Last week came news that yet another healthcare organization, Excellus BlueCross BlueShield, was the target of a cyber attack on its IT systems. This latest hacking incident exposed the personal data of more than 10 million people and once again highlights the ongoing threats to healthcare information security. Ron Mehring is the chief information security officer at Texas Health Resources, the 25-hospital integrated health system based in Arlington, Texas, that has a workforce of 22,900 employees. He reports directly to CIO Joey Sudomir and heads up Texas Health Resources’ information security program with a dedicated staff of 17. A retired U.S. Marine, Mehring served 21 years, and his experience with the Marines included working in the information security space. His work with government information security included leading oversight and compliance teams at the U.S. Department of Veterans Affairs, where he also led the department’s security operations and network defense. Mehring also worked as an information security consultant before joining Texas Health Resources as CISO, a position he’s held for the past four years.
Mehring recently spoke with HCI Assistant Editor Heather Landi about the growing risks to healthcare data security. In this first part of a two-part interview, Mehring shares his insights into the complexities that CISOs face and his risk management strategy for managing the security program at Texas Health Resources.
What is your vision for Texas Health Resources’ information security strategy in the next few years?
The security program will be managed through the lens of risk and threat management. We’ll set priorities, investments and performance goals through that lens. From a vision standpoint, if there is anything I’d like to see, it is to continue down that road of integrating risk management practices well into our security program. And that’s not to say that we haven’t done that in the past. We are going to become much more deliberate and much more focused in terms of how we manage the program. I want to ensure that this risk management approach is not just something that exists within the tactical operational areas or regulatory areas of the program, but that it’s actually engaged in and populated within multiple layers of the organization as we manage security. From the audit and compliance committee, down through executive leadership, down through our security governance council and all the way down through the different operational areas, I want us to manage our priorities through that lens of risk management.
How has information security at healthcare organizations changed and what will it look like going forward?
I think healthcare systems as a whole are going to become much more mature and adopt more formal risk management principles and approaches that have been common in other areas, such as the finance industry, where risk management has been an integral part of their strategy. This means healthcare organizations will start bringing forward benchmarks, targets and measurements and much more quantitative data to the risk area, rather than addressing risk in a subjective way, which is saying, “Hey, here’s a problem and here’s why I think it’s a problem.” That approach doesn’t work over time, as what you end up doing is just dealing with the fire of the day. So I think we’ll see more sophistication in managing risk over time and, that way, cost investments can be prioritized more effectively in healthcare. This is what needs to happen; otherwise, we’ll be chasing every single new technology and every new process without ever making any progress in relation to the priorities of the organization and the business.
What are some of the biggest challenges that you and your staff are facing?
Plain and simple, it’s complexity. I think it’s one of the toughest challenges we have in healthcare—the merging of regulatory requirements, the merging of internally- and externally-based threats—and how do you manage this in an ecosystem of diverse technologies managed by multiple areas of an organization? It’s just a huge pool of complexity. So you get into medical devices, healthcare IT applications, infrastructure, cloud-based systems and software service products, accountable care organizations, health information exchanges, third-party vendor relationships—it all piles into the security program. The goal is how do you actually separate that into manageable pieces so you can effectively manage risk? And, how do you prioritize inside that large portfolio and make sure you’re focusing on things at the right time? I think the biggest challenge to security is managing that enormity of complexity.
Is information security getting more attention and visibility at healthcare organizations?
Absolutely. And, that path has unfortunately been laid by those who have been victims of cybersecurity attacks. When you look back to 2013 when the major breaches started happening in a cascading way from retail to healthcare and government, immediately we had a lot more attention from the executive leadership at the board level, saying, “What exactly are we doing and what plans should we have in place?” And it’s not that they weren’t interested before. Fortunately, working for Texas Health Resources, we’ve always had an actively engaged compliance program as well as an actively engaged executive leadership and board membership that asks questions. But from an industry perspective and from talking to my peers, they are all getting asked much deeper questions today. Even I am getting much deeper questions. In other words, the executive leadership is now actually wanting to see some sort of evidence in terms of how we are performing in these areas in the security program.
Stay tuned for Part 2 of this interview coming soon, which will examine the lessons learned from recent data breaches, what Mehring sees as the biggest threats to his security program and his thoughts on encrypting core data in the EHR at rest.