CIO Interview with Jim Nelms, CISO at LabCorp

Safeguarding patient healthcare information is critical. It’s never a question of if an attack will happen, but when. As the CISO of medical testing giant LabCorp, Jim Nelms has some clear ideas about how to approach this challenge.

Can you describe some of the unique challenges to securing sensitive patient healthcare data?

Financial data is volatile and recovery is easier. Healthcare data is static—protecting that is critical because it’s unchangeable and irreplaceable. Medical devices are now like the Internet of Things. An infusion pump is just a computer that puts medicine into your body. And now, new regulations like GDPR and the California Consumer Protection Act are invasive. They have integrated privacy and security, which may sound the same, but they are really different. Security is binary: is data safe or not? Privacy is more a legal opinion as to whether appropriate use of the data is maintained. We take that extremely seriously.

LabCorp recently experienced a ransomware attack. How did you discover that attack so quickly?

We are attacked every day, just like every other corporation—about 16 attacks a day, in fact. There are a couple of things we do to quickly contain and minimize the impact of attacks and protect data. I was pleased with the way we executed our response plan, but more important than the response was our level of preparation. We have tight integration between IT and security operations so we can move quickly. This was not a breach—it was a service interruption. As a preemptive measure, we shut down services or links to protect the confidentiality and integrity of the information.

How do you protect medical devices and the information they generate during clinical trials?

We have an independent scanning and penetration program that models our risk levels. It shifts decisions from being an IT to a business decision based on the criticality of the information, the system resiliency, and the risks to the business or patients. We also divide operations technology and information technology. For example, in diagnostics, we separate machines that process test tubes from machines that do word processing. We treat them differently from a network and security perspective so we have multiple levels of segmentation. We also consider security a journey, not a destination. We can’t use 20th century solutions for 21st century problems.

How do you safely move healthcare information between partners and meet regulatory and voluntary agreements?

As you move information from one company to another, there’s a custody transfer process. We have zero tolerance for exposure of patient information, so we rely on stringent frameworks to do so. In May of this year, LabCorp became SOC 2 certified so we provide that to our suppliers and customers. And that’s just the compliance side. Our objective is not just to meet the minimum requirements, but to be on the leading edge of information security. It’s “show me the money” time. We have adopted a trust-and-verify approach because the consequences are too severe if one of our vendors or hospitals makes a mistake that reflects poorly on LabCorp.

What sort of changes do you see coming in the future for the healthcare industry and for LabCorp itself?

We have a strong alliance with the National Health ISAC (Information Sharing and Analysis Center). We are developing strong frameworks and protection mechanisms. We have worked with vendors to develop software to address the unique challenges of processing patient healthcare information. Protecting this information is the collective responsibility of the whole community. One company can’t solve it for everyone—even a company as large as LabCorp—so we have partnerships with large healthcare providers. We share ideas so we all move forward with the power of multiple companies, instead of just a single company.