healthsystemCIO.com

Q&A with Intermountain Healthcare VP/CISO Erik Decker: CPGs Will Help Organizations Clarify Their Cyber Mission

02.05.2024 - By Anthony Guerra


Cybersecurity in healthcare is at a tipping point, poised to move from the voluntary to the mandatory, although not quite yet. For now, it’s still up to organizations as to whether or not they want to comply with any specific framework or set of best practices. Of course, demonstrating adherence to 405(d)’s HICP should get some favorable consideration if things go south, and a lack of basic controls will get you laughed out of your cyber-insurance provider’s office, but technically it’s still up to you. And, for now, that will continue with the release of HHS’s HPH-CPGs – a set of essential and advanced best practices that should serve to help organizations cut through the noise and plot a sound cyber course, according to Intermountain Healthcare VP & CISO Erik Decker, who also serves as chairman of the cyber working group of the Health Sector Council. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Decker discusses why the CPGs are important, how most attacks happen, and what security professionals can do about it.


Bold Statements

… an example is 92 percent of organizations have put multifactor authentication on email, on the email portal, so that sounds like a good number, except for the fact that phishing and credential attack via social engineering is the number one attack that hits organizations. So if you don’t have multifactor authentication on your email system, and all you have is a password protecting your account, it’s going to get hit and people are going to use that account to impersonate you and do more attacks.

… part of the problem in cybersecurity is it’s so big and there’s a lot of noise; there’s a lot of vendors in the space, a lot of people trying to get your attention and talking about, ‘this is the most important thing to do.’ If you don’t have sophisticated cybersecurity professionals, it’s hard to understand what actually is the most important thing to hit first.

If you’re doing everything that you’re supposed to be doing, you’re absolutely right that you are a victim in this case and you should not penalize the victim. I completely agree with that statement. If you’ve ignored it and you’ve grossly ignored it, I don’t know, I mean, in this day and age, that’d be like walking outside in negative 5-degree weather in shorts and T-shirt and getting upset that you got hypothermia.

Anthony: Welcome to healthsystemCIO’s interview with Erik Decker, Vice President and Chief Information Security Officer with Intermountain Healthcare. I’m Anthony Guerra, Founder and Editor-In-Chief. Erik, thanks for joining me.

Erik: Thanks, Anthony.

Anthony: All right, Erik, a little bit about your organization and role, if you want to start off with that.

Erik: Intermountain Health is an integrated delivery network located in the mountain west regions. So we’re primarily based in Utah, Nevada, Colorado, Idaho and some other states, minimally around that area. An integrated delivery network means that we’ve got both the health plan and the provider side, the healthcare delivery service. So we cover about a million lives under our health plan and quite a bit of lives on the delivery side of care.

Anthony: All right, very good. I know your main job is only one of the things you do. So if you want to briefly list the most important indust...
