Information security officer reflects on health care technology changes in his 43 years at MUSC | MUSC | #emailsecurity | #phishing | #ransomware


Richard Gadsden Jr. has spent a lifetime on the Medical University of South Carolina campus – literally. His father, Richard Gadsden Sr., Ph.D., was a biochemist and clinical pathologist with a long and distinguished career at MUSC, and Gadsden Jr. grew up on campus, hanging out at his father’s office and lab.

His path, however, lay not in the lab but in a then-unheard-of career: information security. And after a distinguished career of his own, Gadsden will retire Aug. 7 after 43 years at MUSC, including serving as interim chief information security officer.

He admits to having mixed feelings about retiring at this moment, because of how health care is poised for change.

“We have the tools now to fundamentally transform the way that we do business, the way that we treat patients and help them manage their health, the way that we educate our students, and the way that we conduct our research,” he said. “We’ve got tools to make fundamental changes in how those functions are achieved, and we have the ability to imagine entirely new ways of doing business, entirely new ways of serving our constituency. It’s very much an exciting time. I’m actually kind of sad that I’m retiring!” 

“We have the tools now to fundamentally transform the way that we do business, the way that we treat patients and help them manage their health, the way that we educate our students, and the way that we conduct our research.”

Richard Gadsden Jr.

Betts Ellis, chief of staff at MUSC Health, praised Gadsden for his contributions.

“He has been a role model for MUSC’s values, including integrity, respect and teamwork,” he said. “Richard has been a stabilizing force over the years as Information Solutions has faced leadership changes, as MUSC has undergone incredible growth and as the technology world has become increasingly sophisticated and complex.”

Gadsden didn’t plan to go into information security. He was a newlywed, finishing up his math degree at the College of Charleston, which he expected he might follow with a doctorate and then a career teaching math, when he got a job as a computer programmer in the Laboratory Information Center in 1978.

The lab was one of the first clinical departments on the MUSC campus to automate – for example, having test results flow through a central computer system and reported out to the attending physician.

Gadsden had taken a few courses in computer programming at CofC, but they didn’t immediately interest him. Writing computer programs in the real world was different, though. Now he was solving problems for people, figuring out how to make connections happen. He was hooked.

Back then, there wasn’t much specialization in the field, so Gadsden ended up also taking on the duties of what a cable technician would do today, helping to connect the lab system in the Quadrangle A building – now the site of Hollings Cancer Center – to the hospital.

“We ran cables through the elevated walkway into the hospital, up and down the halls and corridors and out to the nursing units so we could put green screen dumb terminals at the nursing units for the staff to look up results,” he recalled.

 
The systems in MUSC’s main data center shut down and covered in plastic in preparation for Hurricane Hugo’s arrival in 1989. Nowadays, information technology is so critical to MUSC’s mission that it wouldn’t be shut down. Instead, a core team shelters in place during hurricanes to keep the system running. Photo provided

From that first computer programmer job, he was promoted to manager of academic computing systems. Very quickly, computing began to change as networking caught on. MUSC connected to BITNET, a network that connected universities and supported such interactions as electronic mail. Most of the early users, Gadsden said, were tech people exchanging information with their counterparts at other universities.

There was another watershed moment in computing: “Things really started changing with the introduction of the personal computer,” Gadsden said.

Early on, information security focused on internal security controls to ensure that no one physically on campus could access sensitive information they weren’t supposed to have. But by about 1990, networking meant that people had to start taking a wider view of information security.

“When we first connected to the internet, it wasn’t long before we had people from outside the institution breaking into our computer systems. The first attack that I can remember was on a computing system that was used for biomolecular computing research. We discovered there was someone in Sweden who appeared to be logging into that computer and running commands, and we didn’t have any authorized users in Sweden,” Gadsden recalled.

To put a stop to this, MUSC installed firewalls and other controls. Nowadays, Gadsden said, you can buy a powerful enterprise-class firewall straight off the shelf, and most new devices even have built-in firewalls. Back then, firewalls were more DIY, and MUSC used open-source code to build its own firewalls.

