COVID-19 was a shock to the health care sector that required provider organizations to quickly support the influx and sudden shift to remote work, as well as swift adoption of remote care technologies. This week, a HIMSS21 discussion highlighted how two major U.S. health systems successfully achieved those necessary emergency care goals.
On Wednesday evening, Stephen Dunkle, Geisinger Health System chief information security officer, and Kathy Hughes, CISO and vice president of Northwell Health, shared how their security teams tackled enterprise needs after the initial shock of the pandemic wore off.
In short, collaboration, patient safety, and business operational needs, alongside risk management, became the drivers of the pandemic response. The challenge then became this: how could the security team become more tactical, and how could the health system continue operating in the new highly remote environment?
Health care in particular faced heightened pressure as the number of cyber incidents continued to rise during the rapid shift to remote care. Hughes and her team leveraged previously prepared and practiced disaster recovery plans, leaning heavily on productivity, effective communication, and collaboration.
For Dunkle, the normal organizational aspects fell by the wayside when the pandemic hit. Executives threw their support behind the security team, as an all-hands-on-deck approach would provide the most effective plan for tackling these new challenges.
At Geisinger, the executive team engaged the cybersecurity team in all efforts, fueling communication channels that had workforce members checking in with security before making a change to ensure it was an acceptable process.
“I’ve been in this profession for many years, but never anticipated what we encountered here. There were so many moving parts,” said Dunkle. “But everyone understood the stress involved in this, so we listened much better.”
Risk management is of equal importance amid COVID-19, and sometimes more of an imperative than security itself. But with this new reality, patients come first, Dunkle added. “If we’ve communicated the risk and we’ve advised the team, the right thing is to do what’s best for the patient and the organization, while mitigating risk as much as we can.”
By adopting this mindset, Geisinger was able to be very nimble at a time when the situation bore much uncertainty. Dunkle noted that bureaucracy has been pushed aside in the last year as well, driven by the need for partnership and thinking outside of the box.
Engagement and communication also proved vital at Northwell Health, where Hughes’ team worked to better support its remote workforce. With 76,000 employees, ensuring collaboration with senior management from IT and outside the department enabled the health system to better tackle some key technology and communication gaps.
Hughes leveraged email and systemwide infographics that explained to staff what to do in certain situations, alongside intranet communication, screensavers, and videos to engage with staff about the areas of concern. The security team continued to employ phishing training, as well, particularly as attackers continued to target health care workforce members.
Awareness and training were front and center of every effort.
“It was important for all different areas of the health system to have one voice across the user population, so all departments collaborated on these efforts,” said Hughes.
“Nothing is normal”
Around the country, all businesses are adjusting to the “new normal” and what it means for workforce members, operations, and even security. For health care entities, the complex challenges continue to fluctuate.
“I think the new normal is that nothing is normal. We’re at a point where, what worked yesterday might not work today. And that’s okay,” said Dunkle. “That’s our new normal. We need to be very adaptive and understand that change is just our way of life, from a professional standpoint.”
As with most things, some individuals can deal with the fluidity of the environment better than others, but Dunkle stressed that the workforce is adjusting to the new way of doing business.
From a security perspective, that means patient care comes first and that security may not be the key priority. The security team now considers itself a service organization “that happens to be in the security business,” explained Dunkle. “Part of our role is to ensure security works for the organization.”
The goal now is to provide the health system and clinicians with needed tools and support and then improve on security in the future. Dunkle’s team relies on collaboration with the care team staff to understand some of their challenges and areas of friction, and then provide the necessary, secure solutions. Those same processes were applied to telehealth.
Northwell Health intends to maintain a largely remote workforce, at least for the IT and security teams. The effort began before the pandemic, to ease commuting and other workforce challenges, and included the earlier adoption of Microsoft Teams for communication purposes.
In fact, the health system already had much of the remote infrastructure in place to support a remote workforce, which made the pandemic-induced shift seamless. Hughes explained it was a matter of increasing capacity and communication, then extending the model to the entire organization.
The pressure points were then just educating users on how these remote functions worked, the need to improve phone call communications, and increased planning around the logistics.
In terms of remote care, Northwell Health had a telehealth solution in place prior to COVID-19. Once the national emergency was declared, Hughes’ team quickly worked to expand the access and work toward better vetting the platforms.
The efforts have proven successful for both the patients and the workforce, which means Northwell is actively expanding on these implementations to better support a remote workforce and patients who may also be seeking a more efficient use of time for health care needs.
The formulas worked at both Geisinger and Northwell Health, allowing the organizations to come together to face COVID-19 and the related challenges head-on.
“I never felt we had a true divide between clinical and IT before COVID-19. We always prided ourselves on listening to what they needed and always involved their input,” said Hughes. In doing so, her team was able to help another health care entity during the October cyberattack wave.
Overall, it took collaboration between IT and clinical to make it happen. For other organizations looking for similar successes, Dunkle stressed that it takes planning ahead and anticipating threats, while working hard on the intel. “We can win this game by being ahead of the curve.”