Steve Crocker – Methodist Le Bonheur Healthcare
There’s a unique challenge when it comes to safeguarding data for healthcare providers. It must be secured according to risk and regulatory requirements, but at the same time, shared with other community care givers and vendors involved in providing patient care.
It’s almost counterintuitive—restrict access to sensitive, regulated data but at the same time, share and make it available to a broad group of individuals and organizations. To make it even more challenging, an individual’s medical record is a virtual gold ticket on the screen of a hacker.
So notes Steve Crocker, who spent much of his professional life overseeing cybersecurity for other industries before assuming that responsibility at Methodist Le Bonheur Healthcare, a Memphis-based nonprofit health system made up of six hospitals and 100-plus physician offices and urgent-care facilities in Tennessee and Mississippi.
As he explains, it wasn’t that long ago when much healthcare recordkeeping was still paper files. The industry’s change to an electronic health record was fast and security was not always baked in. While that’s changing, guidance from the 1996 federal HIPAA act can be outdated and focused more on privacy than modern-day security. Thus, healthcare CISOs often need to be more creative and innovative than their counterparts in other industries, Crocker says.
At Methodist Le Bonheur Healthcare, the process started with him identifying risks and building and fine-tuning a cybersecurity system that bears some similarities to what he used to oversee in his prior role with the former Magna Bank—now Pinnacle Bank—also of Memphis.
“There’s a lot of deja vu,” Crocker tells Toggle in December. “A lot of what we’re doing today is what we were doing in banking seven years ago.”
Only the stakes are higher, Crocker points out: while financial services are about money and livelihoods, healthcare is about people’s lives.
A need to centralize
Chief information security officer since 2015, Crocker says he inherited a disparate infotech system short of governance and policies. But he’s quick to say that this wasn’t unique in the healthcare industry.
“It took a solid year just to get to know the players and figure out what exactly needed to be done,” he says. “The culture of healthcare is different and it took some time to learn how to navigate it.”
Now, as overseer of 19 staffers on three in-house teams—info-security risk management, identity and access management, and security operations—he points to progress on all fronts. Developing risk-management procedures “was an early win” and helped prioritize initiatives and “avoid adding unacceptable risk to the organization.” He also emphasizes the importance of security training for employees, since most successful intrusions begin with a user opening a fraudulent email or link. Among other things, he tests the entire user base with periodic phishing simulations.
Then there have been the relationships that Crocker has built and nurtured with the board and executive team, enabling him to make the case for capital improvements. One early improvement was implementing an automated identity and access management system to help ensure that data is appropriately shared and accessed by qualified users who might be doctors, nurses, lab workers, students and residents.
Crocker chose SailPoint as the foundation for identity and access management, and he’s integrating it with other applications, such as electronic health records, enterprise resource planning and multifactor authentication.
Modern cybersecurity, Crocker goes on to say, is less about firewalls and perimeter security and more about a holistic and layered approach which leverages things like zero trust network architecture principles. He appreciates being able to “bake” security in on the front end, rather than the less effective means of “bolting” it after the fact. He also feels the infotech department has been strengthened by last year’s hiring of a new chief information officer, Ron Fuschillo, who came to Memphis after IT roles at several hospitals, most recently Renown Health in Reno, Nevada.
Strength in separation
While some healthcare operations still combine the duties of CIO and CISO, Crocker stresses the need to separate the positions. Let the former lead overall IT strategy while the CISO identifies and mitigates risks. Having served in both capacities, Crocker understands that IT and cybersecurity are two entirely different disciplines, with oftentimes competing priorities. Separating the two is a strategy that Crocker believes is long overdue in healthcare.
“In healthcare, ransomware made cybersecurity a boardroom discussion, and not just an IT discussion,” Crocker says. “We don’t want to be in the situation where we have to divert or transfer patients to other hospitals and endanger patient safety.”
Crocker says Methodist Le Bonheur Healthcare is now better poised to withstand the new threats, but the job is never done. Cybersecurity evolves rapidly and so must security programs, he says. He prefers a healthy mix of experienced staffers and hungry up-and-comers. One way he does this is through an internship program with the region’s colleges.
“Some of the best talent came to us inexperienced,” he says. “But they had a passion for learning, and we didn’t just give them clerical work to keep them busy. We gave them meaningful work to help develop their skillsets. In at least three cases, we hired interns as full-timers.”
That also seems to have been the mindset of a much younger Crocker, whose University of Memphis degree was in business and accounting. Only he didn’t want the traditional path to being an accountant, instead starting his career doing double duty between IT work and accounting work for a nonprofit. IT would win out, with Crocker earning industry certifications including CISSP, CEH, PMP—and applying his skills in hospitality, manufacturing, defense and financial services before switching to healthcare over six years ago.
Crocker keeps up with the latest tech and cyber innovations through blogs and newsletters and, perhaps most effectively, by networking with other CISOs in all industries.
And when he’s not working or tending to homelife in Collierville with his wife and two children, you just might find Crocker on stage with his other passion. An accomplished rock musician, he hadn’t performed much during COVID-19, but is getting back in the game. It’s ideal for relieving on-the-job pressure and might even have something in common with cybersecurity.
“In music you have to practice to keep your chops up or you lose your edge,” Crocker says. “And security changes so often that you either keep up with the trends or you’re out of work.”
View this feature in the Winter II 2022 Edition here.