As the CEO of a major healthcare delivery system, I am often asked what keeps me up at night.
One of the many things on that list is a security breach. Cyber-security is a big deal for all of us, whether as individuals or as employees of St. Luke’s. There are steps we all need to take to protect privacy and security, in personal business affairs, as a health system, and as St. Luke’s employees.
Today’s guest blogger is Dr. Marc Chasin, St. Luke’s Health System chief information officer, with his observations about St. Luke’s state of readiness and resources that can help you protect sensitive information.
Risk means different things to different people. There is upside risk as well as downside risk.
In clinical practice, physicians manage risk with every encounter they have with a patient. I often weigh the risk of providing a patient with a certain treatment and the possibility of them developing a side effect.
As a practicing physician, my approach was to include my patients in these decisions, empowering them to participate in life-changing decisions. As I transitioned into my chief information officer role, I was introduced to a different type of risk, one that I am still reconciling in my mind.
This type of risk is much broader and can impact a community, not just an individual patient and family members. It’s the risk surrounding the security of St. Luke’s patient, partner, and employee data. I have had the good fortune to work on this post with Reid Stephan, our director of IT security, who in my opinion is an expert in this area.
St. Luke’s is becoming an accountable care organization, and our technology landscape is varied and complex, encompassing seven hospitals, including three critical access hospitals, and hundreds of care settings spread across 22,000 square miles in southwest Idaho, eastern Oregon, and northern Nevada.
Technology enables communication and collaboration between these various locations, our workforce, our partners, and our patients, and the secure use of our technology will play a pivotal role in helping St. Luke’s achieve its goal of accountable care.
Our Information Technology (IT) department is responsible for a wide array of technology that facilitates the creation, transmission, and storage of information that is essential to delivering health care.
This technology includes servers, personal computers, network equipment, telephones, and applications. In addition, we provide services that support the use of devices owned by our workforce, our partners, and our patients. At any given point in time, there are thousands of devices communicating on our IT network from internal and external sources.
These factors combine to create a very real risk. Just as the human body will experience illness despite all efforts to prevent it from happening, IT systems and networks will experience cyber-security incidents despite all preventative efforts.
A cyber-security incident could be caused by an inadvertent action, such as losing a laptop, or it could be caused by a cyber-criminal seeking access to our data for nefarious purposes.
St. Luke’s patients, partners, and employees are potential targets for cyber-criminals, and so our IT security strives to prevent, detect, and contain cyber-security incidents by using layered security controls and focusing on user awareness training.
Here’s an example. We know these criminals can try to hack into our organization by tricking people into divulging information that will grant them access to our network. Employees or others affiliated with our organization may receive phone calls or emails from people they don’t know, asking them to provide sensitive information such as user names and passwords associated with electronic health records. Divulging this information would allow a criminal to access the St. Luke’s network and potentially access sensitive information. Our St. Luke’s employees will never ask users of our electronic health systems to reveal a password.
Patients, partners, and employees are St. Luke’s most important line of defense, as is true for other healthcare systems and organizations. Here are ways that everyone can be a cyber-security defender:
Be educated about phishing.
David C. Pate, M.D., J.D., is president and CEO of St. Luke's Health System, based in Boise, Idaho. Dr. Pate joined the System in 2009. He received his medical degree from Baylor College of Medicine in Houston and his law degree from the University of Houston Law Center.