Health CIO: IT Must Be Core Business Element to Tackle Security Challenges

At Xtelligent Healthcare Media’s Privacy and Security Summit, health CIO Michael Archuleta stressed the need for IT to be a key business element if the sector hopes to overcome cybersecurity challenges.

If healthcare hopes to overcome cybersecurity challenges and inefficiencies, the overall security posture must evolve by building a strong foundation around cybersecurity that advocates for incorporating employees, executives, and management as part of the cybersecurity structure.

On Tuesday, Michael Archuleta, Chief Information Officer for Mt San Rafael Hospital, kicked off Xtelligent Healthcare Media’s Privacy and Security Digital Summit with a keynote centered on the evolution of cybersecurity threats in the healthcare sector.

While the overall security process and technology have evolved over time in healthcare, they are moving at a sluggish pace compared with other industries.

“It becomes a major problem when we see eCommerce, oil and gas, and many other industries more advanced than healthcare when it comes to digital innovation,” he said.

“Healthcare is doing the most important work: we should be the ones continuing to innovate, with better processes and efficiencies to take care of patients,” Archuleta added. “We should be moving forward with innovative elements and the reprioritization of security as a key part of business competencies.”

The problem with cybersecurity in healthcare is that providers need to reprioritize information security technology within the enterprise and make it a critical element of operational strategies to truly create successful outcomes, Archuleta explained.

IT must be incorporated as a core component of the business to truly drive a revolution across the enterprise.

For Archuleta, security is like building a home. Without a strong foundation, the structure will eventually crack. Then everything that’s built on top of the foundation will collapse over time. As such, healthcare needs to continue to renovate the entire organization.

Viewed through the lens of IT evolution, digital transformation is a cultural change that can enable providers to evolve, prioritize, and reinvest in initiatives needed within the industry.

COVID-19 forced healthcare organizations and companies around the world to innovate and support employees working from home. But healthcare was already facing a range of challenges before the pandemic, some of which were created by its own missteps and deficiencies.

Data previously found that 24 percent of healthcare employees have never received cybersecurity training, while 93 percent of all entities have experienced a data breach of some sort.

At the same time, administrators consider cybersecurity to be a top focus. So where’s the disconnect?

“The industry, as a whole, has adopted brick and mortar theologies in healthcare. It’s over,” Archuleta said. “The acceleration of digital transformation and incorporation of IT innovation... healthcare is at a critical inflection point, moving into the digital age of healthcare.”

“We are digital companies that deliver healthcare services. This is the day we’re living in,” he continued. “We need to evolve and bring security into the C-Suite side of the conversation, which will be a critical element moving forward.”

To get there, providers need to stop focusing on security as a cost center. Instead, IT and security need to be revitalized as a tech innovation. To Archuleta, this can result in a “business revolution to continue to accelerate your organization.”

IT has traditionally acted as a ticket and order taker, rather than a value maker. At this critical moment, chief information officers need to ask whether they are just CIOs or transformational officers that drive the organization’s acceleration into the new digital age in healthcare.

“If we can take the massive amount of experience gained from this unique challenge, really cultivate processes and continue to invest in digital transformation initiatives that will allow us to keep innovative and profitable, and focus on patient safety and outcomes, these will be the critical elements moving forward,” Archuleta said.

As a whole, the industry is continuing to face the same challenges seen in the past, such as phishing -- the source of the majority of security incidents. Archuleta stressed that with a quarter of employees not receiving basic cybersecurity awareness training, it’s a serious issue.

Healthcare entities need to focus on building a strong human firewall, which he explained is the crux of what brings the security culture into an organization. Technology is just one part of security. While technology service plays a critical role, the entire organization needs to be re-engaged to make a difference.

“If our culture wasn’t built to incorporate IT and security as the core component to the overall organizational strategy, we will not be successful in moving forward,” Archuleta stressed.

Adding to healthcare’s challenges is its heavy reliance on outdated or unsupported systems, many of which are utilized by medical devices -- and directly connected to patients and their care.

Medical device security isn’t just about securing data; Archuleta stressed that it’s also a matter of life and death. IoT and medical devices just touch the surface of the endpoint risks in healthcare.

Entities have a long way to go, beginning with gaining a full, accurate inventory of all devices operating on the network.

“Inefficient legacy systems pose a serious risk to healthcare infrastructure security, as a whole,” he said. “We need to implement intelligent security that focuses on endpoint devices, assessment management, as a whole, to create a hawkeye view of what we have in our environments.”

“If you can’t see or identify it, how do we create a security process to protect them? It’s a problem this industry continues to face: medical devices are very a legacy process,” he added. “If you can successfully execute an intelligence strategy, it allows your organization to actively determine any exposed devices that will assist in developing a plan to ensure security within our environment.”

And that begins with identifying the weakest link within the process, which continues to be medical devices, the cultural aspect, and overall weak infrastructure, he added. It’s becoming a major problem.

Further, entities that fail to remember the basic elements, including the strong human aspect, are failing to understand their state of readiness when it comes to cyberattacks.

To get there, providers need strong passwords and multi-factor authentication. Without them, one successful phishing attack can lead to a massive security incident.

But at the end of the day, moving the needle on security begins with a focus on people, then the policies and technology to support them. Administrators can get the board of directors involved by asking how an incident would impact the financial, operational, and reputational levels.

Archuleta stressed those leaders should not speak as a tech or cyber professional, but as an individual that sees the alignment between business and technology to create an operational plan for the enterprise.

“Patient data breaches are a major national crisis: Security has to matter to everyone,” Archuleta said. “There’s a new way to do cybersecurity. We need to learn from overall processes. And if there’s a failure point, it’s really a learning opportunity.”
