A number of complex, nuanced issues at the CISO level came to the fore in a panel discussion on Friday afternoon at the Cybersecurity Forum, on the second day of the Health IT Summit in Raleigh, being held at the Sheraton Downtown Raleigh (N.C.), and sponsored by Healthcare Informatics.
The panel, entitled “Practical Tips for Creating a Cybersecurity Framework that Meets Your Privacy Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Johannes (John) Boehme, CISO, Wake Forest Baptist Health (Winston-Salem, N.C.); Chuck Kesler, CISO, Duke Health (Durham, N.C.); Chris Beal, director of security and chief security architect, MCNC (Durham); and Carl Cammarata, CISO at Northwestern University’s Feinberg School of Medicine (Chicago).
EHNAC’s Barrett opened the discussion by asking his fellow panelists, “What’s the single most complex and challenging issue your organization is facing right now with respect to security and privacy compliance?”
(Photo, l. to r.: Barrett, Beal, Kesler, Boehme, Cammarata)
“It’s a continuous challenge—knowing where your data’s at,” said the Feinberg School of Medicine’s Cammarata. “In the culture of our organization, with 3,600 researchers in 2,400 departments, although they are connected together through the School of Medicine, they are run by their department heads, in a very entrepreneurial way. So the challenge is knowing where the data is, knowing the level of sensitivity involved; and if it’s consented research data, it’s treated differently from ePHI under HIPAA.”
“And you have millions of dollars in research grants and projects coming into your organization,” Barrett said. “Does that add another level of complexity?”
“We receive $676 million in research grants a year,” Cammarata replied. “And absolutely, that adds a huge level of complexity to this. And yet it ends up having only an incremental effect on my staffing model, which is constrained by budgets. I have to learn how to manage what I have. So I built out an extensive risk assessment process—we have over 5,000 data security plans prepared by the principal investigators,” he reported.
“The challenge we have right now is the maturation process for our medical device program,” said Wake Forest Baptist’s Boehme. “This to us is our next frontier: the ability to get everything together, to know what’s in your assets, what’s in your production network. That’s a real challenge. It’s similar to the days when we were moving from analog film to digital” in radiology, he added. “But I think we’ve put a handle around that, and around the technical questionnaires and interactions with the vendors. Our challenge is how we govern it. You’ve got radiology, laboratories, and biomedical, all spread out. Our challenge will be how to put a governing set of principles around all those areas. Who’s going to govern those areas, and which would be the overarching committee over a particular issue? One team says, ‘We have to do this for patient care,’ while the security people say, ‘It’s going to be a detriment to the network.’”
“Building on those themes,” said Duke Health’s Kesler, “Duke is both highly centralized, but also decentralized, in terms of the organization’s research functions. It really comes down to people. We have 30,000 users, including faculty, students, affiliates, staff members, etc. We’ve done a lot of work educating people and trying to instill good behaviors. But at the end of the day, usually when we have a problem, it’s because someone’s made a mistake, and that results in an infected machine or other problem. At the same time, people are our greatest asset, and are an extension of my team,” he added. “I’ve got a team of 20 people, but by extension, a team of 30,000. And another challenge we’re dealing with is that a lot of people are bringing devices into the network. So bringing in training and awareness hopefully helps change the equation.”
“At an abstract level, the biggest challenge is culture and change,” said MCNC’s Beal, whose organization provides a secure communications network for North Carolina’s state government, its public and some private universities, and numerous hospitals, public safety organizations, libraries, and other organizations. “The threat landscape has changed. And we have many people who have been here for a long time, in IT. And their attitude is, our job is to move packets, not to care what’s in it. So we need to change that, and that’s a challenge at a really high level.”
What’s more, Beal continued, “Bringing it down to the next level, we are challenged greatly by scale. We have 2,700 miles of fiber. And our backbone network moves a lot of data. And there are a lot of tools we could take advantage of, but the vast majority of solutions are designed for enterprise scale, not service provider scale, and the service provider scale solutions are really, really, really expensive. So affording what we need to provide is a significant challenge.”
Balancing data availability and data security
“A lot of data has been shared now, including among ACO [accountable care organization] partners, other organizations,” Barrett noted. “So how do you look to balance data availability and data security? Because the number of connections you’ve got is growing exponentially out there.”