According to a recent report from the Breach Level Index, the healthcare industry had the highest number of data breaches in the first half of 2015 and also led the way in number of records breached by industry, with 84.4 million records. These findings represent a dramatic shift from the past few years when healthcare had relatively small numbers of records involved in data breaches, according to the report.
The report findings are just one more reminder of the ongoing threats to healthcare information security and highlight the importance of building a strong information security program. Ron Mehring is the chief information security officer at Texas Health Resources, the 25-hospital integrated health system based in Arlington, Texas, that has a workforce of 22,900 employees. Mehring recently spoke with HCI Assistant Editor Heather Landi about the growing risks to healthcare data security and his risk management strategy for managing the security program at Texas Health Resources. Part one of Mehring’s interview with Landi from last week can be found here; part two excerpts can be seen below.
On the topic of cybersecurity, what have you taken away from the large scale data breaches at Anthem and UCLA Health?
Be prepared and have a plan. From what I have learned (and those organizations, Anthem especially, have been very transparent about the way they handled those breaches), you need to have a great response plan and be prepared for that inevitable breach at the tactical and technical level, but also at the executive level. You need to make sure everyone understands that it could happen and have a plan.
What types of threats do you think are the biggest risks to your organization?
With all the publicity that goes with the massive breaches out there, external threats have the podium right now, and we’re paying attention heavily to that. And at the same time, we have to keep our eye on the ball with internal threats. I think the probability of an internal threat is greater than an external threat. You have a trusted environment where you’ve done background investigations of people accessing your system and you trust them and for the most part they are doing good things for those we serve, our patients, but occasionally you do have a situation where somebody does things inappropriately internally inside your network and you have to take action.
How do you handle that internal threat to data security?
With an internal threat, there’s the malicious insider who is deliberately trying to cause harm or trying to steal data to monetize that data. And then there is the inadvertent accident where someone puts data on an unencrypted drive and they leave the building with it and those are not necessarily malicious actions but they obviously need to be handled. Within any good security program, you need good policy and good training where people are aware of the policies and can be held accountable for their actions. Our policies reflect sanctioning activities, which are required under regulatory rules when there is a security incident or privacy breach, as well as accountability at the individual level in terms of how individuals handle data appropriately. Policy and training are very important.
On the topic of training, what is your strategy for training end-users?
Our training regimen is immersive. We have worked deliberately with our university, Texas Health Resources University, and our corporate communications to develop vigorous, continuous awareness throughout the year. So we send out communications and reminders and we attend directors’ leadership meetings within each hospital. We also set up booths inside of hospitals so we can have cybersecurity days and actually talk to different business and clinical staff inside the hospitals’ clinics. The end-user training has got to be continuous and immersive as we help our end-users protect their systems and our patients’ information. One of the things we’re going to be focusing on at the end of this year and next year is phishing. We are going to have a really aggressive training program focused on giving end-users the tools to effectively evaluate emails and how they should respond to an email.
And, here is a hot topic, should core data in the EHR be encrypted at rest?
Ideally, yes, we should encrypt as much as possible at rest. The problem is with large data sources and database complexity, it can be difficult to encrypt at rest. The reality is we need to look at how the database is being used transactionally, and then do a good risk analysis and understand clearly what needs to be protected and how it needs to be protected at the database layer and then below the database layer. And so when you say encryption, there are multiple ways we can engage that.
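The answer above distinguishes encrypting at the database layer from encrypting below it, and notes that how the database is used transactionally decides what needs protecting. The Go program below is an added example, not code from Texas Health Resources or from the interview: it shows the database-layer option, field-level AES-GCM encryption of one sensitive column with the key held outside the database, plus an HMAC blind index so equality lookups on that column keep working without decrypting anything. The keys, the patient record and the in-memory table are constructed for illustration; a real deployment would fetch keys from a KMS or HSM and store the rows in the EHR database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// FieldCrypter holds keys that never live in the database. In production these
// come from a KMS/HSM; the fixed values in main are hypothetical for offline use.
type FieldCrypter struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewFieldCrypter(dataKey, indexKey []byte) (*FieldCrypter, error) {
	block, err := aes.NewCipher(dataKey) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCrypter{aead: aead, indexKey: indexKey}, nil
}

// Seal encrypts one field value. The aad (table:row:column) is authenticated but
// not encrypted, so a ciphertext moved into another patient's row fails to open.
func (f *FieldCrypter) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func (f *FieldCrypter) Open(ciphertext, aad []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, ciphertext[:ns], ciphertext[ns:], aad)
}

// BlindIndex is a keyed hash of the value: deterministic, so an equality query on
// the encrypted column still works, but not reversible without indexKey.
func (f *FieldCrypter) BlindIndex(value []byte) string {
	m := hmac.New(sha256.New, f.indexKey)
	m.Write(value)
	return hex.EncodeToString(m.Sum(nil))
}

// PatientRow models one EHR row: columns the application queries and sorts on stay
// in the clear; only the sensitive identifier is encrypted, with a lookup token.
type PatientRow struct {
	ID       int
	Name     string
	SSNEnc   []byte
	SSNIndex string
}

// PatientTable stands in for the database table (constructed, in-memory).
type PatientTable struct {
	rows    []PatientRow
	crypter *FieldCrypter
}

func rowAAD(id int) []byte { return []byte(fmt.Sprintf("patients:%d:ssn", id)) }

func (t *PatientTable) Insert(id int, name, ssn string) error {
	enc, err := t.crypter.Seal([]byte(ssn), rowAAD(id))
	if err != nil {
		return err
	}
	t.rows = append(t.rows, PatientRow{ID: id, Name: name, SSNEnc: enc,
		SSNIndex: t.crypter.BlindIndex([]byte(ssn))})
	return nil
}

// FindBySSN is the transactional lookup path: it compares index tokens only and
// decrypts nothing, which is what keeps the encrypted column usable.
func (t *PatientTable) FindBySSN(ssn string) (*PatientRow, error) {
	want := []byte(t.crypter.BlindIndex([]byte(ssn)))
	for i := range t.rows {
		if hmac.Equal([]byte(t.rows[i].SSNIndex), want) {
			return &t.rows[i], nil
		}
	}
	return nil, errors.New("no matching row")
}

func (t *PatientTable) DecryptSSN(row *PatientRow) (string, error) {
	pt, err := t.crypter.Open(row.SSNEnc, rowAAD(row.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	fc, _ := NewFieldCrypter([]byte("0123456789abcdef0123456789abcdef"), []byte("hypothetical-index-key"))
	tbl := &PatientTable{crypter: fc}
	_ = tbl.Insert(1, "Pat Example", "123-45-6789") // constructed sample record
	row, _ := tbl.FindBySSN("123-45-6789")
	fmt.Printf("stored ciphertext: %x\n", row.SSNEnc)
	ssn, _ := tbl.DecryptSSN(row)
	fmt.Println("decrypted by application:", ssn)
}
```

The contrast with encrypting below the database layer (full-disk or transparent database encryption) is the threat covered: disk-level encryption protects a stolen drive or backup but hands plaintext to any authenticated database user, while the field-level scheme above also survives a compromised database account, at the cost of giving up range queries and sorting on the encrypted column. That trade-off is why the transactional analysis the answer describes comes before choosing which layer to encrypt at.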