HIMSS15: Data security from the inside out a must, says West Virginia United Health's Mark Combs [Q&A]

When it comes to protection of health data at provider organizations, heading off insider threats is a good place to start, according to West Virginia United Health System Assistant CIO Mark Combs.

"I think they're very common," Combs told FierceHealthIT at the Healthcare Information and Management Systems Society's annual conference in Chicago. "To think that you're going to put any sort of program in place that will completely stop them is fooling yourself."

In an exclusive interview, Combs discussed how West Virginia United Health System is mitigating its own data security risks and the importance of cybersecurity to providing exceptional patient care.

FierceHealthIT: What steps have you taken to try to prevent insider risks to data security, and to counter them when events do occur?

Combs: Our first step was taking a hard look at our policies to make sure they aligned with the culture that we wanted to develop at our institution. Then we made sure that procedures we created set clear expectations for the staff. Then we went through and educated the staff. You can't expect people to do something they don't know how to do.

We also put auditing tools in place. We're collecting data from seven different systems right now, soon to be eight, and we're running daily audits across those systems. As issues pop up and arise, we've developed a team that includes folks from human resources, legal, compliance and security, so if something rises to the level of being a little more severe than just snooping, we all come together in a room, sit down and talk about it. We have a pretty well-defined process on how we're going to handle situations like that.

FHIT: How successful have your efforts been?

Combs: The good thing is, it's a successful process because it's repeatable. We can do the same thing every time, and because of that, we've been able to set the expectation in the organization that "if you do X, or you do Y, or this occurs, or that occurs, then this is what's going to happen."

It's been widely accepted and we've gotten a lot of support from leadership all the way from the board level over to the school of medicine. We're an academic medical center and academics are much more open with their information. But we've worked very closely with them and they understand how serious it is to create these kinds of policies.

It's a cyclical process. It's not something you can put in place and forget about. You've got to keep working it.

FHIT: How important is maintaining data security to the patient care process?

Combs: We've tried to tell our employees that ensuring patient privacy and ensuring data security aren't just about getting caught and having something bad happen. It's really about, this is the way we care for patients; this is the right way to care for the patient. You have to look at the person as a whole person. I can put a Band-Aid on a cut, right? So why aren't I doing something to protect that person's information? It's all part of that holistic care.

FHIT: Has there been any backlash from employees about your efforts?

Combs: A group of our employees are unionized, so we have had grievances come back from the union about being unfair to employees who weren't malicious in their breach actions. But because we've been consistent in how we've applied the policy, they really have no leg to stand on. Consistency has really helped to beat some of that back.

Editor's Note: This interview has been condensed for clarity and content.