One CIO's call to action
As Tim Zoph sees it, it’s decision time for patient data security -- a defining moment for "one of the issues of our time in healthcare," that demands healthcare leaders everywhere step up.
Zoph, CIO of Northwestern Memorial Hospital in Chicago since 1993 and a CHIME/HIMSS CIO of the Year, headlined the Healthcare IT News and HIMSS Media Privacy & Security Forum Dec. 12 in Boston.
He drew analogies to New York City hospitals during Superstorm Sandy, and he brought cardiologist and geneticist Eric Topol, author Jim Collins (Good to Great, How the Mighty Fall) and the popular television series Homeland to bear on his call for leadership.
As Sandy pounded Manhattan Oct. 29, two hospitals – NYU and Bellevue – had to reverse their decision to shelter in place, and instead had to evacuate patients.
"The biggest question for these institutions at the time was, ‘are we prepared to go," Zoph said.
“Are our patients confident in our ability to manage their healthcare information for them?” he asked the audience. “The perils are there. It’s time to take stock of do we stay or do we go.”
In the Homeland episode "Broken Hearts," the character Nicholas Brody kills his political nemesis by hacking into his pacemaker. It’s just a TV show, but Zoph found the scenario plausible for comfort.
“Fact or fiction?” he asked holding up a black box – a wireless transmitter used to give instructions to pacemakers. "What do you think?"
"The health benefit of these (pacemakers) are significant," Zoph said, “but the fact is they’re not secure. We’re starting to attach them to electronic health records, and they’re not secure. We’re not doing it with security in mind."
Even as technology and mobility offer more promise than ever before, they also pose additional dangers.
[See also: Biggest data breaches of 2012.]
“The most natural device in healthcare is one that’s mobile and always on,” Zoph said, referencing Topol. “We’ve always wanted to do it this way. As patients now have mobile devices they are being empowered to do a lot of things – they are now empowered to make decisions about their health.”
At Northwestern Memorial, Zoph counted 300 connected devices in 2009. Today there are 2,500. With new buildings in the works, everything will be mobile, everything will be connected, he said. For all the advantages that brings, there is the threat of more security risks.
It is why healthcare leaders must begin now to build a culture of security, he urged, and it has to be a team sport. It can’t be relegated to the security department or the technology team.
“We’re better off together than we are separate," said Zoph. "This is a case where we need more defense because the offense is ramping up. We have to infuse our culture in others that work with us,” he said. “We have to have a sense of urgency about it.”
He urged the audience to look at the governance at their institutions and examine the risks that technology brings.
At Northwestern Memorial, he said, audit, legal, nursing and others weigh in on technology buys. “We look at the total risk of technology together. The institution gets a full view of its risk - all the way up to the board. I implore you on this discipline, especially.”
Standards are critical to security, he added. Northwestern Memorial employs the HITRUST framework.
[See also: Scant progress on breaches since HITECH.]
“We’re a believer in standards,” Zoph said. “More than just having a toolkit, it gives you common language. We use it."
“I’m an optimist,” he told the audience. “I believe we will solve this because we have to.”
He circled back to Sandy.
“Do we stay or do we go?” he asked. “Let’s all agree to stay.”