The need for more training and education to change the InfoSec culture.

By Erik Devine, CISO, Riverside HealthCare


I’m coming up on 6 years in healthcare information security, after 17 years in financial information security. It seems I enjoy the pain of moving from one regulated industry to another. After years of State and FDIC IT audits, I fully expect that HHS and other governing bodies will start their security audits within healthcare IT sooner or later. Two totally different worlds…but there has been a huge benefit in having the financial information security experience and seeing how it can be brought to healthcare. Is healthcare security behind the times? Well, that depends on your system and culture. I’m fortunate enough to work in a culture that supports my information security strategies and objectives. I’ve been to many conferences, only to find that it’s the same story: how do I sell my ideals to senior management, and what is the first thing any CISO should do within healthcare? I always find myself looking at the new technologies…what tools can I implement to enforce our policies, keep the employees, patients, and data safe, and also make sure my team has the right information at the right time? My dad always said you can’t be an artist without the proper paintbrush. In many ways he’s right…but what it really comes down to is…do I even fully understand what it means to be an artist? That might be the first question to answer.

Education leads to understanding.

Education and training really are the keys to a successful information security strategy. In the end, you’re trying to change or create a culture in your business. This culture will probably be foreign to some, and with that comes resistance. Training and education can open so many minds, and so many doors, for an easier transition into the culture you want to build. 5 years ago, I thought education and training meant asking which certifications my staff could achieve and for how much (oh how narrow my vision was). If we are leaders, then we have to look at the whole picture. Entire staff education, management and leadership education, even board of directors education is key. Reaching out to the community, which includes where you live, fellow healthcare systems, and even the businesses that are integrated into your world, and educating and training them too, is a great step in the right direction. It might be more powerful than any technology that one implements.

It can’t be the same dog and pony show for all groups either; it must be tailored so each group understands how it plays such an important part in keeping the data and processes secured, from process and workflow to budgets and technology. I must admit, it is more challenging to have 3000+ employees become “infosec” aware than just the few that work in the Information Security Department. If you succeed, your strategy, implementation and increased budget just became easier to achieve.

Instead of fighting with the providers, nurses and clinical staff (who are trying to save lives), help them understand what you’re trying to accomplish, in terms they understand. Explain what workflow changes they will see, or why you are implementing the policies and technologies that you are implementing. Let them have a voice if they so choose. Will it be an uphill battle…probably, but the hill might not be as steep as it once was. Simply communicating a change of the screen auto-lock from 60 minutes to 15 minutes can save a few phone calls to the help desk, and frustration throughout the organization. Happy employees create happy customers, and in healthcare, it happens to save customer lives as well, which can be more important than the revenue (sorry to all the CFOs and financial people out there).

Yes, it’s pretty basic philosophy, but maybe healthcare is in the position that it is in because not enough education and training has been implemented. Really it’s a win-win: you’re securing your data and infrastructure, and employees can use the same education for their personal lives as well! I’ve had many conversations with the CEO and CFO, and helped them understand the need for information security. It won’t happen overnight; if you try to change the world in a day, lack of trust may be a factor. So over time, open the doors and create the relationships needed through face-to-face meetings, educate all the employees on what you have to accomplish on their terms, and build trust with surrounding healthcare systems. Remove the silos and start to change that culture so basic phishing attacks are not taking healthcare systems down.

One thing I learned moving from financial to healthcare is that healthcare truly is a community. We use many resources and give many resources that are sometimes found outside our four walls, and in the end it’s to better a patient’s outcome. It’s been a fun 5 years in healthcare, and it’s just beginning. I am enthusiastic to really be a part of that community, to listen and educate wherever I can.