According to a recent report from the Breach Level Index, the healthcare industry had the highest number of data breaches in the first half of 2015 and also led the way in number of records breached by industry, with 84.4 million records. These findings represent a dramatic shift from the past few years when healthcare had relatively small numbers of records involved in data breaches, according to the report.
The report findings are just one more reminder of the ongoing threats to healthcare information security and highlight the importance of building a strong information security program. Ron Mehring is the chief information security officer at Texas Health Resources, the 25-hospital integrated health system based in Arlington, Texas, that has a workforce of 22,900 employees. Mehring recently spoke with HCI Assistant Editor Heather Landi about the growing risks to healthcare data security and his risk management strategy for managing the security program at Texas Health Resources. Part one of Mehring’s interview with Landi from last week can be found here; part two excerpts can be seen below.
On the topic of cybersecurity, what have you taken away from the large scale data breaches at Anthem and UCLA Health?
Be prepared and have a plan. From what I have learned, and those organizations, Anthem especially, have been very transparent on the way they handled those breaches, you need to have a great response plan and be prepared for that inevitable breach at the tactical and technical level, but also at the executive level. You need to make sure everyone understands that it could happen and have a plan.
What types of threats do you think are the biggest risks to your organization?
With all the publicity that goes with the massive breaches out there, external threats have the podium right now, and we’re paying attention heavily to that. And at the same time, we have to keep our eye on the ball with internal threats. I think the probability of an internal threat is greater than an external threat. You have a trusted environment where you’ve done background investigations of people accessing your system and you trust them and for the most part they are doing good things for those we serve, our patients, but occasionally you do have a situation where somebody does things inappropriately internally inside your network and you have to take action.
How do you handle that internal threat to data security?
With an internal threat, there’s the malicious insider who is deliberately trying to cause harm or trying to steal data to monetize that data. And then there is the inadvertent accident where someone puts data on an unencrypted drive and they leave the building with it and those are not necessarily malicious actions but they obviously need to be handled. Within any good security program, you need good policy and good training where people are aware of the policies and can be held accountable for their actions. Our policies reflect sanctioning activities, which are required under regulatory rules when there is a security incident or privacy breach, as well as accountability at the individual level in terms of how individuals handle data appropriately. Policy and training are very important.
On the topic of training, what is your strategy for training end-users?
Our training regimen is immersive. We have worked deliberately with our university, Texas Health Resources University, and our corporate communications to develop vigorous, continuous awareness throughout the year. So we send out communications and reminders and we attend directors’ leadership meetings within each hospital. We also set up booths inside of hospitals so we can have cybersecurity days and actually talk to different business and clinical staff inside the hospitals’ clinics. The end-user training has got to be continuous and immersive as we help our end-users protect their systems and our patients’ information. One of the things we’re going to be focusing on at the end of this year and next year is phishing. We are going to have a really aggressive training program focused on giving end-users the tools to effectively evaluate emails and how they should respond to an email.
And, here is a hot topic, should core data in the EHR be encrypted at rest?
Ideally, yes, we should encrypt as much as possible at rest. The problem is that with large data sources and database complexity, it can be difficult to encrypt at rest. The reality is we need to look at how the database is being used transactionally, and then do a good risk analysis and understand clearly what needs to be protected and how it needs to be protected at the database layer and then below the database layer. And so when you say encryption, there are multiple ways we can engage that.
I think the most important factor when you get into database management and database security is that the most sensitive data elements are clearly identified and inventoried within the database, and then those areas within the database and access to those areas are monitored heavily. And then look at the data sources and how those data sources are being managed in the enterprise for protection; are the data sources being managed effectively and deliberately? And then looking for targeted ways to encrypt and redact mass data. There are many different techniques that could be used to effectively protect data, so we need to open up the spectrum and not just look at encryption because that might not be the most effective with these large data repositories with high transaction counts. Encryption is great and we need to look at that, but we also need to bring a slew of other techniques to the table to protect those databases so they operate well. A solid risk analysis needs to be done on those databases.
What risks do medical devices pose to healthcare information security and how is your team handling that risk?
At the provider level, you have these ecosystems where the systems are engineered into the architecture. And whether the medical devices are wireless or not, medical devices, in many ways, bring different types of risk to the organization, as medical devices have a heavy patient safety component as well as the confidentiality component, as the devices could leak data. And, in the way medical devices are designed and operated, they become what could be considered a pivot point, so they could be attacked, and the trust relationship the device has with the network could be leveraged against the rest of the network. In other words, someone could use that trust relationship to get to other things inside the network. I think there is a lot of undefined risk in that space, as they [medical devices] have been in a black box for many years. Many organizations have started to open that box. Specifically, we work collaboratively with our biomedical teams to understand what those risks are in the organization and how we can effectively protect those devices as well as protect the rest of the environment from those devices.