The challenges of internet security piqued Gadsden’s interest. There was no information security office, and no one in charge of information security, so Gadsden started learning and doing. Eventually, he built a team responsible for coordinating this need across the MUSC enterprise.

 
Gadsden typing in the final shutdown command on MUSC’s VAX-11/785 superminicomputer, which had served for a decade to support academic computing services, to host MUSC’s first email system, and initially served as MUSC’s connection to the BITNET network. Photo provided 

Information security has only gotten more complex since those early days. More systems became computerized. MUSC began expanding its physical presence, first off the Charleston peninsula into surrounding communities and now, across the state. It entered into affiliations with other hospitals and clinics. And smartphones and other internet-connected devices became ubiquitous.

“We’re carrying more computing power in each of our phones now than existed across the entirety of MUSC when I started working here,” Gadsden said.

The changes, Gadsden said, mean that “security really has become everyone’s responsibility.”

Information security was in the national spotlight earlier this year when Colonial Pipeline fell victim to a ransomware attack, and gas stations up and down the East Coast ran out of gas. The CEO testified before Congress that attackers were able to gain access because the virtual private network system in place didn’t require multifactor authentication.

Health care systems have been victims, too, with more than 500 health care facilities being hit by ransomware last year. The University of Vermont Medical Center was hit in October. Leaders there say no personally identifiable information was taken, presumably because the IT team quickly took down all systems, including email and electronic health records. But it took a month to clean the system’s 5,000 computers, and in that time, the medical staff reverted to paper records. In addition, about 300 employees were reassigned or furloughed because they couldn’t do their jobs during the downtime, and some patient procedures were canceled or postponed.

Gadsden said that everyone – employees, students and even patients – must be conscientious about security. That means installing updates on time and thinking before clicking. With new federal regulations, patients now have immediate access to test results and visit reports. But, Gadsden said, patients should carefully consider how to safeguard that information if they pull it from the MyChart patient portal and upload it to an app or website.

“The one thing that really does concern all security professionals is the growing complexity of the environment,” he said.

The overnight transition to “work from home” last year, after Gov. Henry McMaster declared a state of emergency as the COVID-19 pandemic ramped up, was another information technology and security challenge, but Gadsden said it was one that MUSC was well prepared for. 

“The one thing that really does concern all security professionals is the growing complexity of the environment.”

Richard Gadsden Jr.

MUSC already had the core systems in place, including VPN and two-factor authentication, that could handle the rapid addition of thousands of users, he said. There were a few incidents, due to employees using unsecure networks, but the team is already looking at the next generation of technology to support a remote workforce even more securely, he said.

Similarly, MUSC Health was in a good position with telehealth, he explained, since it already had advanced telehealth capability when COVID began.

As Gadsden prepares to retire, he’s excited to see what lies ahead for health care technology. Epic, the electronic health record platform that MUSC Health uses, was a major change for the health system. There are, however, disparate types of EHR systems in use across the nation, and the enthusiasm of a decade ago to get them to exchange information has tempered a bit as people have realized how difficult that will be. Nonetheless, Gadsden believes it will happen.

“The ability to exchange information more seamlessly over these national networks, between disparate systems, that’s going to continue to evolve and improve. That’s one of the important things the future will bring,” he said.

Gadsden’s own future is full of possibilities. He said he and his wife will probably take a year or so to adjust to retirement, while they decide if they want to remain in Charleston; move to western North Carolina, where they have extended family and a second home; move to the West Coast, where their son has settled into Silicon Valley life as a software engineer; or maybe move somewhere completely unexpected.

Ellis said the retirement is well-deserved. He noted the strong family legacy that Gadsden Sr. and Jr. leave at MUSC.

“His dad was a sterling gentleman and devoted nearly 50 years to MUSC. Richard is his dad all over again,” Ellis said. “Here we have father and son who collectively have devoted nearly 100 years to MUSC. I know Richard’s dad is looking down on him with great pride. Job well done.”





Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

thirty two − twenty six =