Marx: Leadership cornerstone to health IT security
BOSTON--How did IT security staff get the attention of executives at Texas Health Resources? By hacking into their email accounts, said Ed Marx, senior vice president and CIO at Texas Health Resources, speaking at HIMSS’ Privacy and Security Forum on Sept. 9.
“I realized security was not at the level it needed to be. No matter how many trumpets we raised, we weren’t able to capture the attention of senior management,” he recalled. After he handed senior executives envelopes containing their own email passwords, which he noted took “less than one second to find,” the leaders realized security vulnerabilities were present in the system, and more funding and resources began to flow.
“When it comes to privacy and security, healthcare must think and execute differently,” he said. Health IT security is analogous to the Great Wall of China—a 1,500-mile long, 40-ft. high structure that, despite its sheer enormity, did not prevent Mongol attacks. “The reason why was because there were gates. The wall never really served or fulfilled its purpose. You can’t measure a country by brick and mortar but by the character of its people.”
The same applies to health IT security, he said.
“We can’t think about building walls, but something more resilient, flexible and able to adjust to threats that will come our way,” he said. Integral to this is placing real authority in the hands of chief security and compliance officers, and allowing them to work more directly with senior business and clinical leaders to address and manage risk.
At Texas Health Resources, a 25-hospital system, the chief security and compliance officer has access to such leaders through a security governance council that meets about six times per year. The officer is empowered with authority and autonomy, which drives his success, he said.
Marx also shared some of the system’s strategies for identifying and managing risk. Texas Health Resources hires three separate vendors, rotated out every couple of years, to provide an independent view of risk. It also conducts an internal audit, and its security program prioritizes risks and proactively plans for breaches, Marx said.
“Our security program is based on data and not emotions or what we saw in the latest magazine,” he said. “It’s a daily process.” This process entails a risk-based approach to managing current and emerging threats within its complex healthcare environment.
“Risks can be found everywhere. We do not chase weaknesses, we manage them,” he said. As such, the system’s program focuses on the highest-priority risks. “We can’t manage everything. Life is about how you manage risk.” Most breach events can be prevented through basic blocking and tackling: following well-known policies, procedures, standards and best practices, he said.
Ultimately, it all boils down to leadership. “It all comes to leadership. Everything rises and falls with leadership,” he said.
Marx suggested the following activities to buttress health IT security:
- Ensure ownership of and accountability for technology risk within the organization
- Break down barriers for the compliance and security staff
- Ensure security needs are prioritized and funded
- Ensure the organization is prepared for that breach or disaster event
“It’s less about turf wars and more about doing the right thing for the patients,” he said.