Breaking Out of the Security Mosh Pit: A Transformation in Healthcare IT
In the fast-paced world of healthcare technology, change isn’t just a goal—it’s a necessity. Jason Elrod, the Chief Information Security Officer (CISO) of MultiCare Health System, has seen firsthand the challenges and opportunities that come with modernizing legacy systems. He states, "Healthcare loves to walk backwards into the future," highlighting a worrying tendency within the sector to focus on past practices rather than preparing for future advancements.
The Challenges of Legacy Systems
Healthcare’s approach to information technology has often been chaotic. For businesses where system uptime is critical—24 hours a day, seven days a week—security teams typically take on gatekeeping roles. Rather than fostering innovation, these teams have traditionally been seen as the “Department of No,” focusing more on risk mitigation than the advancement of healthcare delivery.
MultiCare Health System, with its vast network of hospitals, urgent care clinics, and thousands of employees serving millions of patients, faced these challenges head-on. To navigate this landscape effectively, a new strategy was imperative—one that embraces innovation without compromising safety.
Jason Elrod’s Perspective on Healthcare Security
Elrod’s extensive experience as a healthcare CISO shapes his understanding of security dilemmas unique to this sector. He emphasizes several persistent operational realities:
Always-on Operations
Healthcare services must remain functional at all times. "When can you take it down? When can you stop everything and upgrade it?" Elrod asks, underscoring the constant demand for availability.
Life-or-Death Access Requirements
Quick access to medical information is vital; any delay can have serious consequences. Elrod notes, "We have to make sure all the information we need is available when needed, with minimal friction."
Expanding Attack Surface
The rise of telemedicine, remote work, and connected medical devices has broadened the threat landscape. “It’s like a bowl of spaghetti where each strand needs to communicate with others, but only the necessary strands should connect,” he explains.
Misaligned Incentives
Healthcare IT teams often prioritize speed and availability, while security focuses on compliance and privacy. This friction can lead to burnout and operational breakdowns.
But what if security could actually facilitate better patient care instead of hindering it?
Identity: The Key to Modern Healthcare Security
A pivotal shift occurred at MultiCare with the adoption of identity-based microsegmentation through Elisity. Elrod explains, "The biggest attack surface is the identity of every individual." This focus is crucial because it ensures that information remains accessible when needed, yet secure.
Traditional segmentation relied on complex technologies like VLANs and firewalls, creating an unwieldy network structure. The Elisity approach changed the focus to identity rather than network location, bringing several advantages:
- Dynamic Security Policies: These adapt to users, workloads, and devices wherever they are on the network.
- Granular Access Controls: Security perimeters can be tailored around individual assets.
- Existing Infrastructure Utilization: This method allows for microsegmentation without necessitating extensive hardware investments or complex reconfigurations.
From Skepticism to Transformation
Elrod faced initial skepticism when introducing Elisity’s solution. His technical team questioned the feasibility of integrating such a solution with their existing systems. Yet, the tangible benefits soon dispelled doubts. “When you see a solid solution doing what it promises, opinions change,” he recalls.
The outcomes were promising:
- Quick implementation that didn’t disrupt operations.
- Real-time policy adjustments that previously took weeks to process.
- Improved visibility across fragmented environments.
- An enhanced security stance without sacrificing system availability.
Fostering Collaboration Across Teams
One surprising advantage of identity-based microsegmentation was its ability to transform team dynamics. Elrod explains that the previous adversarial relationships gave way to collaboration. “It changed from ‘How do I get around you?’ to ‘How do we work together?’”
With a shared focus on mutual goals, IT and security teams are now aligned rather than competing. Both teams benefit from the same tools and dashboards, leading to a more cohesive strategy.
Enabling a Culture of Yes
The implications of this transformation extend across healthcare providers. Elrod notes that easing concerns around access and compliance paves the way for faster decision-making. “We can operate at the speed of need rather than bureaucracy,” he states.
Advantages for Clinical Staff
- Speed of Service: Teams can respond swiftly to needs.
- Tailored Network Segments: Providers can have personalized network access based on identity.
- Enhanced Trust: Confidence in the security and functionality of systems allows teams to focus on patient care.
Integrating Security and IT Operations
The divide between security and IT operations is diminishing as more organizations recognize the benefits of integration. Research indicates that poor communication between these teams often leads to security vulnerabilities. Entities with a collaborative framework report 30% fewer significant security incidents.
For healthcare institutions, where the stakes include patient safety, the integration of security and IT operations is crucial. A study noted that healthcare facilities enduring ransomware attacks with siloed operations experienced increased patient mortality rates. This stresses that cybersecurity isn’t merely an operational issue—it can directly impact lives.
Financial analyses support this trend as well, showing substantial returns on investment for integrated operations.
A Bridge to the Future of Healthcare
For Elrod, identity-based microsegmentation represents more than just a technological shift; it’s an essential step toward a progressive future in healthcare IT. He acknowledges that while the technology of the past served its purpose, there is now a critical need for solutions that align with current demands.
As organizations continue to balance security with the need for smooth patient care, fostering a culture that prioritizes both security and operational efficiency will be key. The shift to identity-based microsegmentation has proven that security can evolve from a barrier to an essential component of modern healthcare, creating an environment where "yes" is the default response while maintaining compliance and safety.
To learn more about how identity-based microsegmentation can transform your organization and foster a culture of approval, consider exploring the resources available through Elisity.
