
How Kaiser does privacy and security

'Compliance is everyone's job'
By Erin McCann, Managing Editor

Kaiser Permanente’s Jim Doggett knows a little something about privacy and security risk management.

As chief security officer and chief technology risk officer of the 38-hospital health system, Doggett and his 300-person team oversee the security of some 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. All told, the team is charged with safeguarding the health information of more than 9 million Kaiser members. It’s one seriously tall order, but they make it happen.

Doggett, who will deliver the opening keynote address at the HIMSS Media & Healthcare IT News Privacy and Security Forum June 16-17 in San Diego, said a position involving this kind of scale “calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente.”

We caught up with Doggett to hear more about his upcoming keynote, best practices and how Kaiser Permanente tackles the multifaceted and oft-uphill nature of privacy and security in the digital age.

Q: What will you be speaking about as the keynote speaker for the HIMSS & Healthcare IT News Privacy & Security Forum?

A: I’ll be providing a state of the health IT industry and discussing the need for trusted technology. Companies no longer have the luxury of time to adapt to new and changing technology risks. Everything about a given organization’s technology portfolio is in a near or constant state of change – technologies change, member requirements change, usage changes and the threat landscape changes. Fortunately, there are ways to mitigate the risks these changes pose. Risk management can help an organization identify, prioritize and manage the issues and risks they face, addressing those that are most important to the organization.

I’ll also discuss how to maneuver in the delicate balancing act of protecting an organization's technology footprint, as well as the role risk management plays in defining the future of healthcare. This includes things like how to approach technology risk management and align to the business; how to stay ahead of the technology adoption curve; and how to update your technology risk model with an eye toward the future.

Q: What is Kaiser Permanente's encryption policy? Encryption obviously is a safe harbor for the HIPAA breach notification requirements. Why do you think it proves so difficult for healthcare entities to encrypt mobile and portable devices?

A: Kaiser Permanente encrypts data on endpoint devices (e.g., PCs, tablets, smartphones, removable devices), as well as sensitive data in transit. Encryption can be a challenge for many industries not necessarily because of the cost, but because the quantity of data is huge.

For healthcare companies we have a unique challenge because the nature of electronic health records is complex, with patients’ privacy and data security being the paramount concern. The focus is not just on protecting the data, but also on the impact to electronic health records and patient care. We are always looking at security from the consumer perspective, and this is when we can best meet the business need.

Q: Before you transitioned into healthcare, you came from the finance industry. What were some of the big surprises when you made the transition into healthcare, an industry generally considered significantly less sophisticated in terms of security protections and policies? What is the biggest lesson the finance industry can teach healthcare in that regard?

A: I joined Kaiser Permanente two and a half years ago after spending more than 20 years in the financial services and banking industry on Wall Street. I had to learn a whole new way of looking at technology. The principles are the same, but the stakes are different – much higher – protecting member and patient data is critical.

In addition, various regulations have just begun to hit the healthcare industry, so from a regulatory perspective the healthcare industry is not as mature as the financial services industry. This presents a unique set of challenges and opportunities when it comes to protecting patient health information.

Q: It seems so simple and straightforward: Healthcare security is not just about getting the latest computers and technology. The policies and compliance culture also prove integral, but these are often underemphasized by healthcare entities. Talk about how Kaiser fosters a culture of compliance in regards to privacy and security.

A: At Kaiser Permanente, compliance is everyone's job. Our code of conduct, compliance policies and compliance training curriculum make this expectation clear, and it is the foundation of Kaiser Permanente's compliance culture. Through these and other initiatives, we promote a culture of compliance that emphasizes the importance of maintaining the privacy and security of our members’ information and an environment where individuals can feel safe to raise compliance concerns.

Q: Kaiser Permanente has reported a few HIPAA breaches in recent years, not unlike the majority of healthcare organizations. What is Kaiser Permanente’s process of responding to a threat or breach?

A: Kaiser Permanente is committed to safeguarding member and patient protected health information. Our first and foremost priority is the protection of member data by stopping any threat or breach.

After containing the issue, we then perform analysis to determine the root cause, add security measures to ensure it doesn’t happen again, and inform those that need to be informed.

In addition, we have a comprehensive risk and security strategy that includes policies; mandatory annual training of all staff and physicians; ongoing education via communication channels such as websites; as well as advanced surveillance and security monitoring mechanisms.

Q: Regarding your work, what keeps you up at night? What’s top of mind for you right now?

A: Because the industry and government regulators have not developed criteria to secure connected clinical devices, the proliferation of these clinical devices connecting to hospital networks is an area that every healthcare provider must be assessing. Securing and monitoring these connected clinical devices and associated bio-device networks is critical. As with most companies today, the threat of advanced persistent threats and organized crime is also top of mind.

Q: Lastly, how do you connect the clinical end with the compliance side of things? For instance, how do you get staff and employees on the same page with privacy and security?

A: Today, many healthcare providers use electronic medical records, which allow the industry to take a much more proactive approach to monitoring security and privacy. For example, most electronic medical record systems include the ability to monitor appropriate or inappropriate access to specific patient records, which is a benefit we never had with paper medical records.

Key to compliance is training, training, training, and then more training. Just as critical to protecting our electronic medical records is privacy and security education and training for employees. Employees must understand their role in protecting sensitive data.
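The record-access monitoring Doggett describes, where an electronic medical record system can distinguish appropriate from inappropriate access to a specific patient's chart, is shown below as an added, illustrative example. It is not code from the article, Kaiser Permanente, or any EMR vendor. The audit-log format, the field names, the care-team assignments and the "break-glass" flag are all constructed assumptions: a real EMR exports its own audit trail, and the treatment relationship would come from the scheduling or admission system rather than a hard-coded dictionary.

```python
"""Illustrative review of an EMR access audit log (added example).

Flags chart accesses by users who have no documented treatment
relationship with the patient, and separately surfaces emergency
("break-glass") accesses so that their justification can be checked.
Log format, users, patients and care teams are all constructed here.
"""
import csv
import io
from collections import Counter, namedtuple

# Constructed sample audit log; the column layout is a hypothetical one.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,break_glass
2015-06-01T08:02:11,nurse_a,RN,P1001,view,no
2015-06-01T08:05:47,dr_b,MD,P1001,view,no
2015-06-01T08:09:30,clerk_c,CLERK,P2002,view,no
2015-06-01T08:15:02,dr_b,MD,P3003,view,yes
2015-06-01T08:20:19,nurse_a,RN,P3003,view,no
2015-06-01T08:22:05,nurse_a,RN,P4004,print,no
"""

# Constructed treatment relationships: patient -> users assigned to that
# patient's care. In practice this comes from the admission/scheduling system.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b"},
    "P2002": {"clerk_c"},
    "P3003": {"dr_d"},
    "P4004": {"nurse_a"},
}

Finding = namedtuple("Finding", "timestamp user patient_id action reason")


def parse_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(events, care_team):
    """Return a Finding for every access that needs a privacy officer's eye.

    An access is clean only when the user is on the patient's care team.
    Break-glass accesses are legitimate in emergencies but must always be
    reviewed; every other out-of-team access is flagged outright.
    """
    findings = []
    for e in events:
        assigned = care_team.get(e["patient_id"], set())
        if e["user"] in assigned:
            continue  # documented treatment relationship: appropriate access
        if e["break_glass"].lower() == "yes":
            reason = "break-glass access: verify documented justification"
        else:
            reason = "no treatment relationship on record"
        findings.append(
            Finding(e["timestamp"], e["user"], e["patient_id"], e["action"], reason)
        )
    return findings


def summarize(findings):
    """Count findings per user so repeat offenders stand out in review."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in review_access(events, CARE_TEAM):
        print(f"{f.timestamp} {f.user} -> {f.patient_id} ({f.action}): {f.reason}")
    print(summarize(review_access(events, CARE_TEAM)))
```

Run against the constructed log, the review flags two of the six events: the physician's break-glass view of P3003 (to be matched against a written justification) and the nurse's view of P3003 with no relationship at all. The point of the per-user summary is the same one Doggett makes about paper records: with an electronic audit trail, a pattern of curiosity-driven lookups becomes visible and trainable, rather than invisible.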