Q&A with Intermountain Healthcare AVP/CISO Erik Decker: Sharing Security Best Practices Makes Us All Safer

Intermountain Healthcare AVP/CISO Erik Decker wants health systems to know that implementing a handful of approved best practices can go a long way to staying out of hot water.



LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Bold Statements

“ … when one of us fails then we can have catastrophic consequences across the board.”

“The adversaries have a lot of resources. They only have to figure out one way into an organization and we’ve got a million ways that we’re trying to keep our eyes on.”

“Frankly, if you implement the practices of some of these things that we produce out of that working group, you get relief under enforcement.”

Anthony: Welcome to healthsystemCIO’s interview with Erik Decker, Assistant Vice President and Chief Information Security Officer with Intermountain Healthcare. I’m Anthony Guerra, Founder and Editor-in-Chief. Erik, thanks for joining me.

Erik: Thanks Anthony. It’s a pleasure to be here.

Anthony: Let’s start off. You want to tell me a little bit about your organization and your role?

Erik: Intermountain Healthcare is an integrated delivery network located in the mountain states. Based in Utah, but having a presence in three surrounding states and really an 8-state strategy. So we’re about 25 hospitals, we have one virtual hospital, $11 billion in revenue, 43,000 what we call caregivers. We consider all of our employees to be caregivers and part of the care continuum, and up to 2,800 beds. We also have a plan, a payer plan called SelectHealth with a million members in that. So that’s what ultimately the integrated delivery network is all about. Our mission for Intermountain is to help people live the healthiest lives possible. That is what we focus on, really quality care at appropriate cost is the key thing.

So my role as AVP and CISO is to help protect this organization, protect the safety of our patients, the digital enterprise, the financial assets of the organization and the privacy and confidentiality, of course, of our patients and our member’s private information.

Anthony: Very good. You’ve always been pretty involved with a lot of different groups volunteering your time, your energies to engage and to help formulate different pieces of content that can help others do their job better. Where did that come from?  Have you always done that?  Did something  wake you up to that at some point and you kicked it into high gear?  Tell me about that and then tell me a little bit if you want to go into specifics about some of the main groups that you’ve been involved with.

Erik: Cybersecurity is kind of one of those things where we only do better when we’re all doing better. So we all have to be in this game. We all have to be protecting our assets and our people. And when one of us fails,  the “weak link in the chain” kind of concept, when one of us fails then we can have catastrophic consequences across the board. It’s also something that’s not really a competitive advantage. Like when I talked to my fellow CISOs that are out there, we openly share our tactics and techniques, because the mission of what we’re trying to do is noble. We’re trying to help people. It’s not about bottom line, that kind of stuff. There’s a part of me that’s just  always been that way. I learn best when I talk to my peers and I talk to other people. I like to hear from other people who have already gone through some challenges and learned.

So I’ve always felt that it’s best to have a good network and a good community to ...