Privacy and Security by Design

Cyberattacks in healthcare have increased by 500 percent over the past several years. Jacki Monson of Sutter Health is leading the charge to stop them.

When she was a child, Jacki Monson would wander the halls of the hospital where her mother worked in healthcare administration. “I spent as much time there as anywhere else,” Monson recalls, noting that as a little one she was used as a “test baby” during pediatric initiatives.

This was long before cyberattacks became a demonstrable threat to hospitals. After all, it took the healthcare industry quite some time to begin storing records digitally. As recently as ten years ago, medical files were still kept in cabinets. And while having patients’ information go digital has been beneficial for hospitals, doctors, and patients, EMRs unfortunately weren’t created with security as a top priority.

“If you would’ve asked me five years ago if the technology was going to constantly suffer from cyberattacks, the answer is that it would’ve been very unlikely,” Monson says.

Jacki Monson, Sutter Health

Now, as the chief privacy and information security officer at the nonprofit health network Sutter Health, Monson has seen firsthand the importance of security in the realm of healthcare. She notes that cyberattacks and security breaches have increased exponentially over the past several years, especially now that biomed devices are also becoming subject to attacks.

“Healthcare is pretty vulnerable because the technology was never designed with security in mind,” she says. “It’s always much harder to go backwards and try to redesign that password that’s already been implemented—the one everybody is already using.”

When it came time for college, Monson decided to pursue law instead of healthcare, but she soon found herself interning for the general counsel of her mother’s hospital. During her internship, she worked on HIPAA law in addition to general compliance, an experience that helped ignite her passion for healthcare and issues of privacy and security. Her career eventually led her to a role at the Mayo Clinic as the organization’s chief privacy officer, where she worked for two-and-a-half years before yearning for her next big challenge.

Her next undertaking came at Sutter, which offered her the opportunity to help build out the company’s privacy program at a corporate level. “Most people would probably be scared by that,” she says, “but I viewed it as a dream opportunity to actually—from start to finish—design a program instead of having to work with one that’s already been developed.”

Monson developed a model suited specifically to Sutter and, after two years, had built a sizable, fully functioning privacy program. In fact, the program was so successful that senior management offered Monson the opportunity to extend her reach to the company’s information security as well. By fusing together the consistencies she found between both cyber and insider threats, Monson says she’s been able to provide a more holistic view of the risk landscape and possible incidents. Privacy informs information security and vice versa, she says.

Another key to Monson’s long-term success is her focus on being proactive instead of reactive. Reactiveness, she says, tends to be the go-to mind-set for people in cybersecurity because of the constant threat of breaches and the need to resolve them as quickly as possible. Monson, however, believes that a reactive approach is ultimately going to be quite costly to the healthcare industry and that it could impact the safety of patients.

A proactive approach, though, centers around working to meet business needs while also ensuring that all privacy and information security requirements are met, a process she calls privacy and security by design. This means clearly articulating these requirements to those leading Sutter’s myriad initiatives. That can apply to the facility department’s remodeling efforts or to Sutter’s partnership with a company that uses smart glass technology to help chart information in patients’ medical records. By building a strong foundation at the beginning of a process, Sutter won’t need to backtrack in the future. Unlike the healthcare technology of the past, these new initiatives are being designed with security in mind.

What’s important, then, is the ability to be proactive and reactive simultaneously. “You have to be able to respond to cyberattacks or privacy breaches while, at the same time, seeing that light at the end of the tunnel of what proactive looks like,” Monson says. The benefits of a proactive approach in terms of strategy and technology can result in what Monson describes as a job that can ideally be 80 percent proactive and 20 percent reactive.

Monson credits her ability to balance the proactive and reactive elements of her job to the senior leaders at Sutter, who she says are forward-thinking and supportive of her team’s vision. “In that aspect,” she says, “we’re paving the path that other large organizations are following.”

Given that Monson and Sutter are exploring new territory for healthcare privacy and cybersecurity, Monson has found herself drawing inspiration from other industries. “The financial sector, for example, is much more sophisticated than healthcare in a lot of these spaces,” she says, “so we’re always seeing what we can glean and learn from them.”

Monson also emphasizes and celebrates the creative mind-set of her team, who she says work together to find the best ways to manage a new or trending issue that’s different from previous issues.

Building that strong foundation is important to her on both a professional and a personal level. Her mother has been with the same hospital for forty-three years, she says, and it’s clear that the same level of commitment runs in the family.

“I’m passionate about healthcare because I grew up in that space. I’m passionate about providing the best care possible to patients,” Monson says. “My work directly impacts the safety of the patients. If you’re not keeping your patients’ information secure, then you’re not taking good care of the patients.”