Demystifying Network Integrity: A Q&A with Cybersecurity Chief Judy Hatchett

Healthcare lives and breathes on patient intelligence. So does Judy Hatchett. Her job is to make sure that only those who are using it for the good of patients have access to it. It’s a tall order. But one she has well in hand.

Judy Hatchett is Vice President and Chief Information Security Officer at Surescripts, and securing data is her passion. That’s a good thing, because as I said during the COVID-19 pandemic, if you’re passionate about data—or securing it, in Hatchett’s case—Surescripts is the place to be.

I recently sat down with Hatchett for a conversation about her work to protect the integrity, confidentiality and availability of the data on our network for those who rely on it.

Our interview has been edited for length and clarity.

Sow: You were interviewed about network integrity a few years ago, in 2021, in honor of the annual Data Privacy Day on January 28. Data Privacy Day highlights best practices for data protection. What, if anything, has changed in this space since then?

Hatchett: Two things come to mind: (1) the increase in data breaches and (2) how data is no longer contained within the four walls of the data center. Healthcare has been and continues to be under attack by bad actors, who attempt to disrupt the industry with ransomware or Distributed Denial-of-Service (DDoS) attempts. And the pandemic shifted how people work and collaborate, which caused many tech vendors to pivot away from offering on-premises solutions. Instead, they’re investing their development dollars into Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS) solutions.

Sow: You’ve told me that when it comes to information and cybersecurity, every decision you make is from a risk perspective. Can you elaborate on that? What’s an example of making decisions through the risk perspective?

Hatchett: When somebody says, “Hey, I want to download software on my machine,” if the software isn’t part of our standard catalog, my team will do research on the software, review data rights, and review past cyber alerts on the software. My team also looks at the volume of non-standard software to recommend, and whether to install it on a Surescripts-managed device or not. This is just a small example. But we review any non-standard request that comes in through a holistic, enterprise-risk lens.

Sow: Our Network Integrity Framework lays out our commitment to protect and improve the access, security and performance of the Surescripts network and the data it carries. How would you define network integrity?

Hatchett: It's making sure that we know who is on our network, why they're on our network and what they're doing on our network. It’s the job of me and my team to also ensure the confidentiality, integrity and availability of the data and the network. And we rely on our partnership with our IT organization to accomplish this.

Sow: How does our Network Integrity Framework benefit the healthcare professionals and organizations who participate in the Surescripts Network Alliance?

Hatchett: Our Network Integrity Framework guides us in our efforts to keep the network secure—and all this flows through as a benefit to every participant in the Network Alliance. We put a lot of effort into making sure the people on our network are supposed to be on our network. We hold people accountable for identity proofing, for making sure their connections are secure and “least privilege.” We make sure they’re following our integration standards.

Sow: Speaking of network security, I think I’ve heard you characterize security as your “baby.” And when it comes to your baby, how are you keeping it safe and well-cared for?

Hatchett: My team leverages people, technology, automation and processes to monitor, detect and react. It’s critical that my team knows what “normal” activity and traffic patterns look like. We maintain continuous feedback to protect the network and the data it carries.

One of my many responsibilities as CISO is to make the enterprise comfortable to come forward when something doesn’t seem right. “See something, say something” is a guiding principle for me. Employees are often referred to as the weakest asset, because they can make mistakes, but I consider them my strongest asset. We can train to detect and alert—sometimes better than any tool out there.

Sow: When you say, “See something, say something,” what does that mean? What if it’s just a minor blip?

Hatchett: Me and my team welcome each and every notification. We treat them all as real situations. Our investigative process is run end to end. When it turns out to be a nothing event, those are the best days, and a great training experience.

Sow: In late 2020 you were appointed as Commissioner of the Electronic Healthcare Network Accreditation Commission, or EHNAC, a self-governing organization that advances healthcare through standards and accreditation. What’s your role there?

Hatchett: It took me a handful of meetings to understand my role. I’ve been in many advisory roles, but as the commissioner, I needed to fully understand EHNAC’s mission to improve data security in healthcare and see what I could offer from a cybersecurity perspective. It’s not something I take lightly, because here I represent all participants in the Network Alliance, from technology vendors building electronic health records (EHRs) to health systems and pharmacies and so on. They have me in their corner—and they don’t have to get directly involved with EHNAC themselves to see their interests represented.

Sow: Imagine you’ve just retired and you’re looking back on your career. What’s one thing you would like to have accomplished?

Hatchett: That I helped to maintain excitement and drive for people in cybersecurity. It can be a stressful, high-burnout field. And there’s just not enough diversity in cybersecurity. Many feel that they’re not technical enough to be in this field, but they have an interesting skillset when it comes to problem solving. You don’t have to be 100% technical. There are many paths in cybersecurity, many opportunities to do important work.

Where trust matters most, we’re on it. Go deeper on network integrity.