UAB's Terrell Herzig on Risk Management
In an interview, Terrell Herzig, HIPAA security officer, outlines priority projects and key lessons learned, including:
Herzig, who serves as the equivalent of a chief information security officer, heads a team of three security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state.
He is one of the authors of a new book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today at the HIMSS Conference with Terrell Herzig, HIPAA security officer at UAB Health System in Birmingham, Alabama. Thanks for joining us today, Terrell.
TERRELL HERZIG: Thank you very much.
ANDERSON: Please describe the size and scope of UAB Health.
HERZIG: UAB Health System includes a 1,000-plus bed hospital, which is our acute care, tertiary care environment. And then we have clinical environments scattered throughout the state of Alabama. We are the Level One trauma center for Alabama and we have an outpatient clinic that sees at least 35,000 to 40,000 patients annually. We are a fairly large academic medical center....
ANDERSON: So as HIPAA security officer are you the equivalent of a chief information security officer?
HERZIG: About as close as we get at UAB. We don't officially have a chief information security officer who sits on the executive team, but I communicate with our executive leadership on a daily basis. I serve as the information security officer for the entire health system and the UAB HIPAA security officer for all of it, the academic environment as well as the health system. That kind of classifies me as a chief information security officer, although we don't have that title officially.
ANDERSON: So is there a data security/information security team at UAB?
HERZIG: Yes. We have both a team of people in the academic environment (University of Alabama at Birmingham) that actually has a vice president of IT, and those individuals report up through that chain and we collaborate as a large group panel on all of the security issues across both sides. So there is myself and my staff, which right now is about three full-time equivalents, but then we have at any given time 30 other individuals we have embedded out in the different departments, schools and locations that are our eyes and ears for security issues.
ANDERSON: So let's talk a little bit about some of the projects you are working on. For example, I understand you are working on encrypting portable devices. Can you tell us about how you are using encryption so far and what is ahead?
HERZIG: Sure, absolutely. You can imagine in an academic environment we have a wide variety of different platforms that we have to account for. Of course we have standard laptop/PC environments for the health system, we also have a lot of Mac users out there, and you can imagine that if there is a portable device that exists, it is probably in operation at UAB.
So, our encryption efforts have been ongoing for about...two years, and while it has been challenging it has been very effective. We have a high compliance rate. To date we have encrypted almost 3,000 laptops and portable devices across the institution. Any of our mobile devices we have deployed in our healthcare environment are all encrypted.
We use the PGP Whole Disk Encryption Project simply because it was the vendor of choice that could match most of our variety of different platforms out there. And then of course for the thumb drives and external hard drives we have gone to a hardware-encrypted device.
We believe that the less software encryption on those devices the more interoperable they will be. For example, here at HIMSS at one of the coffee shops, they could actually use their secure thumb drive device to access the system, maybe use their VPN token credentials to actually get back into our healthcare system, and all that would be cached on that secure hardware-based drive as opposed to those little cheap devices that depend so much on software....
ANDERSON: What about using a secure email system of some sort?
HERZIG: We don't have one for the whole campus per se yet, but we are currently in the process of implementing that. We still have about another year's worth of work....We are trying to put in systems that are the minimum disruption for our physicians, but at the same time meet those encryption responsibilities.
ANDERSON: How are you handling security for data at rest, data in the databases and servers? Is encryption appropriate there or are you using just physical security?
HERZIG: Where we have the ability to do encryption at rest we are doing it; of course right now that is one of our big challenges. We are a Cerner shop, and we are basically looking at what Cerner is going to do in preparation for federal "meaningful use" EHR compliance. But where possible we are using the hardware-based encryption. Before we send backup tapes off site they run through hardware-based encryption.
ANDERSON: I understand you are working on some vulnerability assessment efforts. How does that fit in with your broader risk assessment and security strategy?
HERZIG: Well our security assessments are almost an ongoing daily basis kind of thing. Whenever we interact with a system or a vendor or it could be as simple as a physician...creating databases and spreadsheets at will...we will do a risk assessment for whatever system we engage in at that point in time so we can get an idea of the challenges that we are going to face.
But one of the things that we have discovered, as everyone else has, is there are a lot of new threats out there, or maybe some old threats being delivered in new ways. For example everybody is questioning social media and the ability to easily socially engineer individuals....At the end of the day we have got to look for those threats and stay ahead of them.
We run so many different software tools that even with those effective awareness programs, we have to be out there scanning equipment and looking for obsolete software...flash software and other things that people don't think about updating, we have to manage that on the back end.
ANDERSON: So you are updating your intrusion detection and prevention systems as well?
HERZIG: Yes, absolutely.
ANDERSON: What needed updating?
HERZIG: We have always relied on the Cisco intrusion detection systems, but as you go out and you start looking at all of the different outward-facing equipment, it doesn't stay static very long. You have got to keep it upgraded.
You have got to keep looking ahead at new threats that are coming out. And we have got two choices there. We can either improve our tools and do better security event management, or we can depend on some of the software to find things where we have to increase our FTEs to put eyes on logs and things like that. So we are investigating heavily in new security management technologies.
ANDERSON: I understand UAB is participating in a National Cancer Institute project that enables sharing of data to speed research. How is that working? What are the security issues that it raises?
HERZIG: It's the caBIG project and as you can imagine it sets up a collaborative, much like the National Health Information Network hopes to achieve. We want to facilitate our researchers getting information. We have a renowned cancer institute, and we want to be able to facilitate the researchers being able to exchange information with their colleagues at different institutions. This has been a national effort since 2007 for the Cancer Institute. By implementing the bioinformatics grid they have given us the tools, the concepts, the abilities to share this information. But there again...there are a lot of security challenges with that as well as the National Health Network.
Right now we are looking at federated security models and tools that will harvest the data back and forth and get it prepped up and be identified appropriately so it can be shared.
ANDERSON: So if that goes well, what is the end result of all of that effort?
HERZIG: Well if it goes well for us then it sets a good technology foundation for how we are going to deal with our state health information exchanges.
Myself and the CIO of the UAB Health System are actively involved in helping design Alabama's state health information exchange. So the same technologies that we learn from using this federal security concept could roll into practice with the health information exchange...and on up to the National Health Information Network.
ANDERSON: Very good. So you have got a new book out with consultant Tom Walsh. What is the name of the book and what is it about?
HERZIG: The book is "Information Security and Healthcare: Managing Risk." It is debuting at HIMSS. Like you said, Tom is an author; we have several other authors that have contributed to the work, and we have tried to cover all of the different security topics of interest for the last year and looking forward to the HITECH Act and the National Health Information Network.
ANDERSON: Thanks a lot, Terrell. We have been talking with Terrell Herzig of UAB Health System. This is Howard Anderson of Information Security Media Group.