
Security tips from the health IT pros

'A CIO has limited authority but infinite accountability.'
By Erin McCann, Managing Editor
As anyone who's ever worked in IT security can attest, the job is no walk in the park. New threats, compliance mandates, vulnerabilities and updates are constant. But with strong leadership, and a culture of compliance and responsibility to match, many healthcare organizations have shown it can be done right -- and well.
 
Beth Israel Deaconess Medical Center's Chief Information Officer John Halamka, MD, said that for this kind of career, it's a matter of first understanding that "a CIO has limited authority but infinite accountability." You have to ask, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'What you have done is reasonable?'" he said.
 
 
This involves thinking about how to encrypt every device and how to protect the data center from both internal and external attacks.

"Much of what I have to do is meet with my business owners and ask, 'What are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks?' We're never going to be perfect," he added. "But we can put in place what I call a 'multilayer defense.'"

 
Another fundamental piece to doing privacy and security right? No surprise here: Get your risk analysis done – and done properly.

"This is the single most important document as part of the OCR investigation," said Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy. "(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk."

 
This includes showing the safeguards your organization has put in place from technical, physical and administrative standpoints, explained Sessions. Things such as staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter. 
 
Time to encrypt
 
"Encrypt; encrypt; encrypt," said Sessions. It's a safe harbor for the HIPAA breach notification requirements, but that still fails to motivate some. 
 
 
"(Physical theft and loss) is the biggest hands down problem in healthcare that we are seeing," said Suzanne Widup, senior analyst on the Verizon RISK team, discussing the 2014 annual Verizon breach report released in April. "It really surprises me that this is still such a big problem ... other industries seem to have gotten this fairly clearly."
 
According to OCR data, theft and loss of unencrypted laptops and devices account for the lion's share of HIPAA privacy and security breaches, nearing 60 percent. (Hacking accounts for some 7 percent, and unauthorized disclosure accounts for 16 percent.)
 
"Pay attention to encryption, for any devices that can leave the office," said former OCR deputy director for health information privacy Susan McAndrew at HIMSS14 this past February.
 
Of course, the healthcare breach numbers are going to be slightly higher because the federal government has mandated specific HIPAA privacy and security breach notification requirements for organizations, but that has no bearing on the reality that these organizations still fail to implement basic encryption practices, Widup pointed out. 
 
Sessions conceded that it is a pricing concern. "At a time where reimbursements are going down and technology costs are going up with the advent of the electronic health record, there are competing priorities within a healthcare organization of where they can spend their money."
 
A 2011 Ponemon Institute report estimated full disk encryption costs to be around $232 per user, per year, on average, a number representing the total cost of ownership. And that number could go as high as $399 per user, per year, the data suggest.
 
Kaiser Permanente Chief Security Officer and Technology Risk Officer Jim Doggett, however, said encryption presents a challenge not only because of costs but also because of the data itself. "The quantity of data is huge," he told Healthcare IT News.
 
The 38-hospital health system encrypts data on endpoint devices in addition to sensitive data in transit, said Doggett, who currently leads a 300-person technology risk management team, in charge of 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. And don't forget the health data of some 9 million Kaiser members Doggett and his team are responsible for.

"This kind of scale presents unique challenges, and calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente," he added. 

Encryption is also deployed enterprise-wide by the folks at Mayo Clinic. In addition to encrypting Mayo-issued laptops, tablets, flash drives and the like, any outgoing email that contains protected health information must be encrypted unless it is going to a Mayo.edu address, said Barbara McCarthy, health information management services and privacy officer of Mayo Clinic in Florida.
 
Mayo also has a data loss protection application, McCarthy pointed out, which monitors outgoing emails and screens them for certain characteristics indicating disclosure of protected health information. If a disclosure occurs, a Mayo enterprise compliance officer addresses the issue in a direct email to the particular user who sent the information. The site privacy officer is copied along with other key stakeholders. "It's a tough email that goes out," said McCarthy, essentially saying, "Get it back, and don't do it again."
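The two controls described above (PHI may leave the organization's own mail domain only in an encrypted message, and a violation triggers a notice to the sender with the privacy officer copied) can be expressed as a small outbound-mail screening routine. The Python below is an added illustration, not Mayo Clinic's DLP product or code, and the mail domain, mailboxes, PHI indicator patterns and sample messages are all constructed placeholders; the pattern set is deliberately simple, since the point is the decision logic rather than detection quality.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List

# Constructed placeholders: the organization's own mail domain and the
# mailbox that is copied on every violation notice.
INTERNAL_DOMAIN = "hospital.example"
PRIVACY_OFFICER = "privacy-officer@hospital.example"

# Illustrative PHI indicators. A production DLP engine uses far richer
# detection (dictionaries, document fingerprints, classifiers); these
# regexes only exist to drive the screening logic below.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10)\b", re.IGNORECASE),
}


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False  # True when the gateway will encrypt the message


@dataclass
class Finding:
    sender: str
    external_recipients: List[str]
    indicators: List[str]
    action: str  # "allow" or "block_and_notify"


def recipient_domain(address: str) -> str:
    """Lower-cased domain of an address such as 'Dr X <x@y.example>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def external_recipients(msg: OutboundMessage) -> List[str]:
    """Bare addresses of recipients outside the organization's own domain."""
    return [parseaddr(r)[1] for r in msg.recipients
            if recipient_domain(r) != INTERNAL_DOMAIN]


def phi_indicators(text: str) -> List[str]:
    """Names of the PHI patterns that match anywhere in the text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def screen_message(msg: OutboundMessage) -> Finding:
    """Policy: PHI may leave the domain only inside an encrypted message."""
    external = external_recipients(msg)
    indicators = phi_indicators(msg.subject + "\n" + msg.body)
    violates = bool(external) and bool(indicators) and not msg.encrypted
    return Finding(msg.sender, external, indicators,
                   "block_and_notify" if violates else "allow")


def compliance_notice(finding: Finding) -> str:
    """The notice to the offending user, with the privacy officer copied."""
    return (
        f"To: {finding.sender}\nCc: {PRIVACY_OFFICER}\n"
        f"Subject: Unencrypted PHI sent to {', '.join(finding.external_recipients)}\n\n"
        f"Indicators detected: {', '.join(finding.indicators)}.\n"
        "Recall the message and do not send PHI outside the organization unencrypted."
    )


def screen_outbox(messages: List[OutboundMessage]) -> List[Finding]:
    """Screen a batch and return only the messages that need follow-up."""
    return [f for f in (screen_message(m) for m in messages) if f.action != "allow"]


# Constructed sample traffic: no real patients, addresses or identifiers.
SAMPLE_OUTBOX = [
    OutboundMessage("nurse.a@hospital.example", ["dr.b@hospital.example"],
                    "Bed 4 handover", "MRN: 00456789, see chart for overnight notes."),
    OutboundMessage("dr.b@hospital.example", ["Dr Smith <dr.smith@referral-clinic.example>"],
                    "Referral", "MRN 00456789, DOB 03/14/1962, diagnosed with atrial fibrillation."),
    OutboundMessage("billing@hospital.example", ["claims@insurer.example"],
                    "Claim", "Patient SSN 123-45-6789 attached to claim form.", encrypted=True),
    OutboundMessage("it@hospital.example", ["vendor@supplier.example"],
                    "Quote request", "Please send pricing for 50 laptop cable locks."),
]

if __name__ == "__main__":
    for finding in screen_outbox(SAMPLE_OUTBOX):
        print(compliance_notice(finding))
        print("-" * 40)
```

Only the second sample message is flagged: it carries PHI, is addressed outside the domain, and is not encrypted. The internal handover and the encrypted claim both pass, which mirrors the rule as stated: the control is on where PHI goes and how, not on whether staff may mention it at all.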

Employee education

 
As Mayo Clinic's Mark Parkulo, MD, added: sure, encryption is huge and very much necessary, but an organization also has to concern itself with the policies and procedures portion of privacy and security – the employee education piece of the puzzle.

"Some of it is a real education issue," said Parkulo, vice chair of Mayo Clinic's Meaningful Use Coordinating Group, in an interview with Healthcare IT News. "A number of providers and other people don't understand that typical unencrypted email; you're not even sure exactly what locations it's going to, whether it could be intercepted or not."

 
These realities mean Mayo has to host "a lot" of education for providers throughout the year. 
 
In terms of what this education looks like, Parkulo said first Mayo has standard education for employee orientation. On top of that, "then we try to get out multiple times per year, especially if there are issues through email, through grand rounds, through our websites." Sometimes even through the CEO of Mayo Clinic. "We try to get to people as many ways as possible."
 
As McCarthy explained, Mayo has launched an effort at the enterprise level to converge on its HIPAA policy. "This is an all-out effort to get everything standardized across the enterprise with site-specific procedures," she said. "It's really been a great opportunity to refresh folks on what's really been in place."
 
Kaiser's Doggett agreed: getting to all those people is the important thing. "Compliance is everyone's job," he said. "Our code of conduct, compliance policies, and compliance training curriculum make this expectation clear."
 
But be sure to go beyond the mere policies, Sessions cautioned. Healthcare "probably has more policies than they know what to do with," she said. "As far as the written policy, that's great. Connecting to the end users particularly on the security side I think is more difficult."
 
On top of the privacy piece of the puzzle, there's also the security standpoint to consider – and it's far from one-dimensional. 
 
Phil Lerner, chief information security officer of Beth Israel Deaconess Medical Center in Boston, said he has many competing priorities. "Continuous monitoring is a large priority of mine, so having a 360-degree view into whatever the technology may be," he told us. Then, there's supply chain security, "always digital forensics, mobile device forensics, incident response."
 
With threats like the recent Heartbleed vulnerability and cyberattacks only on the upswing – some 40 percent of healthcare organizations have reported a criminal data attack this year, according to Ponemon data – security proves absolutely critical for organizations. 
 
"What's newer at least in the few years as part of continuous monitoring is definitely threat feed analysis," added Lerner. 
 
As the experiences of industry professionals have demonstrated, healthcare privacy and information security is not done in a vacuum. Past incidents show us the industry has time and again said, 'Come and trust us with your most personal information, but don't expect us to have a firewall to protect it; don't expect us not to accidentally post it publicly online, to encrypt it, or to monitor employees who are inappropriately accessing the data.'
 
Past cases have illustrated it's not just a matter of professional obligation and responsibility. It's a matter of cost, reputation and the integrity of the patient-provider relationship. IT is waist deep in it all, for better or for worse. Now, here's to the better.