BOSTON—The growing use of electronic personal health information has largely changed the healthcare industry for the better, but ePHI has had one downside, says Mac McMillan, CEO of the consultancy CynergisTek. Since patient data is now electronic, security has become the sole purview of IT departments.
This, McMillan adds, has made it difficult for many healthcare organizations to establish a culture of privacy and security, for several reasons:
- Security is rarely discussed at hospital board meetings, even though every facility has security problems.
- The chief information security officer (CISO) is often buried in the organizational chart, several steps from the CEO.
- Fewer than 50 percent of healthcare IT security professionals have either the credentials or the experience necessary to put together a budget.
- The amount of the IT budget devoted to security is often less than 1 percent at healthcare organizations, compared to 6 to 12 percent in other regulated industries.
More than anything, McMillan says, healthcare's security culture leaves a lot to be desired because leaders don't take security seriously and employees simply follow that example.
BYOD in Healthcare Must Balance Productivity, Mobile Security
McMillan spoke at last week's Privacy & Security Forum. The event focused on several existing and emerging areas of concern for healthcare CIOs.
Mobile security ranks highly among those challenges. Physicians and administrators alike readily embrace the bring-your-own-device (BYOD) phenomenon, as their personal devices easily trump the legacy, wired clients at many hospitals. While institutional responses vary, most CIOs admit that the productivity gains, realized in actions as simple as a physician answering email while waiting in the cafeteria line, provide a nice return on the BYOD investment.
Maine's Franklin Community Health Network, for example, embraced BYOD in large part because it could not afford to buy mobile devices for employees, CIO Ralph Johnson says.
The facility's BYOD policy covers any device that can log onto the guest network—which is not the same network that the folks in the waiting room use—but limits users to email, calendar and portal applications. Users must give IT remote wipe and encryption permissions, and no ePHI can be stored locally, Johnson says.
Children's Hospital Central California has a similar BYOD philosophy—"If you can download the client, then you can use BYOD," Vice President and CIO Kirk Lawson says—though its move to BYOD came in conjunction with an advanced clinical system deployment in 2011. (This also corresponded with an effort to virtualize servers; today, the facility is 85 percent virtualized and has avoided the need to construct another data center.)
Users access the new clinical system via a virtual desktop on their devices. This reduces the risk of local ePHI storage. ePHI is also not allowed in email; in fact, Children's Hospital uses email filters to detect whether personal health information may have inadvertently been shared, Lawson says. IT support is limited to connectivity, he adds; users are responsible for troubleshooting their own devices.
Kaiser Permanente, meanwhile, doesn't allow outside devices, says Jason Zellmer, executive director of technology risk management. The network, which serves 9 million patients, predominantly in California, instead provides employees with Apple devices.
The current policy treats mobile devices like laptops, which are loaded with software and security controls before they're given to Kaiser employees. That said, Zellmer doesn't think the mobile strategy is a long-term one; a lack of robust virtualization technology is what's currently holding Kaiser back.
Cloud Adoption Hindered by Lack of Business Associate Agreements
Lack of technology doesn't prevent healthcare organizations from adopting cloud-based systems. Rather, two CISOs said, it's an unwillingness among cloud service providers to adhere to the security and privacy standards that the healthcare industry requires.
The Health Insurance Portability and Accountability Act of 1996 requires entities covered under the act to sign a HIPAA business associate agreement (BAA) with any organization that handles PHI in its paper or electronic form. Adam Greene, partner with Davis Wright Tremaine LLP and chairman of the HIMSS Cloud Security Workgroup, says federal regulations are clear about the need for Software as a Service firms to sign a BAA but less so when it comes to Infrastructure and Platform as a Service vendors.
Partners HealthCare had a preferred cloud storage vendor, but since it wouldn't sign a BAA, the provider went elsewhere, CISO Jennings Aske says. That process, coupled with other dealings with cloud service providers, taught Aske that transparency is at a premium when it comes to CSPs.
Aske says healthcare CIOs need to know that CSPs are regularly performing penetration, application and PIN tests. "They want to tell me when a breach has happened," he says, "but I want to make that determination [myself]."
Darren Lacey, CISO and director of compliance for Johns Hopkins University and Johns Hopkins Medicine, agrees. His objectives when reviewing a cloud application are to examine its infrastructure and to study how it handles key management. Neither is easy to find out, he says, though he has signed contracts with vendors who agree to put ePHI on encrypted, key-protected storage.
Both CISOs say they evaluate cloud service providers using a mix of standards established by the Cloud Security Alliance and the National Institute of Standards and Technology's NIST Special Publication 800-53. Greene suggests a simple criterion as well: "If they misspell HIPAA, that may be a warning sign."
Risk Assessment Means Showing That You Know—and Care
Uncertainties surrounding cloud security mean that cloud risks must be addressed in a healthcare organization's enterprise risk analysis, Greene says.
Risk analysis (which evaluates threats and vulnerabilities), coupled with risk assessment (which evaluates security controls), is taking on added importance for healthcare CIOs in light of the Office for Civil Rights' HIPAA Audit pilot program, which began in 2011 and is poised to expand as the agency emphasizes ePHI security and data breach prevention.
Risk assessment comes down to ensuring that everyone understands administrative controls such as managing paper records and electronic devices and handling notifications about a possible incident, says Sharon Finney, corporate data security officer for Adventist Health System. Survey department or practice managers about common security risks and develop remediation measures based on how they respond, she adds.
Risk assessment is similar to disaster recovery planning, Finney says, in the sense that you need an established team of technical and compliance liaisons who know what to do. Documentation is important, too; it shows auditors that you take risk seriously, and it eases the process once an audit letter arrives, since the audit process "is not insignificant in the amount of time and resources it takes."
However, it's important to remember that, while risk assessment is a one-time process, assessing risk is a daily task, Finney says. Furthermore, she says, the key to assessing risk is knowing that it's people, processes and technologies that create risk—specifically, the intersection points of the technology that drives people and the business processes they use.
Healthcare Employees Must Take Security, Privacy Seriously
Taking risk seriously means creating a privacy and security culture that's not afraid to challenge traditional ways of thinking, McMillan says.
Take "need to know" policy. McMillan, who spent more than two decades working in government intelligence and security, says "need to know" isn't a matter of trust but, rather, of protecting access to information. There were certain things the employee in the next office didn't need to know, so he didn't know them, and the organization was none the worse for wear. Along those lines, there's no reason for a CEO—or a CIO, for that matter—to be in a data center by himself, McMillan says. If he is, then something's fishy.
Additional legislation, such as 2009's HITECH Act, which beefed up HIPAA, isn't the answer, McMillan contends. Knowing that privacy and security are important will make the difference for an organization. Knowing that remediating a data breach, not including a potential government fine, can cost an organization $3 million—money better spent on improving patient care—should be enough for leadership to take privacy and security seriously, he says.
For too many healthcare organizations, though, it becomes important only after a breach has occurred or a fine has been levied. "Unfortunately, that seems to be the case," McMillan says. "How do we change that mentality?"