Security tips from the health IT pros

'A CIO has limited authority but infinite accountability.'
By Erin McCann
10:06 AM
Hospital executive with doctors
As anyone who's ever worked for IT security can attest, the job is no walk in the park. New threats, compliance mandates, vulnerabilities and updates are constant. But with strong leadership, and a culture of compliance and responsibility to match, many healthcare organizations have shown it can be done right -- and well.
 
Beth Israel Deaconess Medical Center's Chief Information Officer John Halamka, MD, said for this kind of career, it's a matter of first understanding that, "a CIO has limited authority but infinite accountability." You have to ask, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'What you have done is reasonable?'" he said.
 
 
This involves thinking about how to encrypt every device and how to protect the data center from both internal and external attacks.

"Much of what I have to do is meet with my business owners and ask, 'What are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks? We're never going to be perfect," he added. "But we can put in place, what I call a 'multilayer defense.'"

 
Another fundamental piece to doing privacy and security right? No surprise here: Get your risk analysis done – and done properly.

"This is the single most important document as part of the OCR investigation," said Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy. "(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk."

 
This includes showing the safeguards your organization has put in place from technical, physical and administrative standpoints, explained Sessions. Things such as staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter. 
 
Time to encrypt
 
"Encrypt; encrypt; encrypt," said Sessions. It's a safe harbor for the HIPAA breach notification requirements, but that still fails to motivate some. 
 
 
"(Physical theft and loss) is the biggest hands down problem in healthcare that we are seeing," said Suzanne Widup, senior analyst on the Verizon RISK team, discussing the 2014 annual Verizon breach report released in April. "It really surprises me that this is still such a big problem ... other industries seem to have gotten this fairly clearly."
 
According to OCR data, theft and loss of unencrypted laptops and devices account for the lion's share of HIPAA privacy and security breaches, nearing 60 percent. (Hacking accounts for some 7 percent, and unauthorized disclosure accounts for 16 percent).
 
"Pay attention to encryption, for any devices that can leave the office," said former OCR deputy director for health information privacy Susan McAndrew at HIMSS14 this past February.
 
Of course, the healthcare breach numbers are going to be slightly higher because the federal government has mandated specific HIPAA privacy and security breach notification requirements for organizations, but that has no bearing on the reality that these organizations still fail to implement basic encryption practices, Widup pointed out. 
 
Sessions conceded that it is a pricing concern. "At a time where reimbursements are going down and technology costs are going up with the advent of the electronic health record, there are competing priorities within a healthcare organization of where they can spend their money."
 
A 2011 Ponemon Institute report estimated full disk encryption costs to be around $232 per user, per year, on average, a number representing the total cost of ownership. And that number could go as high as $399 per users, per year, the data suggest. 
 
Kaiser Permanente Chief Security Officer and Technology Risk Officer Jim Doggett, however, said encryption presents a challenge not only because of costs but also because of the data itself. "The quantity of data is huge," he told Healthcare IT News
 
The 38-hospital health system encrypts data on endpoint devices in addition to sensitive data in transit, said Doggett, who currently leads a 300-person technology risk management team, in charge of 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. And don't forget the health data of some 9 million Kaiser members Doggett and his team are responsible for.

"This kind of scale presents unique challenges, and calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente," he added.