Five Questions With: Gaylon Stockman

As the newly appointed CISO at Lifespan, Gaylon Stockman is now responsible for securing the data and computer assets of the state’s largest health system.
Named to the position in early April, Stockman comes to the Ocean State from the midwest, where he had been corporate information security officer for UnityPoint Health in Des Moines, IA.
There, he developed an enterprise-wide security framework for a health network that includes 24,000 employees, 15 hospitals and 280 clinics. Stockman also served as adjunct professor at William Penn University where he focused on business leadership, programming, HIPAA compliance and information security.
Stockman earned a bachelor’s degree in computer science from Mississippi College in Clinton, MS., and his master’s degree in business administration from the American Public University System in Charlestown, W.V.

PBN: What appealed to you about the opportunity to join Lifespan as CISO?
STOCKMAN:
Lifespan is a dynamic organization that is growing and I like to be part of a progressive and growing team. There are many opportunities to be a champion for change and the management team at Lifespan is welcoming and embracing that change. I also found the people to be very appealing. New Englanders are great people who have been very open and receptive. Lifespan’s reputation is well-known and far reaching, and I am proud to be a part of the Lifespan team and family.

PBN: How do you feel your past experience in similar roles in other hospital systems has prepared you for success at Lifespan?
STOCKMAN:
As with most roles, there are always lessons learned throughout your career that help you continually improve upon the things you have learned. I have had a varied career inside and outside of health care. Having been a part of systems of comparable size to Lifespan and systems that are larger allows me to bring the knowledge and lessons learned to help improve our processes and security posture at Lifespan.

PBN: What will be your approach to determining where to focus your attention in your new role?
STOCKMAN:
My role is all about risks; specifically risks that an organization like Lifespan faces. Since we are a health care institution and the custodians of sensitive patient information, we are required to examine the risks and threats to protected health information or PHI. In the field of security, there are always risks and we will want to identify ours and tackle the most significant first to ensure the maximum protection of PHI and the organization’s assets.


PBN: What are the biggest information security challenges facing hospitals and how are they different to those faced by other businesses?
STOCKMAN:
Hospitals face many of the same risks that other businesses face, but because of the sensitivity of the information we are protecting – the health care information of our patients – we may look at those risks differently. Currently, the largest risks to health care are hackers, malware, phishing, mobile devices and the end user, with the incidences of hackers, malware and phishing growing more quickly. Data is a great motivator for those who wish to do harm to our systems. They see money and the financial reward as their main motivator. The proliferation of mobile devices poses another major challenge. With patient care being first and foremost, physicians need faster access and mobile devices allow for a convenience of access that is ultimately beneficial to the patient. But that benefit doesn’t come without its risks – the device could be lost or stolen or the device could be compromised. And, it’s the amount of data that could potentially be stored on those devices that is most concerning. That is why we adhere to strict rules about the use of mobile devices by our staff, employing a variety of security techniques. Additionally, end user training about good, sound security practices is always key. The end user is just one line of defense in protecting the organization and the PHI we are responsible for protecting.

PBN: Does the Affordable Care Act have any implications for health care information security?
STOCKMAN:
The Health Insurance Portability and Accountability Act, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act, or HITECH, were in place well before the ACA and those guidelines still are the crux for protecting PHI. The ACA does expand on some of the HIPAA rules that are currently in place, some of which deal with the security and transmission of information. To be prepared for changes in the future, we will continue to work on implementing best practices for the organization. The goal is to have the right controls in place while attempting to not be overly burdensome to the performance of patient care. This is always a delicate balance. We will adhere to the HIPAA and HITECH standards and also implement other industry standards such as the National Institute of Standards and Technology, International Organization for Standardization and Payment Card Industry.
