Impact of Target Breach in Healthcare

UPMC's John Houston Describes Monitoring the 'Dark Web'
In the wake of the Target breach, the University of Pittsburgh Medical Center has ramped up Internet monitoring to detect early if the organization is a target for attacks, says John Houston, UPMC's security and privacy leader.

"In relation to the Target breach, we've decided to go down the path of engaging a third party to help us monitor the Internet for activity that might be related to UPMC - watch some of the 'Dark Web' and some of what's going on in the hacker communities - to see if our name's coming up in relation to things being planned or information that's been stolen and is being resold," says Houston, UPMC's vice president of privacy and information security and associate counsel.

"So hopefully we can catch it on the front end, catch them talking about us before they actually execute something," Houston says in an interview with Information Security Media Group during the recent 2014 HIMSS Conference.

This approach will enable the medical center "to prevent something or respond more quickly if that sort of breach were to occur.

"When you look at the kind of information that's handled in the healthcare sector, it's the same kind of information that can be used to steal somebody's identity," including credit card and insurance information, he says.

International Reach

UPMC, an $11 billion health system in Pittsburgh, offers healthcare services internationally, including organ transplants in Italy, cancer care in Ireland and telemedicine services to patients in Afghanistan. Providing services to patients internationally presents complicated legal and data privacy issues, Houston says.

"The biggest challenge is that we are dealing with a whole different set of laws in each location," he says. "We need to make a conscious decision of how we manage that information, and do we allow it to cross borders or keep it within the border of the country we're serving in," he says. "You have to use a lot of forethought in how you're going to manage the information and you have to look at the laws to make sure we're not going to do something that violates those laws."

In the interview, Houston also discusses:

  • The complex privacy issues involved with providing family members access to their relatives' electronic health information;
  • An update on an identity management venture, CloudConnect Health IT, a joint venture that UPMC and Oracle launched last year to focus on helping smaller hospitals manage user access, and why ID and access management are especially challenging issues in healthcare;
  • How the use of patient privacy monitoring software helped UPMC detect a breach last year involving an employee who was snooping on patient records, and how that worker's termination and the known use of the monitoring software is helping to change workforce behavior at the organization.

"Now that they know we are watching, frankly, they're saying 'I don't want to be that person disciplined, I don't want to be that person that maybe gets terminated.'"

Houston has been an information security leader at UPMC, which has more than 20 hospitals, 400 outpatient sites and a health insurance division, for more than a decade. He is a member of the Health IT Policy Committee's Privacy and Security Tiger Team, which makes recommendations to the National Coordinator for Health IT. Houston is also a member of the Pennsylvania eHealth Collaborative's Policy and Operations Tiger Team.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.