http://healthitsecurity.com/2014/04/01/umc-health-system-security-officer-discusses-user-awareness/
By Patrick Ouellette
Health IT Security
April 1, 2014
With 14 years under his belt working with government entities in IT
security, Phil Alexander, Information Security Officer at University
Medical Center (UMC) Health System, certainly has a unique outlook on IT
security in the healthcare sector.
Based on those experiences at the federal level and his one year at UMC,
Alexander talked with HealthITSecurity.com about his current focuses and
where he thinks healthcare IT security is headed. UMC Health System, which
includes all its clinics in the local area, is the major regional
provider in the West Texas area, so Alexander has a lot to keep track of.
What are you concentrating on security-wise at UMC at the moment?
When I got here, we were doing the typical basic cybersecurity and
information assurance, nothing out of the ordinary. So I split my team
into two: one dedicated to beefing up information assurance and the other
being our computer security incident response team (CSIRT).
The CSIRT team does a lot of traffic monitoring, packet analysis and
forensics. And then on the other side of the house we’re increasing user
awareness training this year. I have a different philosophy on security
awareness -- I know there’s been a lot of discussion on the subject and
there have been two philosophies. There’s one that argues organizations
will never teach the end user anything and the other that says it’s a
must-have. The pendulum kind of swings back and forth on the topic, but I
think we’ve made a mistake over the past 20-30 years in IT in that
organizations have told users that the organization, not the users, will
take care of security. That worked back in the mainframe days of the 1970s
and 1980s where your information at work wasn’t available to you at home.
That doesn’t work anymore because work and home devices now look very
similar to each other, so we’ve never really taught some of those users
proper security.
[...]