4 Data Security Best Practices From Mountain States Health Alliance CIO Paul Merrywell

For hospital and health system CIOs across the country, data security is both a top priority and a top concern, according to the findings of a focus group convened by HIMSS.

For Paul Merrywell, CIO of Mountain States Health Alliance in Johnson City, Tenn., data security is also a priority — which is why he's taken significant strides to ensure information throughout the 13-hospital system is protected.

When Mr. Merrywell joined MSHA in 2011, data security practices at the system were "pretty standard," he says. "They had an understanding of their obligation to protect patient records, they were doing a good job educating team members about HIPAA compliance, had firewalls up, all that," he says, similar to many other hospitals at the time.

Since then, however, Mr. Merrywell has dedicated significantly more attention to ensuring data security at MSHA is as good as it can be. "The engineers who put these IT systems in place many years ago may not have thought much about security — they were just trying to make them work," says Mr. Merrywell. "That's why we have to commit to security now and work to deepen our understanding of its requirements."

Below, Mr. Merrywell offers four best practices to hospitals and health systems looking to strengthen their data security.

1. Dedicate resources. "The most important thing we did was to dedicate resources to this," says Mr. Merrywell of MSHA's data security efforts. Having full-time staffers focus solely on security is a large part of the health system's strategy. MSHA both retained a full-time consultant, as well as repurposed several members of the IT team to help improve the system's data security.

Resources should also be set aside during major IT projects to ensure data security standards are being met, says Mr. Merrywell. The implementation of a new IT system is "a massive exercise in change management," he says, and part of that exercise is confirming the cultural and workflow changes maintain appropriate security safeguards. This often involves setting aside additional resources to focus solely on security, he says.  

2. Educate staff. Ongoing employee education on data security best practices is essential to safeguarding information, says Mr. Merrywell. "The employees themselves pose one of the biggest security risks," he says, not because they mean to, but because of the large number of people accessing and using protected information. It's therefore very important to ensure data security is top of mind for employees, he says. "Every member of the IT staff needs to understand expectations around data security," he says.

3. Ensure vendor compliance. One of Mr. Merrywell's current data security projects is reviewing the system's vendor access policy. Like many hospitals and health systems, MSHA has an increasing need to allow third-party vendors to access systems that contain protected information. "So right now, we're trying to get our arms around that, imposing more controls and restrictions on how they can access our systems," he says, so vendor noncompliance does not result in a security event for MSHA.

4. Get help. Mr. Merrywell warns CIOs not to underestimate the task of implementing a comprehensive data security policy. "It's not a simple matter of writing a policy or two," he says, but rather a massive, organization wide project where the CIO could benefit from the advice and experience of others. "Go get educated," he says. "Go get some expertise from your local regional extension center or someone who has done it before so you're not spending time reinventing the wheel."

More Articles on Data Security:

Stolen Laptop Leads to 20-Year FTC Oversight for Accretive Health
Report: HIPAA Hinders Big Data Innovation
AvMed Data Breach Settlement First to Extend Payments to Plaintiffs Who Did Not Suffer Identity Theft

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars