Mayo Clinic CISO: Healthcare data most difficult to keep secure

Healthcare information is harder to protect than financial information, according to Mayo Clinic Chief Information Security Officer Jim Nelms, who previously spent 14 years securing financial information at The World Bank.

Nelms, in an interview with the Wall Street Journal, says healthcare is 10 to 15 years behind other industries in its IT practices. He attributes much of the difficulty to the plethora of medical devices used in hospitals--they make up 40 percent of the technology there--and to doctors sharing information. There's less data-sharing in financial services, he adds.

Mayo Clinic has created a "threat intelligence group" to bolster its security capabilities, and Nelms says each quarter he produces a report for the hospital's board of directors on the risks and exposures Mayo faces. However, he adds that the ever-changing nature of threats means the facility could be in the 90th percentile of thwarting threats one day and in the 40th percentile the next day.

At the same time, he doesn't see new technologies being ready to substantially improve security.

"For the next period of time--I don't know how long--we are going to have to craft and use things that are going to be marginally successful. Information security in the last few years has changed from stopping things from happening to creating regular, positive change in the reduction of risk," he says.

The average total cost of a data breach to a company is $3.8 million, up 23 percent from 2013, the Ponemon Institute recently reported. And criminal attacks on healthcare organizations have increased 125 percent in the past five years and are now the leading cause of healthcare data breaches, it reported previously.

Veterans Affairs CIO Stephen Warren recently talked about the agency's approach to securing medical devices, describing a two-pronged "defense in depth" strategy that involves being clear about who is responsible for securing each device and addressing the human factors that can create vulnerabilities.

To learn more:
- read the article (subscription required)
