Commentary
What CISOs are up against in 2015
Happy Old Year?
By David S. Finn, CISA, CISM, CRISC, Health IT Officer, Symantec Corp.; and George W. McCulloch Jr., MA, MBA, FCHIME, CHCIO, Executive VP, Membership and Professional Development, CHIME
’Tis the season for wishing others a Happy New Year. If you happened to have celebrated the holidays with a healthcare Chief Information Security Officer (CISO), they were probably relieved to see 2014 come to a close. The year 2013 was the “Year of the Mega Breach,” and 2014 may as well have been the “Year of the Advanced Threat” – from Heartbleed to Regin to the “Sony-pocalypse.”
So as 2015 kicks off, what visions are dancing through a CISO’s head? Today, we have more of everything … good and bad. There are more security frameworks, legal/regulatory requirements, checklists, security management, executive reporting and best practices. But information security events and data breaches continue at a staggering rate.
Here is what healthcare CISOs are up against in 2015:
- Poor visibility into the data and the risk posture of the overall environment – changes happen too fast for a checklist to keep up, so a risk-based approach is needed instead.
- Lack of understanding by individual organizations of what security is and requires – CISOs are now being asked to provide security reporting to senior leadership (even Boards), but making it meaningful to business leadership is a real challenge.
- Security, despite a lot of talk and media coverage, is not the priority for providers whose budgets and resources for implementing security initiatives lag behind.
- Risks in mobility, medical devices and patient engagement need special assessments and resources.
- Addressing culture effectively and making security a business problem. Ultimately, the problem isn’t just technology – it’s people and process. It has to be a team sport.
This is the year to move from compliance to assurance.
Here are the leadership challenges for CISOs in 2015:
- Understand the needs of the business.
- Have the security knowledge and skills to match the demands of the business and the threats to it.
- Understand, define and communicate critical success factors for information security from a business perspective.
- Learn to manage real risks, prioritize risks and document the plan to address them.
- Drive process change, across the organization, in collaboration with other business leaders.
- Think and communicate about both security and privacy.
- Have a plan, and communicate in terms that the customer understands.
Finally, CISOs need to demand uniform standards. “Reasonable and appropriate” doesn’t work as a governance standard to guide investments in security, privacy and risk management. Until we set a minimum standard, allowing everyone to do their own thing puts us all at risk, especially given how interconnected and interdependent we’ve become.
For healthcare CISOs, is that cup of New Year’s punch filled with honey or hemlock? Let’s make it the sweet stuff.
Finn and McCulloch are leaders of the newly formed Association for Executives in Healthcare Information Security (AEHIS), the College of Healthcare Information Management Executives (CHIME) organization that represents chief security officers (CSOs) in the healthcare setting. Learn more at cio-chime.org/aehis/.
Mobile Imaging
Tablet-based ultrasound shines as emergency tool
In a first-of-its-kind field trial that began July 1, 2014, six emergency services vehicles in the Dallas-Fort Worth metropolitan area have been equipped with Samsung tablet-based ultrasound systems to provide real-time imaging of on-scene trauma patients back to clinicians in hospital facilities.
The wireless transmission of ultrasound images has enabled medics and/or doctors at Texas hospitals to positively identify internal bleeding/fluids, resulting in faster treatment upon patient arrival at the ER. Medics have also used the Samsung PT60A ultrasound system to detect heart movement in cardiac patients presenting without a pulse. While the existing protocol has been to contact their medical director to determine whether to cease resuscitation efforts, in several instances medics have continued treatment based on the ultrasound information, resulting in return of spontaneous circulation and eventual patient discharge.
EHRs
Truman Medical Centers wins two big HIT awards
If you are looking for advice on integrating electronic health record (EHR) technology to produce measurable patient-outcome and safety improvements while bettering clinical workflows and the bottom line, Truman Medical Centers (TMC) in Kansas City, MO, is the place to find some real answers. TMC was recently named the recipient of two prestigious health information technology (HIT) awards: the CHIME/AHA Transformational Leadership Award and the 2014 HIMSS Enterprise Davies Award.
