Auto-negotiation of transport-layer security, irrespective of vendor or service provider, is something Texas Health is able to achieve today, with some exceptions. "The underlying protocol does that, so my email servers are set up to auto-negotiate transport-layer security," he says. "As long as the other system has that ability to do the same and configure the same, it'll negotiate that secure transport.
"Every once in a while we get a health system that pops up where they're using a different system in a different configuration, and we have to take a kind of a one-off approach in how we're going to get data to them securely," Mehring says.
Data-loss prevention's next hurdle is fast approaching, however, as providers widely embrace health information exchanges.
"Our data-loss prevention systems are really kind of a very internal function," Mehring says, adding that "health information exchanges imply the sharing of information. Just moving DLP into that environment will be extremely difficult.
"We're going to be relying on a lot of nontechnical ways to control information in those environments. If we're using vendors to provide the health information exchange capabilities, they're building in robust technologies to control information as it sits in the exchanges. I think we're going to be relying on a lot of that," Mehring says. "Of course you are passing out information to folks that really kind of goes beyond the trust boundary and trust negotiated through participation agreements and things like that, which are all very nontechnical approaches."
Those nontechnical approaches include strong information security and privacy policies, standards, procedures, and training, built using a risk-management approach, Mehring says.
And the DLP technology solution, as good as it is, also has to evolve to keep pace with the cloud-based services the network providers use. Providers can bring their own devices to Texas Health and may have data network access through a carrier's 4G network rather than the internal healthcare network, which bypasses the network policy that blocks Dropbox and its ilk.
"If they really wanted to, staff could go ahead and screen-capture that data and things like that, where we might not have full control of that device to control that interaction," Mehring says. "That happens quite often. I think most health systems are struggling with that today, on how much authoritative control they can take over these personal devices, which we do in many cases. When they're accessing data definitely they have the ability to potentially move that data onto their device. We'll take active control of that through our security solutions.
"But of course there's always the devices that kind of come and go. They come in, they access data, and then they go away, but they never really became a formal part of the actual infrastructure. We try to get in the middle of that interaction in all cases through our internal DLP solution and interrogate that transaction before it leaves, but like I said, there's always things like shadow IT or the shadow transaction, right? Everyone struggles with that, I think."
This article appears in the November 2012 issue of HealthLeaders magazine.