CIO talks stepping it up with security

How to ensure your team has the authority to make the big decisions
By Erin McCann
09:52 AM
Texas Health Resources CIO Ed Marx

When asked how big his security team is at the 25-hospital Texas Health Resources, Chief Information Officer Ed Marx responds in a serious manner: "24,000" – which happens to be the total number of people the health system employs.

As criminal attacks on the healthcare industry continue their alarming trend upward – some reports estimate data attacks on hospitals have surged a whopping 100 percent from just four years ago – Marx's security team of 20 individuals just isn't going to cut it these days. 

Marx, who will be keynoting at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston, Sept. 9, on stopping the bleeding and getting serious with privacy and security, says part of getting serious involves letting all employees know: "(Security's) everyone's responsibility."

[See also: Data attacks on healthcare flying high.]

And this means creating a culture of security and implementing the necessary training and education to foster that culture. 

At Texas Health, all employees are required at least once per year to attend a privacy and security class and take a proficiency test so they understand security is just as much their responsibility as the CIO's. 

"We're learning through experience, and what we see happening out there, that more and more of the focus of breaches and attempts to get into systems is being turned toward healthcare," Marx says. Indeed, nearly 34 million people have had their protected health information compromised in large HIPAA breaches, according to data from the Office for Civil Rights. So when employees are educated and trained appropriately on security, the organization becomes that much more secure.  

Another essential piece to getting one's privacy and security house in order involves ensuring that chief security and compliance officers have the necessary authority to do their jobs right. 

[See also: HIPAA data breaches climb 138 percent and Ready or not: HIPAA gets tougher today.]

At Texas Health, Marx and his colleagues developed a security task force, which reports right on up to the audit committee of the health system’s board. Every two months, Marx and CSO Ron Mehring sit before the audit committee and the board. 

"We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee," he says. "When we need support, we get it because we have this governance council for security and straight access to the board."

What proved to be another integral decision was when Marx also moved the chief security officer out from reporting solely to him as CIO, so now the position also reports to the chief compliance officer. "I think that helped elevate his position in the organization and give it even more clout because we didn't want people to see this as an IT thing because it really isn't," he says. 

Marx has made it so his security people now have the authority and the support to make key decisions, so now what’s top of mind? It's not necessarily what one might think. 

Explains Marx, "The biggest risk, as much we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."

Marx anticipates his security team will continue to grow as threats – both internal and external – continue to materialize. In the last three years already, Texas Health has increased the size of its security team by 40 percent. Adds Marx: We will continue to "double down on our security."