Transforming Healthcare Security: From the Department of No to a Culture of Yes

In the rapidly evolving landscape of healthcare, the role of the Chief Information Security Officer (CISO) has become increasingly complex. Jason Elrod, CISO of MultiCare Health System, sums up the challenge: "Healthcare loves to walk backwards into the future. And this is how we got here, because there are a lot of things that we could have prepared for that we didn’t, because we were so concentrated on where we were." This statement underscores the pressing need for a shift in healthcare IT security: from being perceived as the "Department of No" to fostering a "Culture of Yes".

The Traditional Security Paradigm in Healthcare

Historically, healthcare security teams have operated as gatekeepers, prioritizing protection over innovation. This approach, while well-intentioned, often led to friction between security protocols and the imperative to deliver timely patient care. The inherent challenges in healthcare IT include:

– Continuous Operations: Healthcare facilities operate 24/7, leaving minimal windows for system maintenance or upgrades. Elrod highlights this by asking, "When can you take it down? When can you stop everything and upgrade it?"

– Critical Access Needs: Immediate access to information can be a matter of life or death. Elrod emphasizes, "We have to make sure all the information they need is available when they need it, with the minimum amount of friction possible."

– Expanding Attack Surfaces: The adoption of telemedicine, remote work, and connected medical devices has broadened the attack surface, creating a web of interconnected systems that is difficult to inventory, segment, and defend.

– Conflicting Priorities: IT departments often focus on availability and speed, while security teams emphasize protection and compliance, leading to potential conflicts.

Embracing a Culture of Yes

To address these challenges, MultiCare Health System embarked on a transformative journey to integrate security seamlessly into their operations. This shift involved:

1. Investing in People: Recognizing that technology alone cannot solve security challenges, MultiCare prioritized building a culture that values security. This involved training staff, fostering open communication, and encouraging collaboration between departments.

2. Implementing Identity-Based Microsegmentation: Traditional network segmentation, which ties policy to IP addresses, VLANs, and firewall zones, proved cumbersome and inflexible. By adopting identity-based microsegmentation, MultiCare was able to:

– Enforce Dynamic Security Policies: Policies that adapt to users, workloads, and devices, regardless of their network location.

– Establish Granular Access Controls: Creating a security perimeter around each individual asset, so that a compromised device or account can reach only what its identity is explicitly permitted to reach.

– Leverage Existing Infrastructure: Utilizing current systems to implement microsegmentation without extensive overhauls.

3. Automating Security Processes: Automation allowed for real-time threat detection and response, reducing the load on analysts and minimizing the risk of human error in repetitive tasks.

4. Promoting Transparency and Accountability: By fostering an environment where staff felt comfortable reporting potential security issues without fear of retribution, MultiCare enhanced its overall security posture.
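The contrast drawn in item 2 above, between address-based segmentation and identity-based microsegmentation, is easiest to see in code. The following is an added illustration and not MultiCare's implementation or any vendor's product; the workload names, labels, addresses, and the port numbers are constructed for the example. It evaluates the same five flows under an address-based allow list and under a label-based rule, and shows what happens when a workload moves to a new subnet and when an unrelated device inherits its old address.

```python
"""Identity-based vs address-based segmentation policy, side by side.

Added example (hypothetical inventory and rules); not code from the page
or from MultiCare. Labels are treated as trusted here; in a real deployment
they come from an attested workload identity, not from the packet.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    """An asset with an identity (labels) and a current network location (ip)."""
    name: str
    labels: frozenset
    ip: str


@dataclass(frozen=True)
class Rule:
    """Allow src -> dst on the listed ports when every required label is
    present on both identities. Anything not matched by a rule is denied."""
    src_labels: frozenset
    dst_labels: frozenset
    ports: frozenset


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


def labels(*items):
    return frozenset(items)


# Constructed inventory (hypothetical names, labels and addresses).
EHR_APP = Workload("ehr-app-01", labels("app=ehr", "tier=app", "env=prod"), "10.1.10.5")
EHR_DB = Workload("ehr-db-01", labels("app=ehr", "tier=db", "env=prod"), "10.1.20.9")
IMAGING = Workload("pacs-ws-07", labels("app=pacs", "tier=client", "env=prod"), "10.1.30.3")

# Identity-based policy: a perimeter around the EHR database that only the
# EHR application tier may cross, on one port, regardless of where it runs.
IDENTITY_RULES = [
    Rule(labels("app=ehr", "tier=app"), labels("app=ehr", "tier=db"), frozenset({5432})),
]

# The address-based equivalent a firewall ACL would carry: (src_ip, dst_ip, port).
ADDRESS_ALLOW = {(EHR_APP.ip, EHR_DB.ip, 5432)}


def address_policy_allows(allow_list, flow):
    """Classic ACL: the decision depends only on addresses and port."""
    return (flow.src.ip, flow.dst.ip, flow.port) in allow_list


def identity_policy_allows(rules, flow):
    """Identity policy: the decision depends on who the endpoints are (default deny)."""
    return any(
        rule.src_labels <= flow.src.labels
        and rule.dst_labels <= flow.dst.labels
        and flow.port in rule.ports
        for rule in rules
    )


def evaluate_scenarios():
    """Return {scenario: (address_decision, identity_decision)} for the same flows."""
    moved_app = replace(EHR_APP, ip="10.9.1.5")   # same workload, redeployed on a new subnet
    squatter = replace(IMAGING, ip=EHR_APP.ip)    # unrelated device now holds the app's old IP
    scenarios = {
        "app->db 5432": Flow(EHR_APP, EHR_DB, 5432),        # legitimate traffic
        "imaging->db 5432": Flow(IMAGING, EHR_DB, 5432),    # wrong identity, same port
        "app->db 22": Flow(EHR_APP, EHR_DB, 22),            # right identity, wrong port
        "moved app->db 5432": Flow(moved_app, EHR_DB, 5432),  # ACL breaks the legitimate flow
        "squatter->db 5432": Flow(squatter, EHR_DB, 5432),  # stale ACL entry admits an imposter
    }
    return {
        name: (address_policy_allows(ADDRESS_ALLOW, f), identity_policy_allows(IDENTITY_RULES, f))
        for name, f in scenarios.items()
    }


if __name__ == "__main__":
    print(f"{'scenario':<22}{'address':>9}{'identity':>10}")
    for name, (by_addr, by_id) in evaluate_scenarios().items():
        print(f"{name:<22}{str(by_addr):>9}{str(by_id):>10}")
```

The two policies agree on the first three flows. They diverge exactly where the page says traditional segmentation is inflexible: when the application server is redeployed on another subnet the address list silently blocks the legitimate connection (an outage in a 24/7 environment), and when a different device inherits the old address the stale entry admits it. The identity rule follows the workload in both cases. The caveat is that this only holds if the labels are bound to the asset by something an attacker cannot forge (an agent, a certificate, or the orchestrator), so the right to assign labels becomes a privilege that must itself be protected.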

The Role of Leadership in Cultural Transformation

Leadership played a pivotal role in this transformation. By modeling honesty and openness, leaders at MultiCare set the tone for the entire organization. Regular exercises, such as "Start, Stop, Continue" sessions, encouraged staff to provide candid feedback, fostering a culture of continuous improvement.

Conclusion

The journey from a "Department of No" to a "Culture of Yes" is neither quick nor easy. However, by investing in people, embracing innovative technologies like identity-based microsegmentation, and fostering a culture of transparency and collaboration, healthcare organizations can enhance their security posture without hindering their primary mission: delivering exceptional patient care.