 Fall Forum benefit you and your organization?

MURO: What I find most valuable at CHIME is connecting with healthcare CIOs regarding a wide range of topics impacing technology leaders. I also collaborate with non-healthcare CIOs in our unique and innovative Silicon Valley community. It’s intriguing because we all have the same issues and pressures, even in very different industries. I value networking because you often can find a solution to a problem when checking in with your peers either in industry or out of industry. At CHIME, they are bringing healthcare CIOs together to build relationships and support each other. I enjoy the educational sessions at CHIME and the opportunity to meet with our vendor partners during focus groups. We’re talking to them about how they can help us and, at the same time, we’re learning about future plans and roadmaps for their product offerings. I find CHIME a great time of networking not only with peers, but also our vendor partners in which we share what is top of mind for all of us. This type of collaboration is so critical for leaders in the healthcare technology area.

I appreciate the education, networking and the digital health checkups that we’ve done through CHIME to understand how well we’re doing to transform healthcare. CHIME offers the Digital Health Most Wired survey, which provides healthcare organizations feedback regarding what they are doing well in addition to key areas for improvement. In fact, we’re developing goals right now for my team, and I’m reviewing the survey results and identifying, “Where were our gaps? Where were our areas of opportunity? Let’s use this information to create a focus for improvements within the next year.” So, it’s been very beneficial in many ways.

HEALTHTECH: Can you give some background about El Camino Health and why cybersecurity is so important for the organization?

MURO: We were one of the first hospitals in the country to implement an electronic health record, over 50 years ago. As we’re in the heart of Silicon Valley, Lockheed Martin approached us in 1969 to develop this platform together. We worked with them for several years to design a computerized physician order entry system, which back in those days was unheard of. We overcame many challenges to implement this leading-edge platform in 1972. We also have Fogarty Innovation Institute on our Mountain View campus, demonstrating that passion for innovation is in our organizational DNA.

Due to our location in the Silicon Valley, we’re taking care of high-tech patients who have higher expectations of the care that they receive. They really understand how technology should work and how innovation is so critical.

We are pressured in many ways to meet those demands. While innovation is wonderful, it also is an area where we must spend time assessing cyber risk. As we’re thinking about new technologies, it’s critical that we’re validating vendor capabilities to protect the health information of our patients. How will we be able to protect the data of our patients and make sure that while we’re innovating, we’re also ensuring that we’re doing this in a very safe and secure manner?

DISCOVER: A penetration tester shares where to make healthcare security improvements.

HEALTHTECH: What are some of the biggest cybersecurity challenges that healthcare leaders face today?

MURO: One of the most challenging aspects of our job is the fact that healthcare is expected to keep up with the latest and the greatest cybersecurity tools and technologies, but some of our vendor partners providing the products and services that we use don’t always stay up to date.

Medical devices must go through a very lengthy FDA approval process, and by the time they get through that process, they often experience challenges with keeping components such as operating systems supported to meet patching requirements. They must manage the balance between making sure that a product or service has completed the very stringent approval process, and keeping their product up to date within the life cycle process. As we’re all in this new world of frequent updates for operating systems, these vendors are tasked with keeping their products up to date and yet making sure that they meet those FDA requirements. It’s an ongoing challenge for some of the firms and the organizations providing the technology we rely upon.

We’re constantly working with those partners to keep their technologies and systems up to date. It’s something that we’ve had to really push and encourage. I’m seeing a difference in the market. The FDA has played a part in that piece with some of the medical equipment devices, but it’s so critical with healthcare that not only are we providing the latest products and services but we’re also making sure that they have the latest cybersecurity technology and protections in them. Therein lies the challenge: We’re building the plane while we’re flying it. It’s critical that our eyes are focused on both fronts: innovation and protecting the organization.

HEALTHTECH: How is the evolving cybersecurity landscape impacting your role as CIO?

MURO: It’s important that we make sure we have great partnerships with companies that can help protect us. We form those great relationships and there are many new tools and technologies that are also critical.

I meet with partners, we talk about what technologies they provide, and I make sure that we’re really taking advantage and optimizing those systems, which is so important. We additionally have the resonsibility to demonstrate resiliency. How do we make sure that we have redundancy in our technology? How do we make sure that we can take care of patients no matter what comes our way? That’s really what the role of the CIO is today: to make sure that we’re prepared and ready for whatever might occur in the future.

HEALTHTECH: How would you recommend other healthcare IT leaders approach risk management to keep their organization secure?