The TMC organization comprises a pair of not-for-profit acute-care hospitals with 600 total beds, more than 50 outpatient clinics, a behavioral health program, the Jackson County health department and a long-term care facility. The organization provides 11 percent of all uncompensated care in the state of Missouri at a cost of $130 million, so cost avoidance through clinical improvement is crucial.
The CHIME-AHA Transformational Leadership Award, sponsored by the College of Healthcare Information Management Executives and the American Hospital Association, honors an organization that has “excelled in developing and deploying transformational information technology that improves the delivery of care and streamlines administrative services.” The award was given to the organization’s CIO and CEO: CHIME member and TMC’s Senior Vice President and CIO, Mitzi Cardenas, and the recently retired TMC President and CEO, John W. Bluford.
TMC is a participant in the Partnership for Patients, established by the Centers for Medicare & Medicaid Services (CMS) to make hospital care safer, more reliable and less costly. The organization has also launched Q6, “Quality to the Sixth Power,” which led to the formation of multidisciplinary committees to drive quality improvement across clinical workflow, IT and business processes using data from the organization’s EHR.
Using data from and the capabilities of its Cerner Corp. Millennium EHR system, TMC has been able to improve a variety of clinical processes:
- Using real-time EHR data and order sets, and integrating pharmacists into the care team, has reduced adverse drug events (ADEs), saving the system money and improving professional satisfaction for pharmacists.
- Developing a data-driven approach to develop protocols for moving patients has reduced the prevalence of healthcare-acquired pressure ulcers (HAPUs) by 78 percent.
- Creating a clinical decision support (CDS) system for hospital-associated venous thromboembolism (VTE) enabled clinicians to make informed decisions at the point of care. In the 27 months after the VTE CDS was implemented, some 48 incidents were headed off, 800 patient days were eliminated and approximately $400,000 in costs were avoided.
The Davies Awards program, sponsored by the Healthcare Information and Management Systems Society (HIMSS), “promotes EHR-enabled improvement in patient outcomes through sharing case studies and lessons learned on implementation strategies, workflow design, best practice adherence and patient engagement.” Davies Enterprise Award recipients are HIMSS EMR Adoption Model Stage 7 and Stage 6 hospitals and healthcare delivery organizations that have demonstrated significant, sustainable improvement of patient outcomes by using EHRs and IT while achieving return on investment (ROI).
The Davies Awards program noted that TMC’s EHR-enabled automated interpreter requests and streamlined workflow enabled a more personalized care experience for each unique patient while providing the correct care in the fastest time possible. The program also cited the CDS system for VTE prevention as providing TMC with significant savings.
The CHIME award was presented at the CHIME14 Fall CIO Forum in San Antonio, Texas, on Oct. 31. TMC will be recognized for the 2014 HIMSS Enterprise Davies Award at the 2015 Annual HIMSS Conference & Exhibition, April 12-16, 2015, in Chicago.
Sources: CHIME, HIMSS
Patient and Worker Safety
Need a guide to help prioritize technology-related safety initiatives for your hospital in the new year? ECRI Institute has you covered. The independent nonprofit that researches the best approaches to improving patient care has released its annual Top 10 Health Technology Hazards report to help hospitals reduce technology-related risks. This year, the focus is on:
1. Alarm hazards: Inadequate alarm configuration policies and practices;
2. Data integrity: Incorrect or missing data in electronic health records and other health IT systems;
3. Mix-up of IV lines leading to misadministration of drugs and solutions;
4. Inadequate reprocessing of endoscopes and surgical instruments;
5. Ventilator disconnections not caught because of mis-set or missed alarms;
6. Patient-handling device use errors and device failures;
7. “Dose creep”: Unnoticed variations in diagnostic radiation exposures;
8. Robotic surgery: Complications due to insufficient training;
9. Cybersecurity: Insufficient protections for medical devices and systems; and
10. Overwhelmed recall and safety alert management programs.
ECRI’s report is available as a free download. Each hazard includes an overview of the issue and recommended action steps to aid healthcare facilities in their efforts to maintain a safe environment for patients and healthcare workers. Get the full report at www.ecri.org/2015hazards.