Information governance: An interview with Kathy Downing

July 10, 2017

The WannaCry ransomware attacks and the Health Care Industry Cybersecurity Task Force’s report to Congress are highlighting an important security issue within the healthcare industry: cybersecurity is a public health concern that needs immediate and aggressive attention. I recently had the pleasure of speaking with Kathy Downing, Senior Director, Information Governance, Privacy and Security for AHIMA. We had a pretty lengthy conversation about information governance sparked by the WannaCry ransomware attacks that recently plagued the healthcare industry.

What is information governance? Information governance is the set of procedures, processes, policies, and controls an organization implements to manage information on an enterprise level. This helps organizations support immediate and future regulatory legal risk, environmental, and operational requirements. So, basically, a set of policies that ensures that all your organization’s information is being handled correctly. Kathy started out our conversation by expressing the importance of an organization’s awareness.

“As part of an information governance initiative one of the main things we talk about is organization wide awareness and training—about all things information. This includes access, securing information, creation, all the way through responsibilities around destruction. So when it comes to mitigating cyber threats, education is certainly a key part of that,” she said.

Next, Kathy and I discussed education. She said, “It’s education regarding things like: phishing, whaling, spear phishing, and emails. I go out and do a lot of speaking and training on privacy and security. I always ask the group: are any of your organizations doing a fake phishing email regularly to see who clicks on it? At first I didn’t see any hands, now I’m seeing more and more hands go up.” Kathy went on to explain that many organizations are now sending a fake phishing email that comes up with a message saying, “you shouldn’t have clicked this!” to test and train their employees on the importance of staying vigilant.

She went on to say, “Now there are technologies to continue educating and reinforcing things like unsolicited phone calls, social media, or email messages asking about employees or financial information. Even things like information regarding your network or how things are structured and paying attention to a URL of a website—all these things should be part of education. I think when organizations are doing HIPAA training, they only reeducate on the basics, instead of a broader view of responsibilities around information.”

Kathy and I then went on to talk about how there needs to be something done about insider threats regarding access. She explained to me that when EMRs or EHRs were set up in an organization in 1995 or 2005 for example, organizations let users access creep, adding more permissions and access based on a couple of nurses needing this or that. Or an organization hires someone as a registration clerk and eventually they get promoted but the organization doesn’t take away their previous access because they may need to finish up something or do some work until someone else gets hired. She commented, “I think that a lot of organizations need an access audit as a review under an information governance program.”