At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges | Healthcare Informatics Magazine

At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges

November 14, 2017
by Heather Landi

With a fast-evolving cyber threat environment and a continuous flood of healthcare data breaches, chief information security officers (CISOs) at hospitals and health systems face mounting pressure to safeguard their organization’s networks as well as critical clinical and financial data. Healthcare CISOs face complex and challenging issues with respect to information security, including rapidly evolving malware threats, insider data breaches and the increasing use of medical Internet of Things (IoT) devices across their organizations.

In addition to security-focused projects, CISOs are often involved in enterprise-wide technology initiatives as well. At Texas Health Resources (THR) this past year, C-suite executive leaders have been focused on a massive data center migration initiative. THR is an integrated health system based in Arlington, Texas with more than 350 points of access, including 29 hospital locations that are owned, operated or joint-ventured with THR, 100 outpatient facilities and 250 other community access points, including the Texas Health Physicians Group clinics. THR has more than 24,000 employees and the system serves more than 7 million residents across 16 counties throughout North Texas.

The health system’s CISO, Ron Mehring, says the organization is migrating data centers housed in individual hospitals to “sophisticated, advanced co-location facilities” and the new data centers provide increased security controls and protections.

“Throughout the whole year, our focus has been on transforming our data center, and that includes improving the availability and integrity of data and overall performance. It also includes the security controls within the data centers, from the physical controls to environmental controls, to improving the general security and technologies within the data centers themselves. And that’s been a ton of heavy lifting this year,” Mehring says.

Mehring and his team also have focused on what he refers to as “blocking and tackling improvements,” ranging from multi-factor authentication enhancements to process improvements around vulnerability identification and remediation activities. “We spent a lot of time trying to improve our assessment processes to get a little bit more detailed on the way that we identify risk and the way that we articulate risk to our stakeholders in the enterprise. We focused on general improvements in those areas, but most of our efforts have really focused on our data center transformation, and some of the things that orbit around that.”

And, he adds, “That’s so important for our organization as we proceed to transform ourselves as a healthcare delivery system. It’s really setting up the playing field; setting up the infrastructure and security services to support all those future business initiatives and clinical operations.”

The Current State of Healthcare Cybersecurity

When looking at the current state of cybersecurity in the healthcare industry, current data breach reports and news reports about malware incidents paint a troubling picture. Cybersecurity software company Protenus, which publishes a “Breach Barometer” report every month, reported 233 total breaches in the first six months of 2017; in all of 2016, about 450 breaches were reported. The company also reports that the trend first noted in 2016 has continued, with an average of one health data breach per day. Protenus tracks breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media.

However, there are indications that healthcare provider organizations have boosted their cybersecurity efforts and are responding more quickly and strategically to cyber threats. In October, FirstHealth of the Carolinas reported that it had shut down its computer networks after a threat from a new version of the WannaCry malware virus was detected. The health system reported at the time that its information system team immediately identified the threat and implemented security protocols. The health system reported that because of the quick response by the information security team, the virus did not reach any patient information, operational information or databases.

In a 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, more than half of respondents (60 percent) reported their organizations employ a senior information security leader, such as a CISO. What’s more, the survey results indicated that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.

Gauging the current state of healthcare cybersecurity, Mehring says, “Looking at it from a posture and a protection perspective and when I talk to my peers, it feels to me that the water line is overall rising together. Five years ago, I think, in healthcare, what we saw is the ‘haves’ and ‘have nots’ at very dramatic levels. We had healthcare delivery systems and providers with differing levels of security, where a lot of the blocking and tackling security controls weren’t in place. There was this huge disparate ecosystem, and that’s important because, especially when you get local, we all have to share; in a metroplex, all of our systems talk to each other. It’s important that we all understand that we all have to improve together.”

Mehring also says he is seeing more information sharing among healthcare security leaders, noting both informal, local efforts as well as national efforts through cyber threat-sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the HITRUST Alliance. In the Dallas area, one local hospital hosts regular summits bringing together local CISOs and security staff. Mehring says, “We share information with each other and give best practices, which is great, as when you get into the healthcare delivery ecosystem, local really matters. National is important, but when we are delivering care and sharing information, a lot of that is happening at a very local level, between health systems.”

Evolving External Threats

It’s widely known that healthcare is a prime target for hackers and cybercrime, with malware and ransomware attacks a constant concern for healthcare security leaders. In May, the WannaCry ransomware virus plagued the National Health Service in the United Kingdom, and the NotPetya malware caused massive disruptions to multinational companies in 65 countries back in June, including health IT company Nuance Communications, which had to shut down its network.

Like many other healthcare security leaders, Mehring sees ransomware as a major threat to many industries, including healthcare, and one that will not go away anytime soon. As one silver lining, though, he also notes that security vendors are providing more robust infrastructures in response to the malware threats.

