The nuances and complexities of mastering the current healthcare IT security environment took center stage during the first panel discussion of the day on Thursday, August 11, as the Health IT Summit in Nashville, sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella) got underway at the Sheraton Downtown Nashville, in Nashville, Tenn.
Following an opening keynote address by Steven J. Stack, M.D., an emergency physician from Lexington, Ky., and the immediate past chair of the American Medical Association, which focused on physicians’ frustrations with electronic health records (EHRs), a group of industry leaders turned to healthcare IT security, in a panel discussion entitled “Security & Data Protection: High Tech & High Touch,” which was chaired by Glenn Pearson, principal in the consulting firm Pearson Health Tech Insights, LLC.
Pearson was joined on the panel by Patricia A. (Patty) Lavely, senior vice president and CIO at Gwinnett Medical Center (Lawrenceville, Ga.); Edward (Ed) McKinney, information security officer at Floyd Medical Center (Rome, Ga.); and Roy Wyman, a partner in the Nashville law firm of Nelson Mullins Riley & Scarborough LLP. The panel covered a broad range of discussion areas.
Pearson began by asking discussants, “How high a priority is security for most organizations right now?”
McKinney referenced a recent survey conducted by the CIT Group. “The CIT Group did a survey of senior health executives,” he said, “and in their survey, it was 88 percent a concern. And 90 percent said in the boardroom, IT security was becoming a very common topic that they were having to address. The thing that worries me a bit,” he said, “is when it’s not in the news. Right now, the malware/ransomware is definitely getting everyone’s attention, but we’ve got to be thinking about what we’re doing. It can’t just be a trend of attention to ransomware,” but rather, he stressed, the leaders of patient care organizations need to continue to focus strongly on healthcare IT security for the foreseeable future.
“Are boards of directors getting interested now?” Pearson asked. “Yes,” said Wyman. “A board hired me as their chief privacy officer in my most recent past position. They told the CEO, you’re not doing enough” to focus on healthcare IT security, he recounted. As a result, he said, “They brought in a CISO, a chief privacy officer, and others. So yes, I think that boards are becoming more aware. And I think boards are seeing more liability [that they might face as a result of their participation in hospital and other patient care organizations]; and they’re saying, hey, this isn’t just something I can put on my resume, this is something I have to do well,” he said, citing the federal Sarbanes-Oxley legislation that puts liability on directors for actions of the organizations they help to govern.
“I love that you mentioned Sarbanes-Oxley and that connection,” Pearson said. And, turning to Lavely, he asked, “Patty, how has your situation evolved at Gwinnett?” “Interestingly, it has related to the board,” Lavely responded. “Our board has gotten more involved and taken more of an interest and more of a leadership role than they ever have. And our work seems to be driven by our board of directors. And that’s been true for us in the past three years. And I think our overall workforce is becoming more educated, partly because of our efforts, and partly because of the efforts of the news media.”
In fact, Lavely said, mainstream news media coverage of IT and data security has helped her and her team, “Particularly because more people are having their identities stolen; so that when you start talking about security at work, people can relate it back to their own lives.”
Turning to Wyman, Pearson said, “Roy, you’re probably in touch with lots of different organizations. On the flip side, do you quantify in any way how many boards are not aware? How widespread is not being involved?”
“I don’t know the percentages,” Wyman said. “But what I’m seeing is that in the larger organizations, boards are very much aware; it’s on the front burner. I get calls every week” for help with a lot of basic issues, he said. “I had a call yesterday from someone saying, we’re buying up physician practices. But they had no chief compliance officer, had no idea what policies to implement. Part of this is that the burden is so high that organizations just push it all off. They say, we’ll wait until we’re bigger. But the problem is that you’re seeing physician practices being hit with fines of up to $750,000, not because there’s been a breach, but because they don’t have business associate agreements signed, and for other technical issues. And that’s waking people up.”
“So the expansion of [regulatory mandates] is making people more aware?” Pearson asked. “Yes, organizations are realizing they don’t have all the security and privacy policies and practices in place that they need,” Wyman responded.
Balancing security and end-user access
One of the issues that came up in the discussion was balancing end-user access to data and systems against the need to improve IT security in patient care organizations. “How do you balance that out, as a CIO?” Pearson asked Lavely. “There is a balance; I’m not sure I know what it is yet,” she said. “But access is an inherent area of vulnerability; we can’t lock it down. So one of our concerns right now is that we give access right now to many people who are outside of our sphere, and control, so to speak. They’re with physician practices whose physicians are members of our medical staff. So that’s a huge area of vulnerability.”
