Security needs business intelligence
The list of tools in a health organization's data security armamentarium is long and varied: firewalls, encryption, anti-virus, etc. But a truly risk-based security framework needs more than mere protective measures. It requires awareness.
Ron Mehring, senior director and chief information security officer at Texas Health Resources, oversees security architecture and operations at the sprawling 25-hospital system – an organization whose sheer size and name recognition plausibly make it a conspicuous target for any bad actor looking to gain access to its huge troves of data.
"With larger health systems, there's more data there, there's more complexity there, and there's a larger base of users," says Mehring. "Just your footprint alone makes you a target."
That understanding – that THR (like "all of us in healthcare") is beset on all sides by shadowy cyber crooks looking to exploit the tiniest chinks in its armor – has led to some adjustments in its security strategies in recent years, he says.
After all, the recent drumbeat of massive data-loss events – Anthem, Community Health Systems, UCLA – is hard to ignore.
"The onset of these large-scale breaches is changing how we prioritize our security efforts within the health system," says Mehring. "In the past, we kind of spent time on the regulatory and compliance level, and then we thought about what we would do (in the case of) large scale breaches."
The fact that such breaches have become so commonplace now means that THR is "changing how we prioritize investments, resources – what we fix first, what we fix last, and how we internalize risk treatment plans," he says.
Specifically, that means escalating up from "baseline security requirements" to something much more robust. Firewalls? Intrusion protection and prevention? Antivirus? "I consider that the starting point, those are table stakes," says Mehring, who'll describe his approach to threat management at the upcoming Healthcare IT News Privacy & Security Forum December 1 in Boston.
"I think where we're heading now is: How can we manage incredibly complex environments?" he adds. "How can we more effectively manage the baseline security controls and make decisions on what advance controls or techniques we need to put in our enterprise to manage these more sophisticated threat actors who want to break in?"
That means thinking shrewdly about how to configure appliances and controls, how to ensure staff are properly trained, and how to monitor them optimally: "It's that whole slew of activities that go around those control sets that's critical in defending against these advanced threats," says Mehring.
THR has deployed what's variously called a "cyber kill chain" or a "threat actor profile," he says. "We're improving our technology around how we detect and react to phishing campaigns, whether they're targeted or broad-based. We're starting at that first injection point and then working away through every one of those profile areas. If they try to get a persistent foothold in the network, how do we detect that?
"We make sure we're monitoring more on our endpoints, we're monitoring inside of our data centers to see if we can see that anomalous activity, we're advancing our security zoning in our enterprise to break apart our network to control data flow," Mehring adds.
The goal of that last one, if the bad guys were to get in, is to make it "really hard to get to where the most important stuff is at: We're breaking apart the network to make it more difficult for them, preventing a little of that horizontal movement."
Analytics such as data loss prevention technology are also aimed at offering visibility into what the bad guys are up to, he says.
"If they get that far, can we see them lift data off these sensitive areas and try to carry it out of the network? We're putting in solutions to hopefully more effectively identify that behavior in the network. We're advancing our DLP platform, as well as some more technical parts of our architecture, to see if we can detect that liftoff when they're trying to exfiltrate and get it out of the network."
But the ideal scenario, of course, is to not let them in in the first place. Which is why THR has put in place an array of threat management systems, focused on activity monitoring.
"It gives us a good analytical view across our core systems, and helps us profile behavior. Those things exist today but they're not a consolidated end-to-end view. And in any case we have to do a lot of log aggregation and manual correlation to make sense of it all. So having a consolidated, easy to use, easy to deploy platform that analysts can get behind so they can manage the security of the infrastructure is pretty tough to do."
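As an added illustration (not THR's own code or tooling) of the log aggregation and manual correlation Mehring describes, the script below stitches constructed events from three siloed tools, a mail gateway, an endpoint agent and a DLP sensor, into one per-incident timeline laid out along the kill-chain profile from the article (phishing injection, persistent foothold, horizontal movement, exfiltration). All hostnames, users, addresses and log formats are invented.

```python
import re
from collections import defaultdict

# Constructed sample events from three siloed tools, each in its own format.
# Hosts, users and addresses are invented for this example.
MAIL_LOG = ["2015-11-02T08:01:10 mailgw verdict=phish_link user=jdoe host=WS-0412"]
EDR_LOG = [
    "2015-11-02T08:03:44 edr host=WS-0412 event=new_persistence key=Run value=updater.exe",
    "2015-11-02T08:09:02 edr host=WS-0412 event=lateral_auth dest=DB-SRV-07 user=jdoe",
    "2015-11-02T09:15:30 edr host=WS-0199 event=new_persistence key=Run value=sync.exe",
]
DLP_LOG = ["2015-11-02T08:20:15 dlp host=DB-SRV-07 event=large_upload bytes=734000000 dest=203.0.113.9"]

def parse(line):
    """Split one 'timestamp source k=v ...' line into a dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields.update(ts=ts, source=source)
    return fields

def stage_of(ev):
    """Map a tool-specific event onto a kill-chain stage from the profile, or None."""
    if ev["source"] == "mailgw" and ev.get("verdict") == "phish_link":
        return "injection"          # the first injection point: a phishing campaign
    if ev["source"] == "edr":
        return {"new_persistence": "foothold", "lateral_auth": "lateral"}.get(ev.get("event"))
    if ev["source"] == "dlp" and ev.get("event") == "large_upload":
        return "exfiltration"       # the liftoff the DLP platform is meant to catch
    return None

def correlate(*logs):
    """Stitch events into per-incident timelines keyed by the first host seen.
    A lateral_auth event attributes its destination host to the same incident,
    so later events there land in the attacker's chain (merging chains is omitted)."""
    incident_of, timelines = {}, defaultdict(list)
    events = sorted((parse(l) for log in logs for l in log), key=lambda e: e["ts"])
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        key = incident_of.setdefault(ev["host"], ev["host"])
        if stage == "lateral":
            incident_of[ev["dest"]] = key
        timelines[key].append((ev["ts"], stage, ev["host"], ev["source"]))
    return timelines

def escalate(timelines, min_stages=2):
    """Incidents that progressed through at least min_stages distinct stages."""
    return {k: t for k, t in timelines.items() if len({s for _, s, _, _ in t}) >= min_stages}
```

Running `escalate(correlate(MAIL_LOG, EDR_LOG, DLP_LOG))` surfaces only the chain that crossed from the phished workstation to the database server, while the lone persistence event on the second workstation stays below the threshold.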
Mehring hopes to see advancements and improvements in analytics tools in the near future -- especially a move toward a more holistic threat awareness.
At the moment, he says, "we're dealing with a security space that is heavily siloed; even the vendors that have a portfolio of security products, they aren't necessarily well-integrated."
That makes it exceedingly difficult to get a common operational view of an organization's security posture.
"We're still creating separate views in our architectures, in our analytics platforms, to detect bad behavior. In the protection schemes and the detection schemes, we're still seeing a lot of point solutions that make it difficult for us to effectively detect and respond," he says.
"What I would like to see is a much more tightly integrated platform that ties together not only our generalized security event management data but also that integrates much more tightly with a common view of behavioral data."