Intermountain Healthcare's Cybersecurity Challenge
- Growing use of vulnerable, complex medical technologies, mobile devices and medical diagnostic devices with IP addresses
- Escalating healthcare focus by cybercriminals, partially due to increased black-market value of patient medical records
- Evolving regulations carrying both legal and financial penalties
- Data classification, identification, encryption and enclaving
- Audit preparedness
- Revised security policies, procedures, guidelines and training
- An innovative scalable, self-healing, controlled and managed network infrastructure design that protects data, applications and systems
- Greater resiliency and security to protect patients and thwart current and emerging cyberthreats
- Creative information security awareness, training content and delivery
Surveys show that most health organizations have suffered some kind of data breach or security incident. For example, Ponemon Institute’s Third Annual Study on Patient Privacy reveals 94% of the healthcare organizations it interviewed reported at least one data breach in the past two years, and 45% said they had more than five breaches during that time. With risks continuing to escalate, some organizations are taking a proactive approach, working to better protect patients’ data and fortify their systems before an attack or theft occurs. One organization keen on building greater resiliency and security is Intermountain Healthcare, a health system repeatedly honored for excellence and innovation both in healthcare and its use of technology. Last year, DXC began working with Intermountain to help strengthen its security. Along the way, the team has applied innovative approaches to better secure Intermountain’s network of systems and data.
Managing risk with innovation
Cybercriminals’ increased focus on healthcare data compounds that challenge. Intermountain wanted to ensure that it was reducing the risk to its organization and staying current with the latest security controls. “The dynamic has changed substantially,” says Ashif Jiwani, DXC Global Cybersecurity partner, Healthcare. “A year ago, the financial services industry was attacked from everywhere in the world; now the healthcare industry has become the easiest target for commercial hackers.” For cybercriminals, stealing identities from sick people is fairly easy, since patients are focused on getting well and often let other responsibilities slip, such as checking that their identities haven’t been stolen. Healthcare records, which contain megabytes of valuable personal data ranging from Social Security numbers to blood types, have also become more valuable than simple credit card numbers, which financial industries have worked hard to protect with antifraud capabilities.
An issue of reputation and regulation
“Until a breach occurs, security usually tends to be an afterthought,” says Jiwani. “Intermountain has decided that’s not where it wants to be. The system has made security a priority because it feels that the protection of its patients’ information and privacy as well as its reputation is as important as any of its other prime strategies.” State and federal regulators also have strong feelings about securing patient data and have set penalties, both penal and financial, for noncompliance and breaches. For example, under the U.S. Health Information Technology for Economic and Clinical Health Act, hospitals and other organizations can be fined up to $1.5 million per year for serious security incidents. Corporate officers can also go to jail for negligence.
Segmenting networks and data encryption
A key area where DXC and Intermountain have teamed to set new benchmarks in the healthcare industry is a network approach that classifies data, encrypts data at rest and in transit, and then segments, or enclaves, data and systems — an approach that simultaneously protects data if stolen and protects data from being stolen. This approach, which DXC mainly uses in its public sector work, is a first for the healthcare industry, says Jiwani. “Few organizations have looked at developing a strategy where they can encrypt and enclave their enterprise storage networks,” he says. “We essentially took defense-level security and applied it to healthcare.” Under DXC’s security work with Intermountain, DXC is helping the healthcare organization apply cutting-edge technologies and equipment from leading vendors that are mapped and embedded into these network design solutions.*
*This success story was originally written by CSC, which has become DXC Technology as of April 2017.