
Data Security Lessons Healthcare Can Learn From DoD

Dave Summitt Describes Applying Defense Department Strategies to Health Data Protection

One important information security lesson that the healthcare sector can learn from the Department of Defense is the value of documentation, says Dave Summitt, who has worked in both sectors.


When he made the transition from the defense sector to healthcare seven years ago, "I found ... there was a lack of security, a lack of hierarchical structure, a lack of documentation," says Summitt, who now serves as CISO of the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Fla.

"If you need to get something done, it needs to be documented, and the workflow has to be correct to make sure it's done correctly," Summitt emphasizes in a video interview at Information Security Media Group's recent Healthcare Security Summit in New York. "If you don't have structure and you don't have it documented, then it's too easy for knowledge in an organization to be in just one person's head." That's why he stresses the need to carefully document any new process to protect an asset "so if any one person from my group cannot be there, someone else can jump in."

A New Mindset

Summitt says healthcare has made great strides in the past five years in improving security, "overcoming the old mindset of security as a cost center" and now seeing it as part of the integrated, essential processes organizations must implement.

In the interview, he also discusses:

  • Helping physicians, nurses and business leaders within the organization understand the value of security controls;
  • Educating senior leaders on the latest cyber threats and their potential impacts;
  • The role the founder of his healthcare organization plays in championing cybersecurity.

Before joining Moffitt, Summitt was CISO for UAB Health System in Birmingham, Ala., and an IT and network security manager and HIPAA security officer at Bayfront Health System in St. Petersburg, Fla. Earlier, Summitt had a 21-year career at the Department of Defense, where he held various positions, including the Naval Sea Systems Command's technical representative for a major missile defense program, security data custodian, information systems security officer, data and configuration manager and change control chairman for several military programs.


About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