“And how do you handle that?” Pearson asked. “The only way to handle that is to hire an army of people checking in on them, and to do random audits,” Lavely responded. “But there may be a six-month gap where someone has left a medical practice, and no one has checked in on that. Or Susie leaves, and hands her access to Sarah. And no one knows. So it’s a problem.”
“And there are so many people out there who add so many layers to this,” Pearson offered. “Yes,” said Lavely. “Yesterday, we heard that there has to be a human firewall; and that’s a huge gap in that firewall” when it comes to end-users in patient care organizations.
“We’re doing spot checks on vendors,” McKinney noted. “We’re putting in place certain products that really lock down on access, so that vendors and other parties that need to connect are really locked down on other systems connected to us. We’re doing it after the fact, but you really have to do system security checks early on. So we’re trying to get into the life cycle early on, so we can interject that security.”
“And that’s why people in patient care organizations so often hate me,” Wyman said, “because I’m always having to say no. I was working with a client that was working with a pharmacy hub, which was controlling processes around patients getting specialty medications. And I told them, I believe you’re violating HIPAA. And I got a call from the hub within an hour saying, if you don’t release that data, children will die. And you don’t get that call that often as a lawyer. But there are times when there is a tension between the regulatory environment and real life. And you’ve got to work things out. Often, lawyers get blindered, and we shut things down as a natural inclination. I’d much rather be in front of a jury saying, we did the right thing, than to be in front of a jury saying, well, we followed HIPAA.”
“I’m an information security officer, and you want to get people to buy into the process,” McKinney said. “There are times when you have to say no, but you really want to find ways to say, we can do this better.” “And we have to continually listen to our end-users and hear the experience we’re imposing on them, because we are imposing so many things on them,” Lavely emphasized. “As Dr. Stack said, the IT department doesn’t know that what they think they gave us is actually what they gave us. And if we’re not standing at their shoulder, we don’t see that.”
“Do executives and boards understand how vulnerable everything is?” Pearson asked, referring to the full panoply of information systems, medical devices, mobile devices, and all devices. “I’m not sure that healthcare executives necessarily do understand, except for around medical devices, because so much attention is being focused on it,” Lavely responded. “We have a community board. And one of our members is a business owner, and another is a financial executive for a very large telecom company, which is great for me. And they’re great, because they’re champions for security on the board.”
“And my sense is that this is one of the last areas that healthcare executives would think about—the Internet of things,” Pearson said. “Would you agree, Ed?” “I agree,” McKinney said. “But you have to look at it the way you would look at any device. You look at the storage of the data, at how well the data is encrypted at rest, and in transit. You just have to look at it from those basics, and do the best you can. And also, per what Patty is saying, many times, security is an afterthought; it’s been bolted on and not baked in.”
CISOs and CIOs
“You’re a CISO, which is still a relatively new position,” Pearson said. “How do you see the trends evolving for the position?” “To give you an example,” McKinney said, “there’s a recruiting firm that’s very active in this area, and they’re seeing a 68-percent increase this year over last year in the hiring of CISOs. On the other hand, they’re also seeing a 50-percent rate in CISOs leaving their positions, which means that there’s obviously a lot of turnover taking place right now.” “So how can CIOs and CISOs best work together?” Pearson followed up.
“It’s important to remember,” McKinney responded, “that security is a team sport. The CISO is there to make sure on a daily basis, an hourly basis, of security for the organization. From the moment you get up to the moment you go to bed, you’re thinking about security. And in today’s world, we don’t have the luxury of being in a world without vulnerabilities. So, given that security is a team sport, the CISO is always trying to wave the banner of security, but also to work with the team, and cheering on every effort that touches on security. That’s how we get things done.”
“How much authority does the CISO typically have?” Pearson followed up. “Again, it’s a team sport,” McKinney emphasized. “You want folks to buy into the security. You want a steering committee so that when they start looking at security with you as a committee, they go back into their workplace and see the issues facing them. So it’s about helping people to keep the focus around security.”
Wyman added, “I just want to say that what I’ve seen in a number of situations is that you get the CISO parachuting into a company, and out there on her own. And the CISO goes in and says, OK, now I’m responsible to do all this, and it’s just me, and I can’t do anything without the CIO helping me. And the CIO has been given no input, and says, OK, I’ve got all these projects to do, and security comes out of my project, and he’s not reporting to me. And we don’t need him fudging with my stuff. So I think,” he said, “that it’s really important CISOs have the resources and the buy-in. And I think CIOs honestly need to get over themselves on this. And make sure that the CISOs have the resources, because this man or woman is making me look good.”