With 14 years under his belt working with government entities in IT security, Phil Alexander, Information Security Officer at University Medical Center (UMC) Health System, certainly has a unique outlook on IT security in the healthcare sector.
Based on those experiences at the federal level and his one year at UMC, Alexander talked with HealthITSecurity.com about his current focuses and where he thinks healthcare IT security is headed. UMC Health System, which includes all its clinics in the local area, is the major regional provider in the West Texas area, so Alexander has a lot to keep track of.
What are you concentrating on security-wise at UMC at the moment?
When I got here, we were doing the typical basic cybersecurity and information assurance, nothing out of the ordinary. So I split my team into two: one dedicated to beefing up information assurance and the other being our computer security incident response team (CSIRT).
The CSIRT team does a lot of traffic monitoring, packet analysis and forensics. And then on the other side of the house we’re increasing user awareness training this year. I have a different philosophy on security awareness – I know there’s been a lot of discussion on the subject and there have been two philosophies. There’s one that argues organizations will never teach the end user anything and the other that says it’s a must-have. The pendulum kind of swings back and forth on the topic, but I think we’ve made a mistake over the past 20-30 years in IT in that organizations have told users that the organization, not the users, will take care of security. That worked back in the mainframe days of the 1970s and 1980s where your information at work wasn’t available to you at home. That doesn’t work anymore because work and home devices now look very similar to each other, so we’ve never really taught some of those users proper security.
Can you talk about what works for you with user awareness training?
We try to make user awareness more personal and don’t just tell them that they need to secure patient data. It’s not that they don’t care, but it’s just not relevant to them. They have a job to do and I’ve been showing them how to secure their own devices, such as a smart phone or laptop, as well as providing data on identity theft. If we get them into a habit of protecting their own stuff, then whenever the anomalies happen at work, they know that it’s not right because they’ve already learned how to protect their data at home. For example, we have a phish market blog where they can report phishing and we post a few times a week to really get the word out [on user awareness].
Do users bringing in their own mobile devices affect network security?
That’s a big thing for us and something that I’m not used to as well, because I never had to deal with mobile devices in my prior experiences because we didn’t allow them in the buildings. While I’m all about the newest technology and think it would be cool to see doctors running around with iPads, the mobile device management (MDM) piece that’s tied to BYOD is something that we’re still struggling to get our arms around. I think that’s something that’s an issue in healthcare in general.
Another part of this is new technology like Google Glass. When a couple of users began wearing Google Glass, the first thing I thought of was what would happen if a surgeon went into the OR and recorded a surgery. But the question is, where’s that data going? It’s not going to my servers.
That data goes straight to Google and we’re not big enough of an organization to tell Google what it can and can’t do with the data. The question is how do you protect and stop it? Right now, it’s easy if you’re in the operating room (OR) and someone starts taking photos, because everyone around them will tell them to stop doing it. But Google Glass is kind of introducing a new thing where it’s more than a prescription glass and they’re actually using the Google Glass to record something in the room. We’re looking at geo-blocking where devices are connected through our wireless.