At the World Health Care Congress 2016, Marc Probst, notable vice president and CIO of Salt Lake City, Utah-based Intermountain Healthcare, discussed the continual—and increasing— threat that the healthcare industry is facing when it comes to protecting data.
During his case study presentation, "Avoid Data Breaches and Strengthen Health Information Security" at the Marriott Wardman Park Hotel in Washington D.C., Probst reflected on when he first started working at Intermountain 12 years ago. Back then, he recalled, IT security consisted of just passwords and usernames. There wasn't anything close to the chief information security officer (CISO) that you see all across patient care organizations today, but just someone who ran the data center and was mostly concerned about locking doors and changing passwords. "Physicians would get ticked off every five years when we asked them to change their passwords. Yes, every five years," Probst said, partly facetious.
Probst further looked back at one of the first data breaches at Intermountain since he was there, involving a lost laptop which was unencrypted and had a lot of behavioral health data on it. "We spent tens of thousands of dollars investigating it, and we did recover it. We had poor security on it and no way to track it. It woke us up," he admitted. He additionally recalled another incident at the nearby University of Utah Health Care involving records stored on backup security tapes being stolen from an employee's car overnight. It cost the healthcare organization about $2 million, and Intermountain, having learned from the incident, began encrypting their tapes two weeks later, Probst said.
The current environment at Intermountain, however, reveals the obvious—times sure have changed. "Now, it's the chief job of the CISO to be in charge of information security," Probst said. "IT is clearly the fastest growing area in information systems. I am incredibly concerned about security as a CIO, and it's mostly because we have people in the most vulnerable times of their lives with their most private data. It's our duty to protect that data that's been entrusted to us," he said.
As such, Intermountain now has a a multi-faceted, layered approach to tackling the one thing that Probst has previously said keeps him up at night
more than anything else in healthcare. "I'd rather our data center go completely dark than have a major data breach," Probst said, confirming that fear. Part of this proactive strategy is a recently deployed security operations center (SOC), a 24/7 monitoring system that generates daily security reports across Intermountain by looking at business activity, network traffic, and actionable events.
Probst said that the health system is looking to take this information center and make it a shared one, in which Intermountain and other local healthcare systems pool all of their assets together into one center. He said this isn't outsourcing IT security, but rather sharing playbooks and use cases so that when an incident happens at one organization, everyone in this collaboration can be made aware and help remedy the situation. Probst admitted that this "sharing" process has challenges and isn't operating very smoothly right now, but his hope is that the kinks can be worked out soon.
Indeed, Probst said that the biggest strength at Intermountain when it comes to data security is its ability to work as a team, an essential ingredient as cybersecurity has clearly gone from hacker to attacker. "Information systems security and privacy requires a team. I meet with the head of compliance at least twice a month, with my CISO. We look at where our vulnerabilities are, and best practices emerge daily," he said
What's more, every four months Intermountain performs a practice run on what to do if it was faced with a ransomware incident, Probst said. "What would we do in that case? Well, we would call the CEO, so we do that in our practice run. We prepare, and doing so allows you to learn where you can be better." Probst added that if Intermountain were to get hit with a ransomware attack, he would be forced to pay the ransom as the consequence of hurting patient care is just too severe. "If that were to happen, we know that we would have to divert patients. In Utah, I don't know how you can do that without a really big crisis," Probst said.
When asked about if Intermountain would ever think of deploying something such as mirrored systems—an approach that would allow the health system to have a completely separate system with data on it in reserve in case the original system has to be wiped out—Probst noted the high expense associated with it, adding that it could be possible, and while it wouldn't be as information-complex as the other system, it would do the job in terms of keeping patients healthy.
To this end, Probst brought up the three different types of cyber attackers: criminals, spies and terrorists.