With a fast-evolving cyber threat environment and a continuous flood of healthcare data breaches, chief information security officers (CISOs) at hospitals and health systems face mounting pressure to safeguard their organization’s networks as well as critical clinical and financial data. Healthcare CISOs face complex and challenging issues with respect to information security, including rapidly evolving malware threats, insider data breaches and the increasing use of medical Internet of Things (IoT) devices across their organizations.
In addition to security-focused projects, CISOs are often involved in enterprise-wide technology initiatives. At Texas Health Resources (THR) this past year, C-suite executive leaders have been focused on a massive data center migration initiative. THR is an integrated health system based in Arlington, Texas, with more than 350 points of access, including 29 hospital locations that are owned, operated or joint-ventured with THR, 100 outpatient facilities and 250 other community access points, including the Texas Health Physicians Group clinics. THR has more than 24,000 employees and the system serves more than 7 million residents across 16 counties throughout North Texas.
The health system’s CISO, Ron Mehring, says the organization is migrating data centers housed in individual hospitals to “sophisticated, advanced co-location facilities” and that the new data centers provide increased security controls and protections.
“Throughout the whole year, our focus has been on transforming our data center, and that includes improving the availability and integrity of data and overall performance. It also includes the security controls within the data centers, from the physical controls to environmental controls, to improving the general security and technologies within the data centers themselves. And that’s been a ton of heavy lifting this year,” Mehring says.
Mehring and his team also have focused on what he refers to as “blocking and tackling improvements,” ranging from multi-factor authentication enhancements to process improvements around vulnerability identification and remediation activities. “We spent a lot of time trying to improve our assessment processes to get a little bit more detailed on the way that we identify risk and the way that we articulate risk to our stakeholders in the enterprise. We focused on general improvements in those areas, but most of our efforts have really focused on our data center transformation, and some of the things that orbit around that.”
And, he adds, “That’s so important for our organization as we proceed to transform ourselves as a healthcare delivery system. It’s really setting up the playing field; setting up the infrastructure and security services to support all those future business initiatives and clinical operations.”
The Current State of Healthcare Cybersecurity
Recent data breach reports and news reports about malware incidents paint a troubling picture of the current state of cybersecurity in the healthcare industry. Cybersecurity software company Protenus, which publishes a “Breach Barometer” report every month, reported 233 total breaches in the first six months of 2017; in all of 2016, about 450 breaches were reported. The company also reports that the trend first noted in 2016 has continued, with an average of one health data breach per day. Protenus tracks breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media.
However, there are indications that healthcare provider organizations have boosted their cybersecurity efforts and are responding more quickly and strategically to cyber threats. In October, FirstHealth of the Carolinas reported that it had shut down its computer networks after a threat from a new version of the WannaCry malware virus was detected. The health system reported at the time that its information system team immediately identified the threat and implemented security protocols. The health system reported that because of the quick response by the information security team, the virus did not reach any patient information, operational information or databases.
In a 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, more than half of respondents (60 percent) reported their organizations employ a senior information security leader, such as a CISO. What’s more, the survey results indicated that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.