The Need
As the only standalone children’s hospital in the state, Children’s Hospital of The King’s Daughters (CHKD) plays a vital role for families in Virginia. Joseph Hooks joined the organization’s Information Services team in 1997, became CTO in 2010, and added corporate information security officer (CISO) to his title in 2012.
Recently, the security aspect of his role has taken on new significance. It started with the need to ensure secure external connections for more clinicians and a slew of new medical devices. At the start of the pandemic, the human side of that equation grew exponentially. At the same time, the hospital saw an explosion of threat vectors, including spear phishing campaigns and money-transfer requests directed at top executives. Indeed, Google reported a 350% increase in active phishing websites between January and March of this year.
In the midst of this escalation, it’s easy to lose sight of basic cybersecurity tasks like security event monitoring and annual HIPAA risk assessments (RAs). Although RAs are required by the HHS Office for Civil Rights (OCR) and are the first thing requested in the event of a breach, hospitals are not required to report on their completion or on the progress being made to mitigate problematic findings.
Hooks has observed healthcare organizations in his area and around the country experience breaches and pay significant fines. He also knows how easy it is to begin tackling high-priority items identified in an RA only to get pulled away by new initiatives needing new solutions or integrations directly related to clinical care or facility operations.
Additionally, a scarcity of talent and high salary expectations make it difficult for CHKD to recruit and retain information security staff. Recruitment problems combined with increasing cyberattacks left the team unable to meet current demand.
When the security firm CHKD was using to manage its SIEM sold that part of its business to a company that didn’t provide adequate visibility or produce satisfactory reports, Hooks turned to the organization’s EHR vendor, Cerner, for a recommendation.
The Solution
Hooks and his team now work with Cerner’s cybersecurity partner, Fortified Health Security, which provides a purpose-built, healthcare-focused managed SIEM service that aggregates and correlates security events and alerts on critical events and incidents, backed by a team that provides remediation recommendations and guidance.
Additionally, he contracted Fortified to conduct a yearly RA along with monthly calls to identify which gaps have been closed and which high-profile items will be tackled next. He leverages the partnership while working collaboratively with other members of the Corporate Compliance team, including the Health System’s privacy officer.
Hooks finds that having consistent, in-depth data to bring to executives and managers not only demonstrates the progress being made in closing the gaps and protecting patient data, but also forms the basis for discussing resources.
Essentially, Hooks and his team use the RA process as a way to identify and discuss risk, measure progress, and address the potential need for additional resources with other departments and (most importantly) the C-suite and the board. This has proven essential in creating alignment between IT/security and the rest of the organization.
The Outcome
Hooks says outsourcing the SIEM, SOC, and RA functions is a definite win. The monthly calls ensure the team is working to close the gaps identified by the assessment and guarantee that, if CHKD experiences a breach, demonstrating a current plan that is being actively worked will be a very simple matter.
The additional monitoring and analysis have been a tremendous help to Hooks’ team, alleviating stress and opening up schedules. Having someone to turn to for advice or aid during an after-hours event, rather than having to rush back to the hospital, is a boon to the heavily burdened team.
For Hooks, providing top-notch cybersecurity and outstanding connectivity to CHKD clinicians is a personal point of pride. His daughter was treated at the hospital from birth for various conditions and again as a toddler undergoing brain surgery. She is now a healthy, active 13-year-old, but Hooks still approaches everything his team is asked to do with the kids it will affect in mind.
“Nothing has been as effective as the contract with Fortified to provide the ongoing risk assessment,” said Hooks. “Everyone in the industry is concerned with having OCR knock on their door and say: Show me your risk assessment and what you’re doing about it. We can do that—we can show the progress we’re making. We’re not sitting idly by hoping we skirt an issue.”