A spate of well-publicized ransomware attacks has plagued the healthcare industry in recent years, increasing pressure on cybersecurity chiefs to safeguard healthcare operations and precious data from bad actors. Healthcare is an attractive target for digital criminals. The nature of data used by the industry makes it more vulnerable to cyberattacks than most other fields of business, says Dave Summitt, vice president of cybersecurity at Florida Cancer Specialists & Research Institute (FCS).
Healthcare organizations deal with more data types—including information related to patient care, insurance, and medical research—than enterprises in most other industries, he explains, leading to more points of vulnerability and higher consequences.
In the worst case, cybercriminals can shut down an organization’s technical systems, paralyzing its ability to function and causing harm to patients. “In the industry, there have been adverse outcomes including deaths,” Summitt says. FCS’ numerous locations add to the challenge for its cybersecurity team. The organization has 100 locations throughout Florida and over 4,500 employees.
Summitt’s passion for protecting vital data and ensuring his organization serves patients’ needs is fortified by personal experience. “I’ve had nine individuals—family members and friends—diagnosed with cancer over the past ten years,” he says. “Eight have passed away.” FCS’ work to treat patients and find cures for the dreaded disease enticed him to sign on as head of cybersecurity for the organization in July 2022.
In his tenure to date, he has focused on two main areas: building organization-wide awareness of threats through user training and ensuring the company implements proper security protocols. Users must be consistently educated on threats and the strategies cybercriminals employ to infiltrate networks, Summitt says. Something as simple as a user clicking on a link embedded in an email can be enough for a cybercriminal to worm their way into vital data stores. This strategy is cheap and easy to execute, making it attractive to bad actors.
“A threat actor wants to do the most amount of damage and get the most amount of money for the least amount of effort,” Summitt explains. His team uses a variety of methods to educate users; in some training sessions users are shown live maps of current attacks happening around the world. These tools, offered by cybersecurity vendors, help drive home the need for everyone in the organization to be vigilant.
The other chief area of concern is ensuring that cybersecurity is up to date with best-practice protocols. Part of the challenge is getting buy-in from organizational leaders for investment in technology, personnel, and training. Many organizations have a tendency toward complacency, not believing that they will fall victim to a serious cyberattack, Summitt notes. They can be resistant to implementing new technology and security controls if users complain that a new approach reduces productivity. (This may be just a short-term consequence of implementing beefier security, though.)
It falls on cybersecurity chiefs to make the case to the C-suite and board of directors for robust cyber defenses. “You have to be a good communicator and understand the business,” Summitt says. That includes knowing which areas of the business are most critical to the mission and which systems are most vital to maintaining operations to get the best cybersecurity ROI.
Many IT specialists excel at the technical aspects of their work, but strong interpersonal communication doesn’t always come naturally to them. “You can have all the talent in the world, but if you can’t communicate well, you are not going to be able to lead,” he advises. Leadership skills can be cultivated, though. Summitt credits the teachings of leadership expert John Maxwell as a strong influence on his leadership style and approach.
Maxwell’s “servant leadership” philosophy is about “making sure that the people under you have what they need to do their jobs,” Summitt says. “You need to pave the way for them to do what they do best.”
Summitt also advises cybersecurity executives to look outside their departments for possible solutions to tough problems. For example, those working in data analytics might have valuable insight on data security that security-focused personnel wouldn’t be aware of. “I can talk to other CISOs [chief information security officers], but we have our blinders,” he explains. “Someone in data analytics might have an entirely different perspective.”
Seeking out new perspectives is part of the formula for maintaining vigilance in the constantly shifting arena of cybersecurity, where bad actors continually change their strategies. Because cybercriminals look for the easiest targets to attack, companies that fall short in implementing good security standards are the most vulnerable, Summitt observes.
This challenge may cause some sleepless nights, but it also drives the VP to constantly sharpen the organization’s cybersecurity acumen. In healthcare, that is a must.
Before joining Florida Cancer Specialists & Research Institute, Dave Summitt launched the 3 Point Cyber podcast, which discusses “cyber topics for the layperson” over fourteen episodes and features a range of cybersecurity experts.
A couple of episodes featured university students who were interested in the field, including members of a University of Tampa hackers club and a student interested in cybersecurity who wasn’t sure which aspect of the field would be most suitable. The latter discussion helped the student figure that out and can be instructive to others considering a cybersecurity career.
There hasn’t been enough time to record new episodes since Summitt became vice president of cybersecurity, but “I plan on picking it up again sometime in the future,” he says. “It was a labor of love.”