Intermountain CISO on importance of healthcare data security

Intermountain Healthcare CISO says in a podcast that health data security best practices include thorough training and retraining, encryption technology, and risk assessment.

For Karl West, CISO at Utah's Intermountain Healthcare, top-notch healthcare data security is as much about workplace culture as it is about technology.

Like other CISOs of major health systems, West says that while technologies such as encryption and penetration monitoring are essential, healthcare data security best practices must also emphasize employee training and retraining, as well as regular and thorough security risk assessments.

That's how Intermountain -- one of the nation's largest and most technologically sophisticated health systems -- approaches healthcare data security, West says in this SearchHealthIT HIT Squad podcast episode.

"A culture of security is just critical to the success of the enterprise," West tells SearchHealthIT writers Kristen Lee and Shaun Sutner during the podcast.

For example, even with advanced network monitoring, encryption and other health IT security tools, employees are bombarded every day with "phishing" emails that could give an intruder access to the Intermountain data network, West says.

For that reason, Intermountain holds regular security training and retraining sessions for all employees, who are also sent regular email updates on how they can keep the health system's protected health information and other data safe at work and at home on their mobile devices.

"The bad guys are becoming so significant and so advanced in their tools and technology," West says, that "it's becoming so difficult" for provider organizations to keep pace.

As for encryption, West says Intermountain encrypts all health data, both while it's being transmitted within the network or to outside associates and while it's stored in the health system. Encrypting health data at rest and in motion is equally critical, he says.

"Either way, if you leave data unencrypted, you leave an access point, a threat, a vulnerability, a risk for bad actors to take advantage of exposed data," he says.

In recent years, West says, data security efforts at Intermountain have been well funded, in large part because C-suite executives have bought into security as a critical part of safeguarding patient privacy and the finances and reputation of the health system.

"For us, it's about the people, processes and technology," he says.

West says Intermountain retains a large external security firm to perform security risk assessments during even-numbered years, and does its own internal assessments during odd-numbered years.
