Keeping Seattle Children’s ‘House’ Secure

For Eric Gilyeat, working in IT Security is a bit like working for the cyber division of the CIA.


Seattle Children’s IT Security program protects not only the organization’s physical environment, but also the environment where data lives. Please note: This picture was taken before the start of the COVID-19 pandemic.

“You have to actually enter the mind of a possible attacker,” says Gilyeat, manager of IT Security at Seattle Children’s in charge of engineering and incident response. “It’s almost like playing spy vs. spy. You have to think how the adversarial could attack you and figure out how you would stop it. But first, you have to see it to stop it.”

Recognizing and proactively stopping threats to Seattle Children’s IT systems is what Gilyeat and his team do every day. It’s a job they take very seriously.

“We’re helping our patients and families by working behind the scenes to keep things secure — almost like a utility service,” he says.

Gilyeat and his team are just one part of Seattle Children’s nearly 40-member IT Security program designed to protect not only the organization’s physical environment, but also the environment where data lives.

“I like to describe our role as keeping Seattle Children’s ‘house’ safe,” says Gary Gooden, Chief Technology and Security Officer (CTSO). “Just like the lock to the door of your home, our team prevents outside forces from getting inside.”

Here’s a look at just a few of the ways the IT Security team protects Seattle Children’s.

Putting up a defense

In order to reduce risk to the organization, Seattle Children’s blocks internet traffic that originates from certain countries where there may be “bad actors” targeting healthcare organizations with phishing campaigns, ransomware and other malicious acts. This process — called geo-blocking — first launched in February 2020.

The geo-blocking rollout could not have been timed any better since cyber criminals often increase their attempts during natural disasters, political campaigns and times of uncertainty, like the COVID-19 pandemic.

On average, the Seattle Children’s email system receives about 14 million inbound emails per month, which are all inspected to ensure there are no potential dangers that could compromise the organization’s network. Of those 14 million emails, only about 1.2 million pass inspection and are delivered. In March 2020 (around the time the COVID-19 pandemic started), Seattle Children’s received about 30 million inbound emails and about the same number (approximately 1.2 million) were delivered.

Protecting the ‘house’ from within

Pediatric healthcare organizations are especially prone to hackers. The IT Security team has technology in place that continually assesses risks and inspects what is going on inside the organization’s network 24 hours a day.

A new type of antivirus software that should be introduced in the coming months will not only scan for potential computer viruses, but will also detect and flag any changes in how someone uses technology. For example, if someone who always works during regular business hours starts logging in around 2 a.m., this may be a sign that someone has compromised the system.

Seattle Children’s is also currently working on a project to better track medical equipment connected to the network to ensure hackers do not gain access to these critical devices that can impact patient care.

On average, the Seattle Children’s email system receives about 14 million inbound emails per month (approximately 1.2 million of those are delivered). The IT Security team is responsible for inspecting all inbound emails to ensure there are no potential dangers that could compromise the network.

Identity and access management

The IT Security team also assesses which job roles should have access to which technologies. This includes access to email boxes, distribution lists, file sharing, various software applications and more.

Since late 2019, assigning and removing access has become more automated. The system reads job codes and department codes and automatically assigns access based on a person’s role in the organization. This ensures people do not have more access than they should, which could pose security risks.

“Before the automation, service ticket counts were really high and the team was scrambling to meet deadlines,” says Bryce Anson, manager of Identity and Access Management for IT Security. “Not only did the team feel the stress, but our customers felt the impact. It was not a great onboarding or offboarding experience.”

To date, about 60% of job roles have been incorporated in the automated system, with more work to come.

Cyber-physical security

The cyber-physical team within IT Security, led by Dylan Hayes, is responsible for managing and deploying the technology used to monitor the physical environment at all Seattle Children’s facilities. This includes the cameras, badge-scanning technologies at doors, badge readers at parking gates, emergency call boxes, duress buttons and intercom systems.

Monitored by Security Services, the camera system can help team members stay safe and become more efficient. Having cameras at the loading dock, for example, means Seattle Children’s team members can more promptly receive deliveries by being ready as trucks pull in. On the Psychiatry and Behavioral Medicine Unit, cameras can monitor patients to ensure they are not harming themselves or others and can alert care teams if they need to move other patients to safer locations.

“There’s so much value in a camera not just from a security perspective, but from an operations perspective,” says Hayes, manager of the Cyber-Physical Security Program.

Hayes’ team is currently involved with a pilot project to implement badge access on bedside medication storage devices and is also planning the rollout of a new visitor management system at Seattle Children’s facilities that will involve self-service kiosks.

Increased security in a telecommuting world


With so many workforce members telecommuting, IT Security is working on a project that will give team members easier access to the information they need when working remotely, while not compromising Seattle Children’s security.

Almost overnight, the number of staff and faculty members working remotely skyrocketed at Seattle Children’s because of the COVID-19 pandemic — from about 300 users a day to 4,000 a day.

Telecommuting poses challenges as people are logging onto their personal devices through their personal router and connecting into Seattle Children’s virtual environment. The inability to control, manage or configure a person’s personal router — and the fact that Seattle Children’s uses an increasing number of cloud-based applications — makes securing the technology a challenge.

In the coming months, the IT Security team will launch a single, multi-factor authentication sign-in for workforce members who are working remotely so they can more easily access the information they need to do their work without compromising Seattle Children’s security posture.

More work to come

Gooden has been at Seattle Children’s since April 2019 and is already amazed by the progress the IT Security team has made in such a short time — even in the midst of a pandemic. He is excited for what IT security will look like in the future as the team continues to roll out new safety measures.

“Security is everything,” he says. “If you diminish the importance of security, then you diminish the importance of your operation and are taking the risk of being compromised, facing hefty fines and suffering reputational risks.”