Philip Curran, Chief Information Assurance Officer and Chief Privacy Officer, Cooper University Hospital
Phil Curran headed straight from high school into the U.S. Air Force. He was stationed in Florida with the 1st Special Operations Wing for a number of years before being assigned to run a black program for the Pentagon from 1996 until he retired in the year 2000.
“My military job assignments were often classified,” says Curran. “Throughout my entire military career, my parents thought I was a clerk. That’s all they needed to know.”
While serving his country on active duty, Curran attained his bachelor’s degree in Computer and Information Systems from what is now known as Troy University in Alabama. Then he received his Masters of Strategic Intelligence through what’s now the National Defense University.
Following his military career that spanned two decades, Curran began his civilian career with Campbell Soup Company where he was the Supervisor of Information Security. In 2003, he moved to Cooper University Hospital. Having been there close to fifteen years now, Curran can claim many successes with his security program at the hospital.
“One of the first things we did was install a secure mail system for the hospital. We built the program from scratch,” says Curran. “Really, when I started here, the hospital’s information security program was based on user access management, so we built a more in-depth program from scratch. We had little money in our budget, but that didn’t discourage us. We wrote all the policies and the procedures. We began setting up intrusion detection systems, firewall monitoring, all the auditing systems. We helped create the virtual private networks, and the wireless infrastructure. We did incident management. We really built the program up from scratch.”
One might think that HIPAA was a driving factor in this build-up of the cybersecurity program, but Curran says it really wasn’t. “I’ve always maintained that you base your information security program on generally accepted security principles, and then 90% of HIPAA will fall into that. Then you can manage that other 10% separately,” says Curran.
“Currently, we’re using the HITRUST cybersecurity framework,” explains Curran. “Up until 2009, we were using a conglomeration of frameworks like NIST, then HIPAA, then the ISO, so it was very difficult for me to identify what controls really needed to be in place. When HITRUST came around, it put everything together, so all I have to do is manage one controls document.”
These days, the Internet of Things is keeping Curran busy. “It’s always been an interest to me, even way before it was called IoT—even before your toasters, refrigerators and ovens could be connected to the network,” says Curran “We had medical devices that were connected, not only to our internal network, but we had medical devices that we sent out with patients, where we needed to get the information from those devices into our medical records. How we secure those devices and their information is key; we just need to manage the risk that is associated with those devices. Now it’s designated as IoT, but it’s going to continue for us and all of this is going to grow exponentially.”
“We’ve got doctors who want to access patient information on their personal devices, so how do we do that? How do we manage that? It’s all a matter of what the risk is and how much we are willing to accept,” Curran says. It’s all challenging, but interesting at the same time.
Curran credits his military experience for helping him become a good leader. “From a leadership and a communication perspective, it definitely is my military background that is helping me the most with my career,” he says. “What I have learned through my years is that you need to walk the walk. If you’re going to do something, you need to do it, and you need to do it better than anybody else, and you need to be able to communicate with people. Understand where they’re coming from. You need to be empathetic to what they’re doing.”
“Probably, the biggest influence on me was my commander, when I was stationed down in Florida. He was the type of individual who would not spend a lot of time in his office. He would spend more time walking around the unit, getting to know everybody, not just the officers, but the enlisted people as well. It would frustrate me to no end, as this senior enlisted guy, to try to go in there and find him to talk to him about something, and he wasn’t in his office. I invariably found him sitting on someone’s desk just talking to them, understanding where they’re coming from,” says Curran.
“That, to me, engenders the loyalty and the understanding that is necessary to be a leader. I can honestly tell you, I think I’m a good leader, but I’m a terrible manager, and there’s a difference between leadership and management,” he says. “With leadership, you are leading people. With management, you’re managing time, resources like dollars, et cetera, et cetera. Getting your efficiency reports done on time, getting your annual reports done on time, getting your statistics—all of that is management.”
“Leadership is getting out there and talking with the people, helping them understand what you’re trying to do and what their role is in it, so leadership is more people-based, from my perspective, versus management, which is resource-based.”
Curran lives in New Jersey. He’s married to his wife of 33 years. They have three daughters and four grandchildren.