Texas Health Resources CIO Ed Marx and chief information security officer Ron Mehring circled the boardroom table handing out envelopes.

Within the package that every member of the senior management team received were their passwords, and how long it took Marx and Mehring to figure out that sensitive piece of information -- “which in every case was less than a second,” Marx explained.

“We got their attention and ever since have gotten the resources we need for security,” Marx said.

Reasonably harmless tactic

Texas Health is hardly the only hospital or health network that struggles to convince the CEO, CFO or other board members just how critical funding security initiatives and technologies really is.

When Marx told his story at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston in early September, the trick drew some chuckles for its cleverness, and perhaps for how harmless it was against the backdrop of high-profile security troubles such as the hacker breach of 4.5 million patient records at Community Health Systems or Anonymous attacking Boston Children’s Hospital this spring.

Underfunding security, in fact, is common in healthcare, according to Symantec director of healthcare Nathan Russ, who explained that the industry until recently has been flying “under the radar.”

Among the practices Russ said are frequently overlooked include basics, such as patch management and overall IT asset management, which are increasingly important as federal laws that call for giving patients access to their records, whether via free email accounts, portals or other means, are making security more complex for providers.

Beyond IT

Whereas financial and personnel resources go a long way toward technology and compliance with federal mandates including HIPAA, multiple CIOs and CISOs at the conference agreed that true security requires surpassing mere compliance and it must be systemic to succeed.

“This is not an information technology problem. It’s an enterprise-wide problem,” Seattle Children’s Hospital CISO Cris Ewell said. “We’re going to have to change something to figure out what to do, how we fix this, and where we go from here.” 

Indeed, the message that Ewell, Marx and other CIOs and CISOs delivered at the conference was that providers should be shifting away from security-by-compliance to the savvier approach of understanding your risks so you can manage them accordingly. Without abandoning compliance, of course.

For Ewell that means undertaking an Assumption of Breach methodology, essentially operating as if someone has already managed to break into your IT network.

“We have a really scary concept,” Ewell continued. “What if someone knows our data?”

Down in Texas, someone did: Marx and Mehring.

“That day we went to our senior leaders with their envelopes,” Marx explained, “they were embarrassed but they paid attention and appreciated what we did.”

What have you done to sway the CEO or CFO to allocate enough funding for security? Any tips or tricks that proved especially successful?