On Friday, May 12 at the Health IT Summit in Chicago, sponsored by Healthcare Informatics, and held at the W-City Center Hotel in downtown Chicago, a panel discussion focused on some of the broad issues around IT security management in healthcare.
The panel discussion, entitled “Building an Integrated Security Strategy—Practical Tips for Creating a Governance Structure that Meets Your Standards,” was led by Sriram Bharadwaj, chief information security officer (CISO) and director, information services, at UC Irvine Health (Irvine, Calif.). Bharadwaj was joined by Michael Brunelle, privacy officer and data security analyst, Norwegian American Hospital (Chicago); Fred Kwong, Ph.D., director, information security, and CISO, Delta Dental; Adam Page, CISO and director, application services, NorthShore University Health System (Evanston, Ill.); and Chuck Podesta, CIO, UC Irvine Health.
It should be noted that the discussion took place from 9:00 to 10:15 AM Central time, nearly four hours before news of the global cyberattack known alternately as WannaCry and Wanna Decryptor broke in the U.K. and elsewhere, so that subject had not yet emerged to be discussed.
In any case, the discussion Friday morning was very wide-ranging. After general introductions and an overall framing of the subject, Bharadwaj turned to his discussants to get their perspectives on how they handle data security at the data governance and data management levels, and specifically on how they’ve worked to develop an internal IT security framework. With regard to how the process moves forward at NorthShore University Health System, Page said, “In terms of how we assess our security position, it had been up to the person leading those efforts” to manage governance, before he arrived at the organization. “So,” he said, “my first task was to assess our options. The first thing we did was to think, OK, if something does happen and we have to publicize some sort of breach, OCR [the Office for Civil Rights in the Department of Health and Human Services] is going to come in and ask questions, probably in the format of the OCR audit profile. So the first thing we did was to fill out that profile, and answer the questions, and score things red, yellow, or green, and why.”
Page continued, “When we felt we had gotten everything at least up to a yellow level, we did a reassessment, looking at the progress we’d made in the past year. Documentation is huge: you’re using a framework to prevent a breach, but you’re also using those assessments to document what you’re doing. And from there, we’re now using the Resilience framework or assessment from the Department of Homeland Security/Carnegie Mellon. No matter what,” he said, “you need to use tools that are out there. And very importantly, what’s your scope, what angle are you coming from? And what software are you using? And how are you responding to each of the questions in any of the frameworks? That’s all very important.”
Delta Dental’s Kwong testified that “The reason why we went down the path of a framework is this: if you think about it from a legal perspective, frameworks allow you to show to auditors and/or OCR, if you ever get audited, what you’ve done in terms of legal standards. Following frameworks shows that you’ve followed reasonable steps to protect the data you hold. You cannot show that something you’re doing is reasonable if you don’t have it allied to some sort of framework; otherwise, someone’s going to poke holes. And so, how can you answer the question as to whether you’ve done what you need to? Following a framework isn’t the only thing you need to do,” he added, “but it’s a good foundation. There are a lot of frameworks: the NIST Framework that came out about three years ago, and the older NIST framework. The ISL Framework, and others.”
“If what you have today is a mainly compliance-based security program, and you want to switch over to a risk-based program, start with a relatively simple framework,” Norwegian American’s Brunelle offered. “If you haven’t done this in the past, that’s a good way to start. If you’re more mature, you might be able to go to a more advanced framework. Or there might be pressures in your organization to go to something more advanced like the HITRUST framework. So once you’ve gone down that path, you can start moving forward, choosing a framework and developing a security program based more on risk than on compliance. And 1.1 added in the concept of risk. And the ISL framework is more of an international standard. But ultimately, you want to adopt one that works with your organization.”
In response to a question from an audience member on whether a framework exists that focuses on the internal side of identity management and IT security governance, and on whether that is something that is important, Delta Dental’s Kwong said, “Any of the major frameworks will address identity protection. There’s a Rising Breach Report; the most recent one found that 68 percent of breaches occur from the inside out. If you think about data that walks out of your organization, how often does that happen? It happens to everybody.”