Richard Mitchell, CIO at Eagleville Hospital – a behavioral health treatment and educational organization in Pennsylvania, discusses the need to prioritize the various types of hospital data as a cybersecurity initiative.
Question: What tasks require the majority of your time as CIO?
Richard Mitchell: Security infrastructure monitoring and new product awareness are time consuming tasks. You can have the best security tools and apps available, but if you aren’t watching them then you wasted your organization's financial resources and put it at risk. And these tools are constantly evolving, getting better, and ultimately outdated by newer or different technologies and processes. So being aware of this is critical.
Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?
RM: I have always thought about the "priorities" or level of importance of specific information. Particularly when it comes to [protected health information], do I really care if the fact that I had an appendicitis attack or a diagnosis of hypertension gets breached? Yes, to a degree, but if the information concerning my mental health diagnosis were to be compromised, that seems to me to be so much more significant of a PHI data breach.
So, are our cyber security initiatives a one size fits all for our organizations? Or should we be more focused on the data that is more critical to our patients and employees, financial information and mental health information that can cause harm if it were stolen. Is all data the same? Most hospitals have several data management systems, some are cloud and some internal, and these systems need to be prioritized regarding their level or security needs and awareness of this communicated internally.
Q: What do you consider to be the most important aspect in hospital data protection?
RM: Priority and oversight. Due to financial constraints most hospitals don’t put enough value to this endeavor. Are you going to upgrade the cardiac [catherization] lab, or buy a new IT security system? The choice is usually for what can make money.
Q: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?
RM: It is a constant internal marketing effort to educate and instill awareness to all hospital staff about IT and PHI data security. And it isn’t always the clinicians and front-line staff. The security awareness of back office billers, receptionists and systems support personnel are key to the solution.
To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference Sept. 19-22, 2018 in Chicago. Click here to learn more and register.