"We see healthcare as a communication and flow of information data that needs to be protected at all times. You can never just sit back and rest on your laurels, because you can be certain the adversary isn't," Marx says. He adds that a hospital has to be willing to invest heavily in technology and work closely with its vendor partners to remain current about the latest threats.
"We test the defenses of our network with a third party that will tax our systems to make sure we have latest and greatest security," he says.
Marx says that CEO Douglas Hawthorne's belief that security is not just an IT problem has helped keep up the system's defenses. "Our CEO has long been an advocate and leader for IT at Texas Health. It has been and remains on his agenda, specifically as it relates to safeguarding patient privacy," Marx says.
Of course, all the outside testing in the world won't do the hospital any good if the threat comes from the inside, like at UCLA Medical Center, where one employee was responsible for many of the data security breaches.
Marx says THR spends a significant amount of time educating employees about what happens when they don't follow good security practices. "It's easy to get lazy because things are working fine, but that's when you are most vulnerable. We've found that you absolutely have to be hyper-vigilant, not just about education, but about staying current as to what the latest threats are," he says.
Offering guidance and helping the industry keep up with the latest security threats is what a fairly new collaboration called Health Information Trust Alliance (HITRUST) says it's all about. According to Dare, the group, comprised of representatives from across the healthcare spectrum, is in the process of creating a common security framework that will include a single set of standards for security governance practices and security control practices, as well as a guide to help organizations reconcile the different aspects of existing security standards. Dare says the HITRUST will publish its first set of work in January 2009.
Although it's a daunting task, keeping private data from the public isn't impossible, but, like Marx says, it takes complete buy-in from the entire health system—from the CEO right on down to the nosiest front-line employee.
Kathryn Mackenzie is technology editor of HealthLeaders magazine. She can be reached at email@example.com.
Note: You can sign up to receive HealthLeaders Media IT, a free weekly e-newsletter that features news, commentary and trends about healthcare technology.