Virtua Health Inc., a sprawling network of 16 hospitals, outpatient centers and clinics that is southern New Jersey's biggest healthcare provider, prides itself, among other things, on its commitment to the privacy and security of its patients' health data.
But IT executives at the healthcare system say they realized a decade ago that they couldn't go it alone when it came to the rapidly shifting terrain of health IT security, with cybersecurity threats proliferating along with government regulation.
Supplementing in-house staff
So even though Virtua has three staffers dedicated to IT security, the provider system also retains CynergisTek Inc. the health IT security and privacy consulting firm based in Austin, Texas led by health IT security guru Michael "Mac" McMillan, to buttress its own internal firepower.
Yes, Virtua employs encryption, multifactor authentication, and security testing of third-party apps and connected devices, said Virtua CIO and senior vice president Tom Gordon. It's the strategic direction that CynergisTek supplies, he said.
"It's part of an overall strategy we have. It's more of a partnership than a client-vendor relationship," Gordon said.
Among the most valuable assets McMillan, a former U.S. Department of Defense security director, and his team bring is deep knowledge of the federal government's regulatory framework, Gordon said.
Government expertise a selling point
In practical terms, that expertise manifests itself in personal relationships that McMillan and key CynergisTek consultants have with federal regulators in places like the U.S. Department of Health and Human Services Office for Civil Rights (OCR) -- which conducts HIPAA audits. CynergisTek's prowess is also displayed through performing all-important security audits and risk assessments required by OCR and under CMS' meaningful use program.
"That's just as important as the technology itself," Gordon added.
McMillan also has the credibility to make the "strategic pitch" to top Virtua executives and the board on the importance of investing in security. "In our program, we strive to stay ahead of the industry, and having Mac come in kind of shows the value of security," Gordon said.
As for McMillan, he sees his role with Virtua as not only talking with senior executives, but also deploying CynergisTek's technical staff to consult on testing, monitoring security logs, and conducting annual strategic assessments of Virtua's overall security approach to learn how it can be tweaked.
"It's collaborative," McMillan said.
No system immune to breaches
That said, even with a dedicated internal security staff and seasoned outside reinforcement, no security system is foolproof, both Gordon and McMillan agreed.
"I feel like we have pretty good protection in place here, but breaches are going to happen," McMillan said. "Anybody can have a breach."
But with Virtua, "I feel more confident than I do with 80% of [customers] that's not going to happen," McMillan added. "They're not just trying to keep bad guys out. They have an organization that supports security. They have a good security culture."
Actually, the health system hasn't suffered a significant breach to date, Gordon said.
That's the kind of record that makes McMillan proud. And wary.
More connected mobile health devices means more security threats
A member of FBI's Cyber Division spoke at HIMSS 2015
Risk assessments figure into health security plans