Darren Lacey describes his role as chief information security officer (CISO) at Johns Hopkins University in Baltimore as being like that of a circus master. At any one time, he has a list of up to 60 different technologies, ranging from firewalls and e-mail encryption to iPad pilot projects, to work on. But much of his job hinges on building relationships. “You have to have a good relationship with your CIO, and you’re only as good as the trust-building you do,” he says. “People have to know that you aren’t going to light your hair on fire over small things.”
Like other CISOs, Lacey recognizes that 2012 will be a challenging year. Final Health Information Technology for Economic and Clinical Health (HITECH) Act modifications to Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations will be released. “The HITECH Act doesn’t really change what we are working on, but it does raise the stakes,” he says.
CISOs have a higher profile now, but the changes in the role and in security programs in general are evolutionary, not revolutionary, says Kate Borten, president of the Marblehead Group, a Marblehead, Mass.-based consulting firm, and former CISO of Beth Israel Deaconess Medical Center in Boston.
“As we see more data breaches and recognize the cost of regulations—and there will be new regulations in 2012—there is a gradual recognition by C-level executives that they need a high-profile person in this role and that they must give CISOs the authority to lead this program.”
But at some organizations, the CIO is still doing double duty, Borten adds. CIOs don’t usually have the skills or the time to do a good job of security, and having the CIO own security is a built-in conflict of interest. “We often see network administrators handed these responsibilities, but this is a big leap in scope and vision for most of them,” she stresses.
This will be a challenging year for CISOs, because the provider community has recognized that they are way behind on improving their security controls as HHS’ Office for Civil Rights ramps up its audit program, notes Chris Apgar, CEO and president of Apgar & Associates, a Portland, Ore.-based consultancy.
OCR contractors will conduct up to 150 audits between May and the end of the year, at covered entities ranging from small practices to multistate health organizations. “OCR is looking for a culture of compliance, with a focus on having risk analyses conducted and training and incident response plans in place,” he says. Because organizations are struggling to respond to ICD-10 and meaningful use, CISOs must convince other C-level executives to beef up their staffing with more security personnel or to outsource some of the responsibility to consultants.
The Healthcare Information and Management Systems Society (HIMSS) conducts a wide-ranging survey of health security officials each year. With the 2011 survey released last November, Lisa Gallagher, senior director of privacy and security for HIMSS, is seeing gradual progress on some fronts and some stubborn gaps in security controls persisting. “There has been a little bit of progress in the profile of CISOs, especially in larger organizations and independent delivery networks,” she says. The percentage of organizations that report doing risk assessments is relatively flat at 75 percent. “That still leaves 25 percent not doing them,” she notes. “It is tied to the budget issue. They often don’t have the resources or knowledge of how to do them.” Almost 60 percent of survey respondents indicated that their IT budget dedicated to information security has increased in the past year, but at an average of 3 percent of IT spending, it remains below other industries that are in the range of 5 to 10 percent, she says.
The survey also identified several technologies CISOs plan to work on in 2012, including e-mail encryption, data loss prevention, and single sign-on, which Gallagher says should make adding security controls more palatable to users.
Many CISOs will be addressing the issue of unsecured mobile devices in 2012. In a 2011 survey by the Ponemon Institute LLC, more than 80 percent of respondents said their organizations use mobile devices that may collect, store, and/or transmit protected health information, yet 49 percent said they don’t do anything to protect these mobile devices. But although the top cause cited for data breaches remains lost or stolen computing devices, Lacey says academic medical centers such as Johns Hopkins also have to increase their intrusion detection and data leak control capabilities.
“The percent of breaches due to hacking and malware is small at around 10 percent,” he says, “but the risk at academic medical centers is higher than that. We all have to raise our games in terms of preventive controls.”
Borten’s prediction for headlines for 2012: We will see more breaches reported and more state attorneys general prosecute them. “It is unfortunate, but well-publicized legal cases and fines get senior management’s attention,” she says. Also, new regulations are expected to make business associates’ subcontractors that touch PHI directly responsible for being HIPAA-compliant themselves. “That is enormously important,” Borten adds, “because it is a huge vulnerability today.”