This Week Health
November 27, 2024

The “Beginning of the Journey”: CISO Erik Decker on How Standardization and Collaboration Can Boost Security

When Hollywood Presbyterian Medical Center was hit with a ransomware attack in early 2016, it rocked the healthcare industry and forced leaders to take a closer look at cybersecurity efforts. Although Hollywood was able to get back online within a few days – after forking over $17,000 in bitcoin – the damage was far from done. Ransomware’s reign was just beginning.

Fortunately, it was also the start of a renewed focus on improving risk management. After the dust had settled from the initial ransomware event, a group of advocates gathered in Washington DC to ask a critical question: “How do we solve the problems we’re starting to see?” The answer – or at least, the start of that answer – is in identifying the most prevalent threats and developing “practices that everyone should be implementing to mitigate those threats,” according to Erik Decker, VP and CISO at Intermountain Health.


The result was HICP (Health Industry Cyber Practices), a framework created by the 405(d) Task Force to help healthcare organizations of all sizes more effectively prepare for and fight cybersecurity threats. The strategy? To outline the five most common threats and provide 10 best practices that are tailored to meet the needs of various organizations based on size and scope.

Beginning the journey

“We built different volumes,” said Decker, who has co-chaired 405(d) for nearly three years. “If you’re a small organization, the way you do those practices is actually going to be very different than if you’re a large integrated delivery network like Intermountain.”

Even more significantly, the framework signaled “the beginning of the journey to standardize healthcare cybersecurity practices,” which is no easy task considering the number of stakeholders involved.

But while this has been a challenge in some sectors, cybersecurity seems to have found the secret sauce through four pillars that have been able to collaborate successfully: The President’s National Infrastructure Advisory Council, Critical Infrastructure Policy Advisory Committee (CIPAC), The President’s National Security Telecommunications Advisory Committee, and CISA Cybersecurity Advisory Committee.

Government & industry “together”

Through this partnership, the work put forth by CIPAC is “codified into presidential directives, executive orders, and the National Defense and Authorization Act,” he said. And so, “when we come together, we create products or work on strategies with HHS and ONC,” along with the National Security Council of the White House. “We’ve interacted with all of them on the challenges that healthcare faces in terms of cybersecurity,” added Decker. It’s been “one of the great examples of how industry and government can work together.”

That collaboration played a key role in the development of the Health Industry Cybersecurity Strategic Plan (HIC-SP), “a call to action for organizations throughout the healthcare ecosystem to implement foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.” The goal is to help transition from “the critical state that we’re in now” to a stable condition by 2029 by harnessing the collective experiences of leaders from across the spectrum.

Defining the outcome

A big part of that came in the edict that was issued to build cybersecurity performance goals. At first, said Decker, the thought was to plug in HICP, but “HICP is too big. The a-ha moment for me was that CPG has goal statements inside of it. The goal is the magic sauce – it defines what should be done. It doesn’t tell you how to do it. HICP tells you how to do it,” he added. “When we started doing this, it was ‘let’s refine the goals. Let’s define the outcome that we’re trying to achieve with all of this, and then mash it with HICP.’ That’s exactly what we did. And it has fit in nicely.”

That piece has become critical in the development of CPG, particularly as more guidelines and regulations have been introduced in the past few years to help safeguard data. “We don’t want another set of lists,” said Decker. “We don’t want something that’s going to confuse what we’ve told the industry for the last 6 years. They need to complement one another.”

“Purposeful” language

They also need to be published using language that can be understood by all types of individuals, not just cybersecurity professionals. “We’re trying to hit multiple audiences and approach non-IT and non-cyber people to drive awareness and drive momentum,” he said. “You can’t use a bunch of jargon that people can’t understand.”

At the core, any framework should center around one basic tenet: hygiene. “We’ve got to get cyber out of the back room and into the clinicians’ understanding. Cyber safety is patient safety,” he said, citing a tagline from HICP. “If our systems are down for a prolonged period of time, it could cause safety issues. And so, keeping that hygiene up is patient safety.”

And it’s what can hopefully prevent the next ransomware event.


Want more from this interview? Enjoy the full episode on your favorite listening platform.


© Copyright 2024 Health Lyrics All rights reserved