At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges

November 14, 2017
by Heather Landi
| Reprints
Click To View Gallery

Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than dou­ble that of the second most frequent cause of loss—hack or malware (19 percent), according to the Beazley report.

At Texas Health Resources, Mehring says security leaders utilize sophisticated IT monitoring systems, such as behavioral analytics, to detect anomalous behavior as well as continuous auditing and monitoring of protected health information (PHI) within the electronic health re­cord (EHR) and data loss prevention technologies.

There are also non-technical processes and programs that should be used, Mehring points out, such as a hot­line that employees can use to report anomalous behav­ior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether its HR or it’s the legal or se­curity team,” he says.

At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to de­velop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanction­ing program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inap­propriately shared,” he says.

Medical IoT and Cybersecurity

For many hospital and health system CISOs, the gover­nance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cyberse­curity risk increases and intensifies in complexity.

“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a re­frigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.

A critical, foundational step to managing medical de­vices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start develop­ing at least some internal rules of how we characterize those types of IoT things and make sure we can differen­tiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.

Understanding how various medical devices communi­cate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understand­ing the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communica­tion security strategy is put in place around those devic­es,” Mehring says.

At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.



Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More