“I think a lot of people learned their lessons very quickly around ransomware and how to handle it. That includes, number one, putting the right protections in place on the front end, and if it gets in, having the right response and recovery strategy in place. We see many organizations being able to recover quickly from those types of destructive events. I think what you see is a lot of lessons learned being applied, so the impacts have gone down. But, do I think that threat exists? Absolutely, and it will continue to evolve.”

One way cyber threats have evolved, Mehring points out, is that hackers are starting to attack what he refers to as the “underbelly,” or the technical supply chain. In the NotPetya malware attack in June, for instance, cybersecurity experts believe that a software update mechanism of a Ukrainian tax preparation program had been compromised to spread the malware.

“When they attacked the Ukrainian application, which was associated to some U.S. companies as well as other companies, they attacked that trust that had been built with that company’s application, and they attacked, essentially, the update service associated with that application. When a malware gets in, with the right level of permission and the right level of access to the environment, it’s going to do a little bit of harm, and depending on how it’s set up, it could do lots of harm.”

He continues, “This is something that we really need to pay attention to; the vendors or software services that are integrated tightly into our healthcare delivery systems. It’s probably the next attack vector in, and, unfortunately, it’s a great vector into an enterprise, because of the trust that we lay into those types of services.”

The speed of malware attacks is increasing as well, Mehring notes, and that puts more pressure on healthcare organizations to have the right tools, techniques and processes in place to respond and recover quickly. “The organizations that are not able to start to apply automation and orchestration into their infrastructure and services will probably see in the future how the lack of that becomes the real problem and can really impact their infrastructure.”

At Texas Health Resources, Mehring says the organization’s cybersecurity strategy evolves to address these threats, with an increased focus on the security postures of its vendor partners. “You have got to ask really good questions of your vendors and how their services integrate into your environment. You need to ensure they are doing all the things that they should be doing to protect their environment, and yours, in the delivery of that service.”

He adds, “If you are integrating a software service into your environment, that’s managed externally by a vendor, you need to ensure you’re putting the appropriate controls in place so that any harm caused on their side does not impact the rest of the environment. And we do that through a lot of different ways, through appropriate provisioning of accessing and identity, appropriate provisioning of network services and isolation and segmentation.”

Insiders Remain a Constant Threat

Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss, hack or malware (19 percent), according to the Beazley report.

At Texas Health Resources, Mehring says security leaders utilize sophisticated IT monitoring systems, such as behavioral analytics, to detect anomalous behavior as well as continuous auditing and monitoring of protected health information (PHI) within the electronic health record (EHR) and data loss prevention technologies.

There are also non-technical processes and programs that should be used, Mehring points out, such as a hotline that employees can use to report anomalous behavior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether it’s HR or it’s the legal or security team,” he says.

At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to develop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanctioning program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inappropriately shared,” he says.

Medical IoT and Cybersecurity

For many hospital and health system CISOs, the governance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cybersecurity risk increases and intensifies in complexity.

“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a refrigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.

A critical, foundational step to managing medical devices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start developing at least some internal rules of how we characterize those types of IoT things and make sure we can differentiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.

Understanding how various medical devices communicate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understanding the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communication security strategy is put in place around those devices,” Mehring says.

At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.



Phishing Attack at Georgia Health System May Have Exposed 400K Patients’ Data

August 20, 2018
by Heather Landi, Associate Editor

Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.

In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.

Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal information and PHI of approximately 417,000 individuals.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time, Keel wrote in his message.

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number, organization officials said.

Keel also wrote that IT staff reacted quickly to contain the July 11, 2018, attack. “The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway,” Keel wrote.

In response to the incident, the organization has taken or will be promptly initiating several actions to protect against future incidents, Keel stated. Organization leadership created a new position of vice president for audit, compliance, ethics and risk management to bring “fresh leadership and direction to compliance functions.”

The organization also is implementing multifactor authentication for off-campus email and system access, reviewing and adopting solutions to limit email retention, and leadership is taking steps to implement a policy banning PHI in email communications.

In addition, Augusta University officials said the organization is employing software to screen emails for PHI or personally identifiable information (PII) to prevent them from being sent, increasing employee training in preventing security breaches, and enhancing compliance-related policies and procedures.

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts.



PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi, Associate Editor
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency


Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report based on a survey of hackers uncovered some alarming results: about a quarter of hackers surveyed say they can complete a breach of a hospital or healthcare organization in under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point, the incidence of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length.



Who Can Healthcare Trust When Ransomware Hits?

WannaCry and Petya caused business impact for several organizations, and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is the role that information sharing played between private industry and the public sector, specifically between the NH-ISAC Threat Intelligence Committee (TIC) members and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).
