Deborah Gash: How St. Luke's Health System tackles data security

Editor's note: This is part one of a two-part Q&A with Deborah Gash, vice president and CIO at Kansas City, Missouri-based St. Luke's Health System. In part two, Gash discusses how her organization is responding to new regulations for physician quality data reporting amid the shift to value-based reimbursement.

LAS VEGAS -- Cybersecurity is a hot topic among attendees at this year's meeting of the Healthcare Information and Management Systems Society--especially on the heels of two recent ransomware attacks. 

FierceHealthIT caught up with Deborah Gash, vice president and CIO at Kansas City, Missouri-based St. Luke's Health System, at the show to talk about a variety of health IT issues. Not surprisingly, data security and guarding against hackers was one of them.

The risk of a breach "is a focus for us," she said. "You hear about all these stories and you don't want to be one of those organizations."

Gash, who was one of FierceHealthIT's 2015 Influential Women in Health IT, told us how her organization is investing in data security and protecting its health IT systems. 

FierceHealthIT: What changes have you made at St. Luke's to get ahead of data security risks?

Deborah Gash: We elevated the view of security in our organization. We created a chief information security officer. We revisited our security strategy, using a third party to assess and tell us where they thought the opportunities were. And we're investing in new capabilities to try to increase the layers of protection that we have.

It's not about whether you're going to be breached or not. If people are after you, they're going to get in. That's a given. What you try to do is make the organization as difficult as possible to get through; put as many barriers as you can in place to make sure you're not the low-hanging fruit.

FHIT: Where are the greatest vulnerabilities and risks?

Gash: The weakest point in any organization around information security is human behavior. Is that malware or is that ransomware going to get into your organization by someone clicking on a link in an email message? Educating people around the right and wrong behaviors is really critical.

We use a program that allows you to send emails out to your staff. If an employee clicks on the link in the email, it tells them immediately that it was phishing and educates them about what you should and shouldn't do.

FHIT: How do you act on the information those kinds of tests reveal?

Gash: We get a report, but don't use it in a punitive way. Those who do report it to us or who don't click on it get a "kudos" to say "You did the right thing, congratulations." That's gone over well. We have seen a lot of suspicious emails come to us. We have a link in our email program to report a phishing alert. That helps us to take that back to the organizations that provide us with security protection and tell them it got through and that they need to create a rule to stop it.

FHIT: What financial investments have you made to keep your data and systems safe?

Gash: We have doubled our investment in security as a percent of total IT budget. It was at about 3 percent--now we're at 6 percent. Even now, every time I meet with my board, the members are asking "Are we doing everything that we can?" We're constantly looking for the new thing. Monitoring services--that's the next big thing for us.

Editor's note: This interview has been edited for length and for clarity.