Dave Summitt Describes Applying Defense Department Strategies to Health Data Protection

One important information security lesson that the healthcare sector can learn from the Department of Defense is the value of documentation, says Dave Summitt, who has worked in both sectors.

When he made the transition from the defense sector to healthcare seven years ago, “I found … there was a lack of security, a lack of hierarchical structure, a lack of documentation,” says Summitt, who now serves as CISO of the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Fla.

“If you need to get something done, it needs to be documented, and the workflow has to be correct to make sure it’s done correctly,” Summitt emphasizes in a video interview at Information Security Media Group’s recent Healthcare Security Summit in New York. “If you don’t have structure and you don’t have it documented, then it’s too easy for knowledge in an organization to be in just one person’s head.” That’s why he stresses the need to carefully document any new process to protect an asset “so if any one person from my group cannot be there, someone else can jump in.”

A New Mindset

Summitt says healthcare has made great strides in the past five years in improving security, “overcoming the old mindset of security as a cost center” and now seeing it as part of the integrated, essential processes organizations must implement.

In the interview, he also discusses:

  • Helping physicians, nurses and business leaders within the organization understand the value of security controls;
  • Educating senior leaders on the latest cyber threats and their potential impacts;
  • The role the founder of his healthcare organization plays in championing cybersecurity.

Before joining Moffitt, Summitt was CISO for UAB Health System in Birmingham, Ala., and an IT and network security manager and HIPAA security officer at Bayfront Health System in St. Petersburg, Fla. Earlier, Summitt had a 21-year career at the Department of Defense, where he held various positions, including the Naval Sea Systems Command’s technical representative for a major missile defense program, security data custodian, information systems security officer, data and configuration manager and change control chairman for several military programs.