Methodist Le Bonheur Healthcare CISO Steve Crocker on identity governance and cybersecurity

Methodist Le Bonheur Healthcare CISO Steve Crocker on identity governance and cybersecurity

Healthcare organizations are going through a time of tremendous change. To deliver care more efficiently, such organizations are increasingly investing heavily in digital transformation efforts, moving to cloud-based systems, and deploying electronic health records. These efforts are putting enormous strains on security and identity teams within healthcare organizations.

To discuss these trends, we recently caught up with Steve Crocker, chief information security officer at Memphis, TN-based Methodist Le Bonheur Healthcare. During our talk, we discussed his career, the nature of cybersecurity and healthcare, and the role of identity management at Methodist Le Bonheur Healthcare.

Here’s an edited version of our discussion.

Thanks for taking the time to talk with us today, Steve. Could you tell us a little about your current role at Methodist Le Bonheur Healthcare and how you got started in cybersecurity?

Yes – I’m the chief information security officer at Methodist Le Bonheur Healthcare, a non-profit system made up of 6 hospitals, many urgent care facilities, and about 100 physician clinics. Methodist hired me about three and a half years ago to build the organization’s first information security program. Prior to starting that program, there was a very decentralized approach to security which focused more on HIPAA compliance, rather than risk management. Centralizing security helped provide better oversight and governance and was key to getting the program started.

Prior to joining Methodist, I was the CIO for a mid-sized bank based here in Memphis and security was an integral part of my role there for 14 years. The banking industry has dealt with cybersecurity issues much longer than healthcare, and financial institutions tend to have more mature security programs.

Relatively speaking, healthcare has been a late adopter of technology, when you consider that it wasn’t that long ago that many providers were still using paper charts instead of Electronic Health Records (EHR). During the last decade or so, healthcare has seen a big surge in the use of technology innovation to help improve patient care. Some of that was encouraged and driven by government subsidy programs such as Meaningful Use, which paid healthcare organizations for quickly digitizing their records. Unfortunately, security was sacrificed for speed and the industry built up a lot of “technical debt” that will now need to be addressed. The industry’s lack of attention to fundamental security controls, combined with the high value of medical records on the black market, has resulted in healthcare being the most targeted industry for cyberattacks. This has led to many within the industry forced to play catch-up and manage these data security and patient safety risks for the first time.

There are many components to our security program at Methodist, and identity and access management is one of the key areas of focus. Healthcare identity management can be very challenging and complex since many organizations must manage large numbers of non-employed identities with no single source of truth. For instance, we are an academic medical system and the non-employed identity numbers are almost as high as our actual employee count. Among others, we manage identities for students, residents, community physicians, and their staff. In my opinion, identity is the new perimeter in healthcare. It’s now less about firewalls and securing the boundaries, and more about controlling access for many different user types, devices, and locations.

Do you believe having worked as a CIO provides you with a different perspective than many CISOs?

I think it does. In a lot of ways, information security’s role is to audit IT’s controls. Understanding what’s important to IT helps build better relationships. Their focus tends to be more on customer service, response times, and system uptime and we have to keep that in mind when working with them. At the end of the day, we still have to get the controls in place to keep the organization secure. But if we want them to care about our objectives, we have to care about theirs.   

Are there differences between the nature of data security in banking and healthcare organizations?

Yes – they are quite different. Both industries are highly regulated and handle a lot of sensitive data. There is definitely some overlap in approaches, but there are as many differences as there are similarities.  

A big difference is how they deal with data sharing and data protection. Banking tends to build virtual walls around their data since there is less need to share data with others and when they do share, it’s tightly controlled. Healthcare’s workflow is a lot different. Making data available and accessible between organizations improves patient care. In fact, the government can fine organizations that don’t support interoperability and get in the way of the free exchange of data. While this is good for patient care, it creates some very difficult challenges for healthcare CISOs. If you think about it, it almost seems counterintuitive: How do I share information with everybody and make it available to everybody, including the patient, and at the same time secure it?

Are there other ways healthcare is different from other industries?

You know, culturally there is a big difference. That’s one of the biggest issues that we deal with because cybersecurity is still so new in healthcare. It’s ingrained in the workflows in financial services, but is often still viewed as a barrier in healthcare.

The direct oversight from regulators also differs between industries. Banks are accustomed to having auditors and regulators in their office almost year-round. Due to funding challenges, the Office for Civil Rights (OCR) typically only performs audits of healthcare organizations when there has already been a breach or when there is a complaint filed. While there was often angst leading up to a visit by the regulators, it helped to keep banks prepared. It would be interesting to see how quickly the healthcare industry would improve if they knew the OCR was going to audit their security program at least once a year.  

The biggest difference between the industries though is the human component in healthcare. In our industry, the stakes are high and everything is now interconnected. We have to avoid endangering patient safety with cybersecurity controls. However, not having the right controls can also cause patient safety risks – such is the case with ransomware and missing security on medical devices. In fact, the US Department of Health and Human Services (HHS) Cybersecurity Taskforce presented a report to Congress in 2017, which stated that healthcare cybersecurity is in critical condition and this lax security is a patient safety risk, which is an argument I have long held.

You mentioned that you were hired to help centralize the security program. What are some of the challenges you face working to achieve that?

It’s mostly cultural and managing a large amount of change within the organization. Almost everything we do is new and managing all this change can be difficult. Clearly defining the scope of what an Information Security department does, and just as importantly – doesn’t do – is really important. Sometimes, the expectations are that InfoSec owns all risk remediation, which results in the misallocation of security resources. Educating on risk ownership and proper risk treatment is an ongoing process and has been especially challenging.

What are some of the most important initiatives you have underway now and planned for the year ahead?

There are many, but the one most relevant to this discussion is our Identity and Access Management program, and SailPoint is a key component of that program. Our goal is to make SailPoint the single pane of glass for identity and access management. That will take time to integrate the many applications we have so, we are prioritizing application onboarding based on risk. We started with Active Directory, EHRs, and our ERP systems and we are working our way out from there.   

We’re also focusing a lot of attention on privileged access and how those PAM tools can integrate with SailPoint. Leveraging the increased use of federated identities is also helping to simplify administration and governance. One of the most effective additions has been multi-factor authentication, and we are continuing to expand its use where it makes sense. As mentioned earlier, identity and access management is one of our top priorities at Methodist and we count on SailPoint to be the central hub for our IAM program.

NOTE: The views and opinions expressed in this article are those of the interviewee and may not necessarily reflect the views of his employer.