MURO: We have put in place an opportunity for any staff member to raise their hand when they feel that there is a risk in the organization. Years ago, when the airline industry was having some real issues with safety, it enabled a high-reliability approach in which any team member could stop a plane from taking off. This meant any employee on the tarmac raising a concern was taken seriously if they noticed a safety issue. We’re trying to instill that same thought process, that anyone can raise a concern which will be reviewed and addressed. We have put in place the capabilities for communication, documentation and remediation of safety concerns which are tracked and monitored within a risk register.

I have also established security governance to define organizational leadership's accountabilities and role in managing cybersecurity risk. When participating in the governance process, participants discuss how to manage those risks effectively, and make sure we have the supporting infrastructure to reduce risk appropriately. This has been a very new approach for us, which keeps everyone on the same page. Security is no longer just an IT responsibility. It’s the responsibility of the organization in which everyone plays a part, from the employee all the way up to the leadership team.

HEALTHTECH: Considering technology adoptions in healthcare, including the growth of artificial intelligence, is there anything that worries you from a cybersecurity perspective?

MURO: You mentioned AI and this certainly is top of mind for our organization and the health industry. We expect AI will improve efficiency through automation, however it will also enable malicious actors in the attacks against healthcare. It is important we are arming the organization through the use of improved tools and workflows to stay ahead of the evolving threat landscape related to AI. A key focus involves thinking through our procedures, our policies on AI, and how we’re going to protect the organization.

READ MORE: Cybersecurity risk assessments help healthcare stay one step ahead of cyber threats.

HEALTHTECH: Are you seeing patients concerned about the privacy and security of their patient data, or are patients not as directly engaged in healthcare cybersecurity?

MURO: In this market, what I’m finding is that patients expect that we’re keeping their data safe, and we have their trust. Therefore, it’s important that we are trustworthy and that we are keeping their data safe and secure. We take things very seriously here. If we have any type of a patient concern, we investigate it. As a high reliability organization, we complete root-cause analysis to understand, remediate and reduce ongoing risk for security incidents or concerns.

It is helpful that patients trust us, which contributes to the accessibility of their information. If a patient has concerns regarding the safety of their information and opts out of sharing their data within the EHR, their information may be unavailable or limited when the patient is treated at a healthcare organization, especially if they required care at another location. The lack or delay in the availability of patient information could impact the care receive by the paitent, which highlights the importance of maintaining patient trust regarding data privacy.

HEALTHTECH: How can CIOs and CISOs benefit from effective partnerships? What does that collaboration look like from your perspective?

MURO: It's so important that CIOs and CISOs are effective partners. CISOs are tasked with understanding the security landscape, geopolitical issues, the risks and the vulnerabilities. When they raise awareness of technical risk, IT is the group that does the work to address those issues. It’s so important that when we’re setting priorities that we’re working together to determine prioritization of our very limited and valuable resources.

My team values working with the cybersecurity team, and it’s such an important partnership. We are one group that comes together, assesses what’s most important, and we move in that direction. One of the areas we’re focusing on in the establishment of an effective partnership is the process for bringing in new products and services. The cyber team completes a security risk assessment to ensure that the vendor demonstrates good security policies and procedures and is a safe organization to work with. The IT team conducts a technical assessment with both teams compiling the data together to ensure a good outcome from the use of the product and service. Another example involves change management, in which changes require coordination and partnership between cybersecurity and IT to make sure that we’re validating and coordinating change well. The collaboration that we have between the CISO, the cyber team and the IT organization is invaluable.

HEALTHTECH: Is there anything else about cybersecurity in healthcare today that you’d like our readers to know?

MURO: We have so many challenges ahead of us as CIOs and healthcare leaders, including labor shortages. We’re thinking about how we can address these challenges through the use of automation. When automation is enabled and implemented, we have the responsibility to ensure the data is safe, secure and protected effectively.

Remote work has become such an important piece of our ecosystem during labor shortages. Protecting the worker and protecting the organization when someone is remote versus when we used to all be on-site has changed the landscape.

As we are innovating and driving transformation of the organization with leading-edge capabilities, we must at the same time ensure the organization is adhering to cybersecurity best practices and technology life cycle management. Thinking through the challenges that we have in our healthcare arena, which are labor shortages, cost pressures and economics, it is vital to invest wisely in cybersecurity and strategically prioritize the program initiatives. The mission of the organization can’t occur without a solid, effective cybersecurity approach and methodology. Those things are so important to align.

Keep this page bookmarked for our ongoing coverage of CHIME23. Follow us on X (formerly Twitter) at @HealthTechMag and join the conversation at #CHIME23.