Data loss prevention software like having a second set of eyes
Healthcare data security is a multifaceted, ever-shifting challenge – and all it takes is one missed cue for a costly breach to ensue, says Heather Roszkowski, chief information security officer of Fletcher Allen Healthcare.
"With technology changing as quick as it does, it's a constant battle to keep up with it," says Roszkowski, who joined the Burlington, Vt.-based health system following an 11-year career in the Army, where she specialized in information security.
"New viruses come out every day, and you have to be able to respond to them," she says. Human factors are another constant challenge, whether its malicious hackers, nosy staff members or even just overworked clinicians who forget the proper protocols.
No one can be truly omniscient. So these are the things that keep her up at night: "The things I don't know."
After all, says Roszkowski, "The things I know about are on my list, and I have a plan to address them. The things that scare me are the things I don't know. There's a constant threat out there, from all different angles – whether it's viruses or it's hackers, or it's information theft, internally and externally."
Since one mistake or missed signal could have the hospital's name splashed all over the newspapers, with HHS' Office for Civil Rights pursuing potential millions in settlement money soon thereafter, it's critical to be in "pursuit of 100 percent," says Roszkowski, who notes a level of urgency and criticality that's comparable to data security in the military.
"I did information security in the Army: you don't want people to know where the soldiers are on the battlefield," she says. "It translates over to healthcare: We don't want people to know about a patient unless they're caring for that patient."
But with so many threats, of so many different types, "You don't know what you don't know," says Roszkowski.
That's a fact made all the more salient by Fletcher Allen Health Care's significant growth – in size and complexity – in just the past few years.
Fletcher Allen Partners was launched in 2011 to be the new parent organization of Fletcher Allen Health Care, together with Central Vermont Medical Center. Champlain Valley Physicians Hospital and Elizabethtown Community Hospital, just over the border in New York, are other new partners in this nascent ACO.
Moreover, Fletcher Allen has been instrumental in Vermont Information Technology Leaders, the Green Mountain State's health information exchange.
"Five years ago, they were one hospital," says Mac McMillan, CEO of information security firm CynergisTek, which works with Fletcher Allen to improve its technology and compliance. "Today they are part of an academic medical center. They have other hospitals they are supporting or working with. They are the ACO for the region, half of the HIE for the state."
"It's constant growth," says Roszkowski. "CynergisTek has helped us know what we don't know. That's the first step in knowing where we want to go, what our priorities are, how we protect our network: Find out where are we falling short, where can we improve?"
One particularly valuable piece of technology that's offered at least a measure of reassurance is Fletcher Allen's use of data loss prevention software, which can monitor for potential breaches, detecting and, if need be, blocking sensitive data when it's misused.
"Security is not an afterthought for Fletcher Allen," says McMillan. "When they have started every major initiative, they have thought about security from the get-go. That, in and of itself, has probably saved them millions and made those projects go better. Because they're not retrofitting anything."
"It's easier to implement security before you have a problem, than after," says Roszkowski.
One recent case involved DLP technology that detected and prevented a potentially disastrous breach: 9,000 patient records a nurse was trying to send via email to her home.
DLP software is installed across an enterprise, "it discovers and indexes where all your sensitive information is," says McMillan. "Then, based on the rules that you specify, in terms of where it can live, where it can go, how it has to be transmitted, what devices it can go on, etc., it basically watches what people are doing."
In this case, this nurse "was doing some legitimate research," he says. "She asked for some subset of patient information to support her research, which is all fine and good.
"The expectation was that she would be doing this research at the hospital," he adds. "But she, of course, like a lot of people, got into a time crunch and decided, 'I'll just send it home and work on it there.' She wasn't a bad person; she was just trying to get stuff done."
Fortunately, "the system noticed, and said, 'You can't send 9,000 patient records through Yahoo!,' and it stopped that transmission," says McMillan. "Even well-intentioned users will break the rules occasionally, not meaning to. Unless you have the right technological controls in your architecture to help protect against those things, you can have all the policies and procedures in the world, and it ain't gonna save you."
A 9,000-record breach is a big deal, after all – and could cost hundreds of thousands of dollars to settle.
"That incident alone, had it happened, would have (cost as much) as their DLP solution three times over, easily," says McMillan.
Even with an added layer of watchfulness thanks to DLP, Roszkowski still has plenty keeping her on her toes, of course. Like everywhere, mobile technology is a constant challenge. Encryption and PINs are used on every device that has any Fletcher Allen data, she says, but as far as a broader device management strategy, "We're looking at different approaches."
Sometimes life as a CISO can feel like "controlled chaos," she admits.
Even so, while "every day is different for me, every day has a purpose," says Roszkowski. "That's the biggest thing my team and I understand: It's all toward the same goal."