Making it fun and gaining buy-in are key for this challenging task

Champion Healthcare Technologies provides tissue and implant tracking solutions to hospitals and health systems. Its products and services help organizations manage tissue and implant tracking to ensure compliance, optimize efficiency and improve safety for implant patients.  Charity Carney is the Vice President of Security and Compliance. She joined the company when it was still small and has been on board to witness the company’s incredible growth. Always a top priority for the company, information security is now more critical than ever. In addition to working in a highly regulated field, the responsibility of protecting Champion’s data along with the personal and private information of patients is vitally important. We talked to Charity about her approach to security awareness and the risks she faces with her team. How did you break into cybersecurity?  Charity: I’ve had a computer in my hands since I was eight years old and have always had a love affair with technology. I’ve always been that person at the organization who was a subject matter expert — the person everyone asks to fix things when they stop working. I went from retail management to project management, and later, technical product management because of my interest in technology. I started at Champion Healthcare about five years ago. As their Director of Software Engineering, I kept the team focused on technology in the product development process to ensure our products were well made — and importantly, secure.  Tell me about your work at Champion.  Charity: It was a small company when I first started but we’ve really grown since then. There’s a lot of trust between the various departments and people. Sometimes when you go into a new organization, it can be difficult to earn that respect. But I was able to build their trust by always pursuing the same thing in all my projects — to protect Champion, our patients and our patient’s data. Tell me about Champion Healthcare Technologies.  Charity: Champion Healthcare provides software designed to help hospitals with compliance. Imagine you’re in a hospital and have received a knee or hip replacement, a defibrillator or a pacemaker. Anything implanted into a patient does something very regulated by the FDA and joint commission in most states. Our software takes that compliance burden off of the hospitals and helps them track the life cycle of that device or implant. That includes from the time it’s received at the hospital dock to the time it’s implanted in the patient and when the patient goes home. Let’s say the medical device is recalled. Our software is designed to handle the chain of custody, but it also can quickly notify the hospital if they have a patient affected by the recall. Then they can go in for treatment as quickly as possible.  What are the security risks facing your team? What’s your threatscape like? Charity: We’re very focused on protecting PHI and PII. Our industry is highly HIPAA regulated, so we need to be very diligent about protecting the data entrusted to us. Our systems don’t contain a ton of data and that’s by design. We don’t want to store PHI and PII — we try to avoid as much of it as we can and still help the hospitals get the job done. With regulations like GDPR, various U.S. states are now rolling out privacy requirements and regulations of their own. We need to be very cognizant of this in healthcare, especially because we might have data on health information, diagnoses or implanted products. It’s up to us to keep it secure. How do you use security awareness and training to keep that data safe?  Charity: You need to keep your people as sharp as you possibly can. Making sure your employees are aware of the latest cybercriminal tricks and techniques is really important. You can spoon-feed them little niblets of the latest information whenever something relevant comes up, but you need to also have at least one focused campaign a year to make sure you’re compliant with training requirements.  You need to “check the box” when it comes to compliance, but we believe it’s important to do more than just due diligence. We need to be actuators of change and spread the word about security awareness across the organization. And you’re making progress? Charity: Oh yes, absolutely. Some employees will now come to me and ask questions about security topics we’ve never discussed before. It’s really important that they know they can approach me at any time with questions. That’s been my mantra. I’d rather they ask me a hundred questions that don’t really have anything to do with security than miss the one thing that was critically important.  When we first rolled out the Infosec IQ phishing simulations, employees would ask questions like, “If I click on this, am I going to fail the simulation?” I’d say, “I don’t know. You’ll have to just try it and find out. What do you feel like doing?” So we made it a bit of a game and had some fun. Now, we’re launching an even bigger program to incentivize the security behaviors we want.  Have you experienced the “repeat offender” challenge? How do you manage it?  Charity: Everybody does. Everybody has at least one or two employees who are not as technically savvy as they could be. We have veteran employees who might not have a lot of computer experience. We also have some new people who might have sharper technical skills, but lack familiarity with HIPAA requirements. They all have varying skill levels and expertise areas. With repeat offenders, you have to understand how to coach them and change how they think. And we’ve seen progress with that approach at Champion Healthcare. We’ve been able to really groom those repeat offenders into actual security champions. If you had one insight to share with a colleague or a peer in a similar line of work, what would that be? Charity: Make employee security awareness and training as interesting as you can. Sometimes there is nothing sexy or fun or entertaining about security, but it’s really, really important. So I promise them that I’ll do my best to deliver training material they’ll care about. I want them to care. Not only do I want them to avoid getting phished, I also want them to hunt for situations that look or feel suspicious. I want them to turn from the hunted to the hunters.  I’ve made training big and loud and fun and ridiculous. I’m talking about video podcasts and shark masks and making everything as big and crazy and loud as you can. That is what makes training fun and memorable. I want to entertain people, but I also want them to get the message that I’m sending. If I can make it memorable, I can get results.