Intermountain Healthcare Balances IoT Adoption And Security Vigilance - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // Security & Risk Strategy
11:05 AM
Connect Directly

Intermountain Healthcare Balances IoT Adoption And Security Vigilance

Intermountain, a Salt Lake City healthcare provider, innovates with Internet-connected patient devices, but clamps down on security exposures when it sees them.

6 Secrets 100 Winning IT Organizations Share
6 Secrets 100 Winning IT Organizations Share
(Click image for larger view and slideshow.)

Intermountain Healthcare is an insurance program, but it's also a chain of clinics, hospitals, doctors, and clinicians in Salt Lake City and the rural areas of Utah and Idaho.

Due to its widely distributed patient base, it is a pioneer in telehealth -- long-distance diagnosis and treatment supported by mobile device transmission. That makes it reliant on a variety of Internet-connected devices.

"I have to make sure that path is safe and secure," Chief Information Security Officer Karl J. West told attendees of the InformationWeek Elite 100 Conference May 3 in a session on what constitutes world-class security. The event was held at the Four Seasons Hotel in Las Vegas.

That's easier said than done when a hospital is frequently the target of ransomware attacks capable of freezing up data systems, like the one that struck Hollywood Presbyterian Medical Center in Los Angeles for 10 days in mid-February. The institution ended up paying the hackers $17,000 to release their systems.

"We followed that event closely... They were at the point where they were diverting patients to other hospitals," said West, a move that disrupts patient admissions -- the lifeblood of any solvent hospital.

Security to protect against such attacks needs to be consistently applied throughout the organization and supported by staff with a high degree of awareness of the stakes. That often means a re-education process. "Five to ten years ago, people knew more about the air conditioning system than the security system."

Intermountain Healthcare Chief Information Security Officer Karl J. West
(Image: InformationWeek)

Intermountain Healthcare Chief Information Security Officer Karl J. West

(Image: InformationWeek)

To promote that awareness, he doesn't preach security consciousness only to the IT staff and upper management, but also to the entire Intermountain staff of 30,000.

"I meet regularly with a number of people, the chief nursing officer, the chief medical officer..."

Security properly applied doesn't come cheap. "Everything (connected to security) has a cost associated with it. You need to have an organizational shift to understand how this model works."

West ran through a 14-point checklist with attendees, citing things that any organization serious about security must attend to. While the list contained standard cautions about the need for hard-to-guess passwords and the need to make sure security patches are applied to an organization's servers, it also recognized the dawn of the of the Internet of Things in the medical profession.

"We are doing all we can to innovate and help patients," which includes putting sensing and monitoring devices on patients who are being discharged. By giving doctors data in real-time after the patient has gone home, the medical staff has a much more realistic idea about whether the patient is on the path to recovery or not.

Such monitoring allows the doctors to discharge patients a day or two earlier than they might be inclined to otherwise, and it reduces the risk that the patient will need to be readmitted, a process that drives up the cost of treatment. "Return to care cases are reduced 70%" by the move, he said.

[Think Hollywood Presbyterian was an isolated incident? Read Multiple Hospitals Hit in Ransomware Attack Wave.]

The implementation of new data collection and transmission paths, however, must be matched by an assessment of risks to patient safety and the hospital's reputation should that data be compromised.  Protections must be implemented equal to the risks, even when there's a cost involved.

One protection is to segment the network so that the most sensitive information is kept inside the most secure network segment. The participation of third-parties, a common factor in hospital operations, demands periodic reviews of partners with a risk assessment and, if necessary, a change in the terms of the contract with the partner.

CISOs must know where the data is, how it's generated, who analyzes it, and the path that it follows into the hospital's data store. A data dictionary can capture and maintain much of that information as a permanent record.

West said, "If another device is introduced, then the protections must be same. That's a key security priority for us."

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Susan Fourtané
Susan Fourtané,
User Rank: Author
5/7/2016 | 1:45:00 PM
Re: Intermountain has extra incentive on device security

Yes, mastering device security is just one third of it. To have a secure system they need to also master network and cloud security, plus data encryption. 

Charlie Babcock
Charlie Babcock,
User Rank: Author
5/6/2016 | 8:18:23 PM
Intermountain has extra incentive on device security
The fact that so much of the customer base is spread out in rural areas makes mastering device security an absolute priority. An Intermountain is doing that, based on what Karl West had to say.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
How CIOs Can Advance Company Sustainability Goals
Lisa Morgan, Freelance Writer,  5/26/2021
IT Skills: Top 10 Programming Languages for 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/21/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll