Security Leaders In Focus: Scott Hawkins, Mater Health Services
“Coming at cybersecurity from a business process improvement angle gave me a different motivation for getting it right,” Scott Hawkins says. “That’s why user awareness is high on our agenda.”
Scott didn’t come to lead a cybersecurity team through the usual route of a technical background. After over seven years managing operational improvement for an insurance firm, he joined Mater in early 2011.
Initially responsible for service improvement, he led internal support services – including first-level ICT – for over 7,500 staff. In 2016, before becoming the lead for Cyber Security, he moved into the ICT team, reporting directly to the Chief Digital Officer in early 2017.
The special challenges of healthcare
The Mater Group is a not-for-profit organisation operating across four areas: healthcare, education, fundraising and research. Operating a network of hospitals and health centres, Mater is the state’s only nationally accredited hospital-based Registered Training Organisation and also operates a world-class research institute.
From Scott’s perspective, the prime concern is maintaining patient services across Mater's hospitals and health services. “In healthcare, patient care is mission-critical, so it’s vital our core delivery systems are resilient. Keeping those systems up and running is the principal role of our ICT team – and protecting them from cyber breaches is my particular team’s brief.”
Data security is also crucial. “We are continuously processing a lot of sensitive information. Loss of that data could not only impact patient care and research outcomes, but pose a huge privacy risk as well. Some organisations are more concerned about financial cybercrime, but for us it’s service interruption or theft of the private information of our patients, students and staff.”
Asked about what keeps him up at night, Scott says it’s watching cricket as the Ashes are on in England. “From a work point of view, it’s not so much fear of a breach as any threat to the continuity of patient care. It’s the worry that, here and now, are all our systems up to date? Because if we get it wrong, the impact on patient care could be significant. So we’ve been doing a lot to bring our cybersecurity systems up to the task.”
Scott gets great support from his team of in-house security specialists. “When I started out in this job I sought information from wherever I could – about everything from new threats to new technologies, and what’s working in cyber awareness.”
He says he gets the greatest external support from other CISOs. “I’ve built up peer networks – through both technology and healthcare forums – and they’re a great source of information.”
“I find the big technology conferences like Gartner’s ITSymposium/Xpo are good to attend, but the smaller ones are great! Two recent events that I attended were the Cybersecurity Leaders Exchange and Adapt. There’s a big focus on networking and sharing ideas, with peer presenters and lots of opportunities to chat.”
“Vendors are also really important within the cybersecurity ecosystem, and are a great source of valuable resources. Mimecast’s awareness solution is a perfect example, as well as their bringing security alerts to our attention. We also get news feeds from AusCERT and the Australian Cybersecurity Centre through our membership.”
The winning approach to cyber awareness
Scott says Mater is still relatively early on in its cyber awareness training program, but staff have proven very receptive so far. “In healthcare, there is already so much training to take in – new standards, procedures, best practices and legislative requirements. All while they’re working in an extremely busy environment. Avoiding cyber risks is just another thing for them to learn about.”
“Our approach is to start by talking about cybersecurity at home. When I walk into a room as someone from IT, their eyes are ready to glaze over, but getting them to check their personal email addresses on haveibeenpwned.com seems to result in immediate engagement. Once they’re interested, I link it back to Mater and the security of their work email and passwords. They’re already well aware of the necessity of the critical systems we all rely on, as well as the importance of patient and employee privacy.”
Executive buy-in for the future
“We’ve come a long way in the past couple of years,” Scott says. “We’ve got excellent executive buy-in because we’ve done a lot to educate the various stakeholders and I’ve seen strong interest since I have been in the role. I have had success sharing more relatable risks such as simple human error, as opposed to trying to scare them with horror stories from outside threats. It’s easy to demonstrate how they could fall prey to such threats by accident themselves.”
Scott is also currently planning risk assessments on Mater’s critical systems. “That will also include third-party risks which is another significant threat. We’re also increasing our internal visibility as well this year – by increasing security monitoring within our own networks.”
Meanwhile, Scott and his team are continuing to educate people across the entire business. “At any given time, we have thousands of staff operating across many very different roles, which makes it an ongoing effort. The need for cyber awareness training won’t ever stop.”