Being responsible for the data security of 25 hospitals sounds like a daunting assignment, especially given the different types of risk, volume of data and variety of end points. But Ron Mehring, director of information security for Texas Health Resources, uses a layered methodology when managing security for all of those organizations.
Mehring is the director of information security for the Texas Health Resources system, which includes all of the 25 hospitals and other clinical settings. Its organizational structure is such where it’s decentralized and there’s ISO at each hospital and an ISO that reports directly to Mehring.
The bulk of the Texas Health Resources system security program is managed centrally from the corporate level. And it’s governed centrally from a risk management and security architecture and operations framework. While there are some things that would be executed locally, such as making sure people are badged from a physical perspective, Mehring has a number of different security focuses in an assortment of settings.
Could you talk about the Texas Health security framework?
We have a pretty large portfolio of technology that we use to protect our enterprise network. We centrally manage and encrypt all of our laptops, desktops and mobile devices. This encryption is managed through a central system that also manages our AV and other end point security technologies.
[Texas Health] isn’t a big multi-factor shop yet. We primarily use user name and password with a complex password for authentication that is centrally managed. We also have an identity management system that is integrated into our different authentication systems that are used for enterprise applications.
There are different layers [to the security framework]. We have a boundary layer security area with firewalls and intrusion prevention systems and an end point security layer where we’re securing different end points such as desktops, servers and mobiles devices. We have that layer that resides, more or less, in between the boundary and endpoint security layers where we’re doing things such as database activity monitoring, managing privileged access, and integrity monitoring on specific high-value systems. We’re also performing vulnerability assessments and patching systems. To actively protect our environment we view our architecture in layers and then apply non-technical and technical security approaches to each layer to protect information and systems. With mobile and cloud computing this layered approach is being reengineered to account for the way users interact with systems and data.
How do you manage user access monitoring for such a large network?
That’s a tough one to solve when you have a large application portfolio and you have to synthesize all these different logs and data into a single system. So we started aggregating more and more into centralized systems where we can monitor, as an example, where Nurse A is accessing a record of a family member. Our privacy monitoring system tells us if this was inappropriate access. This year we are starting to aggregate more event logs at a much more granular level within the systems and with that data and we will start getting more detailed and aggressive in our activity monitoring. We are integrating our network monitoring with the application logs and we’re starting to synchronize it with our other activity monitoring systems, such as identity and data loss prevention systems. The goal is to have a much more synchronized approach across applications and network events.
How often do you generally change passwords?
We use a complex password and mandate a change every 180 days, which for a health system in this day and age is pretty aggressive. This especially is the case when you consider the interactions we have with different clinical applications and how complex passwords can create a negative impact to clinical workflows and operations in high-pace environments. It can be tough sometimes to enforce this relatively rigid policy, but in general it but seems to be going pretty well within our health system.
What is your mobile security strategy?
We’re primarily a BYOD shop. There are very few corporate-owned mobile devices unless they’re dedicated to a specific mobile application. In a BYOD environment, of course [the challenge] is the diversity and complexity of the end points. There are lots of different types of mobile devices, operating systems and form factors that come into play. This influences not only how we secure the device but how we provision an application with that device in a way that’s consistent. We’re doing things like making sure we don’t have to recognize so much the details of the end point. Instead we’re looking at ways to provision virtualization technology to that end point where we don’t have to worry about it and keep the information off of it but basically provision in the application interface.