Christopher Plummer, Dartmouth Health: ‘Everyone working in hospitals: Cybersecurity is your job, too’

What does your role as senior cybersecurity architect entail?

It’s a very broad role. I’m trying to keep pace with cybersecurity threats all across the globe, not just in healthcare. Really, anything that’s happening on the planet could potentially happen to us.

My role is not only to digest that every day, but also to understand how we mitigate those things in the context of an academic medical center or a large health system. That includes keeping pace with a breadth of cybersecurity tools and solutions that are out there to help. It’s also about understanding the people and processes involved in augmenting those.

It’s tough to take a day off in cybersecurity, because that could be a big day. You’re kind of permanently plugged in, but you do it because it’s fascinating work.

Is it common for health systems to have a dedicated cybersecurity program? Is Dartmouth Health doing something different that other systems could benefit from?

I would venture to say that all hospitals have a program at this point. The real question is whether they have dedicated cybersecurity resources.

I’ve heard the number fluctuate [when it comes to how many U.S. hospitals lack a dedicated cybersecurity employee]—maybe it’s 75% or maybe it’s in the high 90s. But I’ve had conversations with many hospitals, and I’m fairly comfortable [saying] it’s certainly in that upper three-quarter range. That’s a frightening prospect, considering how deep a cybersecurity program in a hospital really needs to be. That’s getting done by committee in organizations that lack full-time resources, and it just further strains folks who are there to do other work.

We’re very fortunate to have dedicated cybersecurity resources at Dartmouth Health.

Filling cybersecurity positions has been a challenge across industries, including healthcare. How has Dartmouth Health dealt with the national cybersecurity workforce shortage, and what strategies have you found to be effective?

The work of cybersecurity [requires] institutional knowledge that takes years to cultivate, and it’s hard to outsource that. It’s tough to pull in somebody fresh from the outside who’s really only here on short-term engagement. It goes back to retaining our skilled employees.

I don’t think there’s a hospital in America that has not taken a look at salary. Trying to be as competitive as possible on salary is important. It’s also about what we can extend in terms of flexible work options. I think initially there was some trepidation because you’re talking about patient data flowing out of a hospital and maybe into somebody’s house where they’re working remotely. That was really hard to come to terms with, but I think we’ve done it for the last few years. I think all hospitals have done it, and it’s something that we could extend.

Download Modern Healthcare’s app to stay informed when industry news breaks.

Another strategy is thinking about career advancement. [It’s important for systems to consider] how we can train you, how we can educate you, and how we can make you a highly skilled person who will be a fantastic cybersecurity resource. Then, importantly, how we can recognize that work you do.

The work of cybersecurity in a hospital is often in the shadows, but we must recognize the work of anyone willing to wake up every day and come to work in a hospital.

What are the incentives for health systems to adequately prioritize cybersecurity?

I think the biggest lever we’ve seen in the last few years is cybersecurity insurance. That has been a mainstay of any hospital’s cybersecurity program. Cybersecurity insurance has evolved over the last few years in terms of its expectations of what a hospital security program looks like. So that’s been an important driver for change in every hospital and has directly influenced hospitals’ awareness of cybersecurity programs and staffing.

The work of cybersecurity [requires] institutional knowledge that takes years to cultivate, and it’s hard to outsource that."

Given the number of healthcare data breaches, what advice would you give health system leaders about preparing for and responding to cyberattacks?

Employee retention is number one. Your people are everything. You can’t defend your house if no one’s home. It’s just that simple.

We also have some cybersecurity pillars that are not often talked about. Things like asset management, vulnerability management, identity and access management, supply chain management, and third-party risk management are cornerstones of a security program, and they’re very hard to solve. Unlike email protection or endpoint protection, which are places where hospitals bleed out profusely if not addressed, these other pillars are not necessarily solved by products. They require people to run those solutions.

Providing that you have a good handle on some of these critical areas like email and endpoint security, it’s about creating that great foundation—starting with asset management—and building your program from there. Otherwise, if the foundation is not good, then the program will not operate at the skill level that it needs.

I think information shares are critically important, especially in organizations where you’re the sole cybersecurity full-time employee. You need to know someone else is out there going through what you’re going through.

Generating regional information shares has been so powerful for us. In New England, we have a regional information exchange among hospitals at the cybersecurity level. Hospitals can remain competitive. But for us to manage risk in hospitals, we can’t have any secrets around what’s working and what’s not working.

Do you expect the threat level to increase, decrease or remain about the same in the short term?

I think it isn’t going anywhere. The nature of hospitals is that we consolidate out of necessity for a number of reasons. When hospitals consolidate, they become more complex. And when hospitals become more complex, their attack surface increases, because there’s so many more things to look at and consider. Unfortunately, I don’t think it’s going anywhere, but as long as we have good folks ready to do the work, I think we’re well prepared for it.

What’s your message to everyone else working in healthcare? What can those outside of information and technology departments do to help promote cybersecurity?

Cybersecurity is a formal department in most hospitals, but it really is an embedded function of everyone’s job. Cybersecurity cannot happen unless everyone is doing it. We can certainly be the ones who process the signals of cybersecurity and understand when things are going sideways, but we can’t be secure if everyone does not adopt that mentality that they are a cybersecurity person, too. That is so powerful, and we see that in our organization. It’s a really important message that I think needs to pervade. Everyone working in hospitals: Cybersecurity is your job, too.