'CIO of Year' on Defending Against Hackers
University of Michigan's Schade Spells Out Security Priorities
Bolstering defenses against phishing, malware and remote attacks, as well as broader implementation of encryption and a rollout of multifactor authentication, are among this year's information security priorities at the University of Michigan Hospitals and Health Centers, says CIO Sue Schade.
Schade has been named the John E. Gall Jr. CIO of the Year by the College of Healthcare Information Management Executives and the Healthcare Information and Management Systems Society. Schade will receive the award during the HIMSS15 conference in Chicago.
While the recent hacking attack on health insurer Anthem Inc., which exposed personal information of up to 80 million individuals, hasn't swayed UMHHC's information security priorities for 2015, Schade's plans prove very timely, considering what happened at Anthem.
The insurer has said a phishing attack targeting a small number of its employees is believed to have been a launching pad for hackers who broke into an unencrypted database containing personal information.
UMHHC's health information security plans for 2015 are an outgrowth of a recent security risk analysis that was performed by a third-party professional, Schade says.
"I felt we needed to strengthen our security program and have someone look very closely at it," she says. "We've gotten that assessment, we've gotten the gaps identified, we have a set of recommendations, and we're going to be laying out our plans and timeline," she says in an interview with Information Security Media Group.
"The focus will include increased protection against phishing and malware, so that we're more prepared for what we see in the industry as a rise in remote attacks."
The academic health system is also investing in expanded use of encryption. And it's planning to implement two-factor authentication as part of the rollout of a new identity management system, the CIO says.
Adding a CISO
The ongoing effort to fortify data protection will also include hiring a CISO for the first time, says Schade, who joined UMHHC at the end of 2012. "We have not had a dedicated role to date, so our [security] work has happened, but not at an optimal manner. So we're bringing in a dedicated person to lead those efforts."
Until recently, Schade says one of her primary concerns was the risk posed by an employee losing an unencrypted laptop or USB drive. But recent hacking attacks are raising new concerns.
"What I think we are seeing in the industry is a much, much greater threat of ... attacks, more bad guys focusing on healthcare and higher education. The problem there is the scale. The scale is at a whole different level. The Anthem breach with 80 million records [being exposed] - you're not going to see 80 million records [compromised] if someone loses a laptop ... or an unencrypted flash-drive."
In the interview, Schade also discusses:
- The special challenges that academic medical centers face compared with other healthcare organizations that are not part of a university or research environment;
- The issues involved with securing home-grown applications;
- Why multi-factor authentication is important in healthcare settings.
Schade was recognized as CIO of the Year by CHIME and HIMSS, in part, for her leadership in implementing electronic health records, says Russell Branzell, CHIME president and CEO. "Sue is truly one of the great and influential forces in health IT," he says. "Her vision and passion for healthcare transformation have made an enduring impact on our industry, and she continues to serve as a vital and credible source of knowledge and inspiration to her peers."
Schade joined the University of Michigan Hospitals and Health Centers in November 2012. The institution includes three hospitals with a total of 990 beds, plus more than 120 clinics. In her role, Schade provides direction and oversight to information technology initiatives at UMHHC, works closely with the CIO for the University of Michigan Medical School and collaborates with the University of Michigan CIO on shared infrastructure initiatives. Schade has nearly 30 years' experience in healthcare information technology management. Before joining UMHHC, Schade was CIO at Brigham and Women's Hospital in Boston, which is part of Partners HealthCare.