Guardians of Patient Data: Jackie Mattingly's Journey to Protecting Healthcare Information Security - Exabeam

Published
May 17, 2023

Protecting sensitive patient information is an integral part of providing safe and effective healthcare. With breaches becoming increasingly common, healthcare organizations must prioritize robust cybersecurity measures to avoid disastrous consequences. In episode 80 of The New CISO, Steve interviews Jackie Mattingly, CISO of Owensboro Health in Kentucky, who shares her experiences and valuable insights on how hospitals can protect patient data from breaches and cyberattacks.

A passion for technology becomes an InfoSec career

Jackie’s fascination with technology began at a young age, thanks to the Oregon Trail game. She shares, “I’m a gamer, so I was really fascinated about that. And then I just loved technology. Computers were just starting to take off.” Her interest in computers led her to pursue a degree in computer science programming.

After completing her bachelor’s degree, Jackie had a job lined up at a bank’s IT department. However, following the bank’s acquisition, she decided against relocating to North Carolina and began seeking other opportunities.

She took a job at a news station, where she worked with a Mac and HTML code for the first time. Jackie recounts, “It would take me 10 minutes to reorient myself to the Mac so that I could get the clicks right and type right and get the job done.” Jackie’s transition into information security began when she took on the role of Interim Privacy and Security Officer for Owensboro Health in 2017, eventually becoming the full-time CISO in 2019.

Gaining more experience in healthcare and medical device security

Jackie’s experience in healthcare expanded when she joined a radiology and diagnostic imaging center. Exposure to cutting-edge technology in the medical field allowed her to further develop her skills. Her journey with the imaging center eventually led her to Owensboro Health when the center was acquired by the hospital.

As Jackie learned, securing medical devices on the network is a critical aspect of information security in healthcare. Healthcare organizations must implement strong security measures, despite challenges such as HIPAA regulations and vendor restrictions.

Adjusting to a 24/7 hospital environment

Transitioning to Owensboro Health required Jackie to adapt to a 24/7 environment. She remembers that “it was a big culture change. Nothing I wouldn’t change though.” She learned to weigh system availability against work-life balance while being on call.

To manage the demands of a 24/7 environment, Jackie and her team implemented a rotation system for on-call responsibilities, cross-trained, and documented their knowledge and experiences to provide support when needed.

Upgrading the hospital’s technology infrastructure

Jackie and her team helped upgrade Owensboro Health’s technology infrastructure, including upgrading to IP telephony and VoIP, and implementing fiber and gigabit switches. They collaborated with a consulting company to complete the ambitious project over the course of a year.

Entering the security world

In 2012, Jackie found herself immersed in the world of security when the FBI visited her hospital regarding an employee stealing people’s identities. This experience piqued her interest in the field, leading her to shift her focus towards cybersecurity. She became a senior security analyst in 2013, a satisfying role that involved developing proactive solutions to protect patient data.

Learning from a malicious outsider

A large breach occurred when Owensboro Health acquired a hospital with inadequate security measures. Jackie explains, “Security was an afterthought. IT was an afterthought. The ink wasn’t written on the paper for just a few months and the FBI showed up and said, ‘Hey, all your data’s been exfiltrated out.’ So we had a large breach where we had a keylogger that was on their network and exfiltrating out the data.” Fortunately, the newly acquired hospital had not been connected to Owensboro Health’s network, so the breach was contained.

“Oh lord. I’m scared,” Jackie remembers feeling. The Office for Civil Rights (OCR) “came in and investigated. We were on the wall of shame,” she says. That motivated the company to invest in information security. 

“We started with the basics: find your assets, know what you have. We started out encryption because we hadn’t done encryption yet, so got encryption in place. And started building out a security team, building out a governance committee that we would take our risk to and here’s where we are and helping us prioritize along with the mission and the organization’s overall mission and strategic roadmap,” says Jackie.

Implementing security awareness training

Jackie shares her insights on training employees in security awareness. She emphasizes the importance of not being punitive while providing instruction, saying, “We all make mistakes. Not only do we all make mistakes as humans, but these malicious actors, they’re getting smart and savvy and they’re coming up with some pretty crafty stuff. So I don’t think it should be punitive.” She and her team maintain a positive approach by rewarding departments that accurately alert on phishing simulations.

Conclusion

As healthcare organizations increasingly rely on technology for patient care, the need for strong cybersecurity measures becomes more critical. Jackie’s journey from IT manager to CISO highlights the importance of evolving and adapting to new security threats and technologies to protect patient data and ensure healthcare system safety.

Jackie believes that “being a CISO in the healthcare field is very rewarding because ultimately it’s about the patient and how to protect the patient’s data, and it’s patients’ safety and lives.”

Listen to the Podcast

To gain even more valuable insights from Jackie’s experiences with breaches and hospital patient information security, listen to the full episode or read the transcript.

The New CISO Podcast Episode 80: “Life After Breach: How Hospitals Can Protect Patient Data” with Jackie Mattingly
