How Kaiser does privacy and security
Kaiser Permanente’s Jim Doggett knows a little something about privacy and security risk management.
As chief security officer and chief technology risk officer of the 38-hospital health system, Doggett and his 300-person team oversee the security of some 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. All told, the team is charged with safeguarding the health information of more than 9 million Kaiser members. It’s one seriously tall order, but they make it happen.
Doggett, who will deliver the opening keynote address at the HIMSS Media & Healthcare IT News Privacy and Security Forum June 16-17 in San Diego, said a position involving this kind of scale “calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente.”
We caught up with Doggett to hear more about his upcoming keynote, best practices and how Kaiser Permanente tackles the multifaceted and oft-uphill nature of privacy and security in the digital age.
Q: What will you be speaking about as the keynote speaker for the HIMSS & Healthcare IT News Privacy & Security Forum?
A: I’ll be providing a state of the health IT industry and discussing the need for trusted technology. Companies no longer have the luxury of time to adapt to new and changing technology risks. Everything about a given organization’s technology portfolio is in a near or constant state of change – technologies change, member requirements change, usage changes and the threat landscape changes. Fortunately, there are ways to mitigate the risks these changes pose. Risk management can help an organization identify, prioritize and manage the issues and risks they face, addressing those that are most important to the organization.
I’ll also discuss how to maneuver in the delicate balancing act of protecting an organization's technology footprint, as well as the role risk management plays in defining the future of healthcare. This includes things like how to approach technology risk management and align to the business; how to stay ahead of the technology adoption curve; and how to update your technology risk model with an eye toward the future.
Q. What is Kaiser Permanente's encryption policy? Encryption obviously is a safe harbor for the HIPAA breach notification requirements. Why do you think it proves so difficult for healthcare entities to encrypt mobile and portable devices?
Kaiser Permanente encrypts data on endpoint devices (e.g., PCs, tablets, smart phones, removable devices), as well as encrypts sensitive data in transit. Encryption can be a challenge for many industries not necessarily because of the cost, but because the quantity of data is huge.
For healthcare companies we have a unique challenge because the nature of electronic health records is complex with patient’s privacy and data security being the paramount concern. The focus is not just about protecting the data, but at looking at the impact to electronic health records and patient care. We are always looking at security from the consumer perspective, and this is when we can best meet the business need.
Q: Before you transitioned into healthcare, you came from the finance industry. What were some of the big surprises when you made the transition into healthcare, an industry generally considered significantly less sophisticated in terms of security protections and policies? What is the biggest lesson the finance industry can teach healthcare in that regard?
A: I joined Kaiser Permanente two and a half years ago after spending more than 20 years in the financial services and banking industry on Wall Street. I had to learn a whole new way of looking at technology. The principles are the same, but the stakes are different – much higher – protecting member and patient data is critical.
In addition, various regulations have just begun to hit the healthcare industry, so from a regulatory perspective the healthcare industry is not as mature as the financial services industry. This presents a unique set of challenges and opportunities when it comes to protecting patient health information.