Healthcare Independent Health Jeremy Walczak

Transcription

1 Healthcare Independent Health Jeremy Walczak Taking a cue from banks, a health system boosts its information security. That s great news for 400,000 members. 34

2 Independent Health Jeremy Walczak Healthcare Jeremy Walczak Independent Health An information security makeover for Independent Health Produced by Grace Chlosta & Written by Mike Schoch Jeremy Walczak says the brakes on a car aren t just for stopping, they re for letting you accelerate with confidence. His philosophy regarding information security isn t so different strong security measures don t just protect, they let a company aggressively pursue its goals, he says. Walczak is the mechanic tuning up the brakes on Buffalo, New York-based Independent Health, a not-for-profit health plan that brings affordable healthcare to around 400,000 members in the eight counties of western New York. Originally a security architect when he began at Independent Health in 2010, Walczak is now Chief Information Security Officer (CISO). He points out that healthcare has traditionally been slow to adopt state-of-the-art security measures, but he believes that trend has changed and wants to make Independent Health an example. He s adapting security measures from other sectors like manufacturing and financial services, to the world of healthcare, protecting Independent Health and its clients, as well as promoting a more trusting relationship between them.

3 Healthcare Independent Health Jeremy Walczak Shrinking the scope of risk Walczak says it makes sense that the healthcare industry was behind the eight ball on information security for a long time. After all, hackers were said to be after credit card numbers, not medical records. He adds that the signing of the Affordable Care Act as well as the growth of online insurance distributors, have encouraged consumers to make more online credit card transactions for healthcare. More pervasive and dangerous is growing Medicare and Medicaid fraud. Walczak says hackers can steal social security numbers and siphon money through the Medicare system. What s more, Medicare fraud takes longer to discover and shut down than credit card fraud. A social security number is much more difficult to replace than a credit card, he points out. 36

4 Independent Health Jeremy Walczak Healthcare To protect Independent Health s members, Walczak is working toward reducing the frequency with which patient data is accessed by the company s departments, minimizing the opportunity for the data to be intercepted or misdirected. It s an idea he took from his prior experience in manufacturing and financial services, which protect sensitive data by only transmitting them when absolutely necessary and using fake data for all other tests and internal reviews. Similarly, Walczak proposes using dummy data rather than the real thing when, for example, the quality assurance or development team needs to use data to test their systems. The fewer places you process sensitive information, the more you reduce the footprint that you have to secure, he says. WINTER 2018 EDITION II 37

5 Healthcare Independent Health Jeremy Walczak Digital defensive linemen In addition to shrinking the scope of data use, Walczak does a lot of what he calls blocking and tackling that is, foundational security measures that prevent attackers from reaching member information in the first place. It is a governance, risk and compliance management platform that Independent Health uses to generate web-based assessment questionnaires. The questionnaires are sent to third-party vendors and help Independent Health detect gaps in their partners information security. Walczak says these measures, which encompass everything from encrypting systems to improving IT architecture, act like guardrails for the big vehicle that is Independent Health. With strong security processes in place, the company can roll out new applications or tech solutions for its members without worrying about hidden vulnerabilities. Based on information collected from the questionnaire, Rsam issues each vendor a risk score, which helps Independent Health see which gaps present the biggest risks and what fixes will remedy those risks most efficiently. The platform also lets Independent Health s Information Security team track all vendor assessments from a single window and helps the team manage those assessments through notifications, reminders and a tracking function. One tool to help set up the guardrail is called Rsam. 38

6 Independent Health Jeremy Walczak Healthcare We have to do that level of due diligence, Walczak says, adding that they incorporate the information they glean into their negotiations on contract terms. The information Walczak s team collects from its questionnaires is also useful for triaging potential sources of risk. Walczak s team identifies these potential vulnerabilities and then tracks efforts to remediate or manage the risk. By streamlining this process, it s easier for the company to learn where their key security risks reside, what security tools or processes to invest in and how to build the case necessary to procure funds to buy them. WINTER 2018 EDITION II 39

7 40 Healthcare Independent Health Jeremy Walczak