Interview with Terrell Herzig, who is the Information Security Officer at the University of Alabama at Birmingham (UAB) Health System. Terrell is also UAB’s HIPAA Security Officer, an Adjunct Professor in the Health Informatics Program at UAB, and the editor of Information Security in Healthcare: Managing Risk, published by HIMSS. Terrell kindly shared his views regarding the day-to-day challenges faced by security and compliance teams in healthcare while striving to improve their overall security posture.

“…the recent fines driven by HIPAA and HITECH enforcement are really a wake-up call, not just for IT and security, but all the constituents in healthcare.” – Terrell Herzig, UAB Medicine

Thanks so much for taking the time to talk with us about security. Let me start by asking for your opinion regarding the biggest challenges you and your teams are facing in healthcare.
Traditionally healthcare has been behind on information security. But the recent fines driven by HIPAA and HITECH enforcement are really a wake-up call, not just for IT and security, but all the constituents in healthcare. Just earlier this month Blue Cross Blue Shield of Tennessee agreed to pay the U.S. Department of Health and Human Services $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules. The settlement involves the 2009 theft of 57 unencrypted hard drives containing sensitive information belonging to more than one million policyholders. When your problems hit this scale, information security is no longer relegated to the back office. We are seeing more awareness of the broad implications of failures to adhere to compliance – not just with internal controllers and auditors – but now involving clinicians and care delivery professionals.

You have long been a proponent of penetration testing. What are the critical factors and unique requirements in healthcare organizations such as yours?
Healthcare organizations usually have small security teams and resources. Most health systems our size have 8-10 people supporting all security needs of a similar-size infrastructure. Many of these individuals must split their time across a multitude of mission priorities. Our move to automated penetration testing boils down to very pragmatic and economic considerations – we simply needed to know where to focus our limited resources. For instance, the information gathered from vulnerability scanning, while valuable, is hugely time consuming to cull through. Frankly this is not where I wanted to focus my team. They needed to get more intelligence from the data. The other alternatives were periodic consulting engagements with professional penetration testers, but the templates those folks presented were a big turnoff. The automated tools like yours are not just a lot less expensive, but they hold more value because now we know exactly what is truly exploitable and get a closed-loop validation of the results. We use CORE Impact software across our business as part of a disciplined testing and risk assessment – validating and testing controls of our infrastructure and policies. For example, when we bring a new system into production, we use pen testing techniques to determine if the product is configured correctly. This allows us to obtain a baseline which is invaluable in comparing and tracking post-production test results. We also use CORE Impact to validate patches and policies of our firewalls and VLAN systems. Healthcare organizations typically use many VLANs to segment devices of different security configurations.
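The baseline-then-retest loop described in this answer, as an added example that is not the interviewee's, UAB's or CORE Impact's code: it parses two constructed reachability test runs across VLANs (the `src=… dst=… port=… result=…` line format, the VLAN names, hosts and the ALLOWED policy are all assumptions for illustration), reports paths that violate the segmentation policy, and reports drift between the go-live baseline and a later run.

```python
import re

# Segmentation policy: (source VLAN, destination host, port) tuples that are
# permitted to be reachable. Constructed values for this example.
ALLOWED = {
    ("clinical", "ehr-app", 443),
    ("clinical", "pacs", 104),
    ("mgmt", "pacs", 22),
    ("mgmt", "ehr-app", 22),
}

# Constructed probe output captured at go-live (the baseline). The line
# format is assumed for this example, not any tool's real output.
BASELINE_RUN = """\
src=clinical dst=ehr-app port=443 result=open
src=clinical dst=pacs port=104 result=open
src=clinical dst=pacs port=22 result=filtered
src=mgmt dst=pacs port=22 result=open
src=mgmt dst=ehr-app port=22 result=open
src=guest-wifi dst=ehr-app port=443 result=filtered
"""

# Constructed post-production run after a firewall change: SSH to pacs is
# now open from the clinical VLAN, and mgmt -> ehr-app SSH has been closed.
CURRENT_RUN = """\
src=clinical dst=ehr-app port=443 result=open
src=clinical dst=pacs port=104 result=open
src=clinical dst=pacs port=22 result=open
src=mgmt dst=pacs port=22 result=open
src=mgmt dst=ehr-app port=22 result=filtered
src=guest-wifi dst=ehr-app port=443 result=filtered
"""

PROBE = re.compile(r"src=(\S+) dst=(\S+) port=(\d+) result=(\S+)$")

def reachable(run_text):
    """Parse a run into the set of (src_vlan, host, port) found open."""
    paths = set()
    for line in run_text.splitlines():
        m = PROBE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable probe line: {line!r}")
        src, dst, port, result = m.groups()
        if result == "open":
            paths.add((src, dst, int(port)))
    return paths

def segmentation_report(baseline_text, current_text, allowed=ALLOWED):
    """Policy violations in the current run plus drift from the baseline."""
    baseline, current = reachable(baseline_text), reachable(current_text)
    return {
        "violations": sorted(current - allowed),       # open but not permitted
        "newly_reachable": sorted(current - baseline), # opened since go-live
        "no_longer_reachable": sorted(baseline - current),
    }
```

Running the retest on a schedule and treating any non-empty `violations` or `newly_reachable` list as a finding gives the closed loop the answer describes: the baseline is the control, and each run re-validates the firewall and VLAN policy against it.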

Can you share what it is like behind the scenes? In particular, what happens in your meetings with external auditors?
Healthcare organizations are under a variety of regulatory “guns” including HIPAA, HITECH, and PCI DSS. Many regulatory groups require a sound evaluation process to determine if security controls are functioning as designed. This is why having a risk and security assessment process is so critical. We have frequent financial audits that require verification of certain controls, such as access controls for instance. However, working with auditors to ensure our compliance can be an all-consuming effort. Organizations with a mature security program must not only monitor their controls, but test them frequently. By testing, organizations can implement a full quality loop and roll their findings back into practice. As an academic medical center, we also have to comply with federal security programs such as FISMA, which utilize many of the NIST best practice documents. This compliance activity stems from our NIH research projects. Finally, since we operate our own insurance programs, we are required by the state to run frequent penetration tests.

You certainly have a lot of ground to cover, Terrell. Before you head back to your busy day at UAB, what parting advice can you give your peers who are working to mature their security programs?
First, think about security as a program. Don’t make knee-jerk decisions based on the most recent breach type or technology of the day. Instead, think holistically about your investments and tie them back to critical assets and risks for the organization. Security is often perceived as a barrier. Information security professionals need to show how security can produce a return for the investment. This will help you make the case to management when you need tools to secure the enterprise. Most organizations’ initial approach to information security was to put policies in place, but the policies alone are not sufficient and do not constitute adequate controls.