Tuesday, March 24, 2015

Health IT security more than HIPAA compliance

With the recent Anthem security breach, healthcare information security has once again taken center stage. With Congress scrutinizing HIE security plans, PARCA eNews talked with Cris V. Ewell, PhD, the Chief Information Security Officer at Seattle Children’s, about security. Seattle Children’s is a not-for-profit pediatric hospital, academic medical center, and research institute. Dr. Ewell has full strategic and operational oversight for building and managing the information security framework, teams, programs, and policies. He is a frequent speaker at healthcare industry privacy and information security forums and events, and will be speaking at HIMSS 2015 later this month. He serves as a professor and guest lecturer at several universities, and conducts research on information security risk management. Recently, Dr. Ewell was recognized by the Healthcare Info Security organization as one of the top 10 leaders who are playing a significant role in shaping the way healthcare organizations approach information security and privacy.

Are CIOs and CISOs re-examining their security measures after the Anthem breach?
Any of the breaches that are out there are a reminder that this is a real threat to covered entities within the healthcare organization and you need to be diligent in your information security practices. We have not reexamined our controls specific to the Anthem breach. We look at our controls annually and address concerns as part of our robust information security practice and program. But this breach serves as a reminder for the board and executives that this is why we do these things, why we work to the best of our ability to continually prevent any type of unauthorized access to, use of, or disclosure of our data.

What actions do you take when one of these breaches occurs?
I report directly to a board-level committee, so when I meet with them, I always review the top threats that are out there. Anytime we have a healthcare breach of this nature, they get my synopsis of what happened and what we know about it, and ask whether we are doing the right things.

Anthem refused to let the OIG do an audit. Is that unusual, and where do you stand on that?
Well, I think that information is still coming out on what exactly was requested and what happened. But certainly if HHS, the Department of Health or OIG comes in and says we need to do something for them, we will evaluate that request, and certainly I want to work with all our government agencies as best we can.
[Figure: Top 5 Healthcare security breaches. Courtesy: Healthcare Info Security]

Is that an unusual request?
To do an investigation? No, that is very common, but I don't know if [the request] was related to investigating this breach, because all breaches have to be reported to HHS. If there is an investigation, OCR (Office for Civil Rights) will contact the organization and complete the audit. So for this particular request, I'm not quite sure; the detailed information on what was requested is not out yet.

What more can be done to protect against this type of breach?
Institutions have to be diligent. They need to have a robust information security strategy and program. It is not just a compliance program, it is the whole thing of how we look at our institution and the risks that are out there and what can we do to help reduce that risk. You are never going to eliminate the risk. I operate at Seattle Children's under the assumption of breach. I presume the adversary will always be able to get in. I am always asking, ‘What practices can I put in place to help minimize the impact of a breach if it were to happen?’ You can only do so many preventative controls, you can only add so many technical solutions and do so much training. You have to be very robust in your detection mechanisms and monitoring of the environment, then when a breach happens your response can be immediate and minimize the impact. Everything has to be put in balance.

Are there any innovative or extraordinary tactics that you use at Children’s that might not yet be an industry-wide practice?
We have implemented the following strategies to help address the advanced threats to our institution:

  • Adoption of a risk management framework, 
  • Completion and maintenance of an asset profiling and inventory listing, 
  • Prioritization of assets and related mitigation efforts, 
  • Implementation of clearly defined roles and communication plans, and 
  • Implementation of an aggressive risk transfer strategy.

How do you balance security needs with the need for patient and physician access to the information they need?
It is a balance. We're here to treat our patients, to prevent disease and do research. We have to allow people to use information. Again, our entire program is based on risk, and how to reduce that to an acceptable level within the organization. You're never going to reduce it to zero. So we discuss that with our business leaders and ask if this activity is worth doing. If it is, then we determine the best controls to implement it in the least risky manner.

What are some of the significant challenges in the next six to 12 months?
I think we continue to have outside threats. Our adversaries, whether they are "nation state," "organized crime," or individuals, want access to our data. As you have more and more data outside of your environment, due to things like HIE, patient portals, ACOs and agreements where you are having to share data, our adversaries are going to be looking at how they can gain access to that data. That is a significant threat. We need to determine how we can be better stewards of the data, as well as be better at monitoring access to the data, as well as determining the controls that need to be put into place to minimize the risk.

I also think that all third-party contracts, including vendors and business associates, that potentially have internal access to our systems or are hosting data for us, are a concern. You have to continue looking at your contracts and Business Associate Agreements, and determine what type of independent verification you need to do to verify the external controls. Making sure third-party vendors have adequate security precautions in place is a concern.

The last one of the top three that is out there is the ‘ever presence’ of data and how we get it into the hands of the people who need to have that data. From a technical standpoint, the challenge is how to protect it, and as more and more of the environment becomes mobile, how do we ensure that all the controls are in place to protect that data whether those devices are lost or stolen.

Are you actively involved in the contracting process then to ensure vendors have the necessary controls?
Absolutely. I'm very active with our legal contract process. Our general and associate counsel and I will get together for contract review for anything that deals with electronic data, to determine what adequate controls are in place and what type of independent verification are we going to require.

As part of the Seattle Cancer Care Alliance, is data sharing a concern?
We have lots of data sharing, from imaging to, you name it, we probably share it. Through our partners, such as the University of Washington, Fred Hutchinson Cancer Research Center, Seattle Cancer Care Alliance as well as other outside providers, we definitely have a very robust data sharing process, and it is just a matter of continually understanding what the connections are, what the risks are, and knowing whether we are pushing or pulling data. We definitely try to keep on top of that and understand where all the data entry points are to our organization.

Who do you work with to establish a security culture throughout your organization?
Yes, this is a people problem. It is not a technology problem; you can't solve it with technology. It is a constant effort to keep this as a priority and on people's minds. It is not our highest priority, patient care is our highest priority, but we need to be ever vigilant in what we do and in how we protect our patients' data as well as our intellectual property and donor information. Because of all of this information, we do have a lot of methods. We have a campaign right now aimed at protecting PHI (patient health information) and patient charts, so we do different initiatives throughout the year to remind people. We work with leadership, we work with nursing staff, patient education, and the staff education department. We use many avenues to keep that information in mind as the employees do their daily rounding or other activities.

Then we do lots of auditing. We do walk-arounds throughout the hospital to see that things are actually happening the way they are supposed to.

Information security and HIPAA compliance are tough to do. I really try to stay away from just a compliance program. You have to have a strategy for the entire institution for how you want to reduce risk. Focusing only on compliance is not security. I still see organizations that say they have a HIPAA compliance program, but that just is not enough. With our adversaries, as smart as they are, as well-funded as they are, that is not enough any longer as more and more data is electronic and more and more of it is hosted outside your organization.
