On June 28, at the Health IT Summit in Nashville, sponsored by Healthcare Informatics and held at the Hilton Downtown Nashville, a panel of industry experts on health IT security had a complex, layered discussion of the equally complex and layered current landscape around data security.
The panel discussion session, entitled “Building an Integrated Security Strategy: Practical Tips for Creating a Governance Structure that Meets your Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Patty Lavely, senior vice president and CIO at Gwinnett Medical Center (Lawrenceville, Ga.); Shane Pilcher, administrative director, information services, Siskin Hospital for Physical Rehabilitation (Chattanooga); Shayne Champion, director, information security and architecture, Erlanger Health System (Chattanooga); and David Finn, a former CIO and the health information technology officer at the Mountain View, Calif.-based Symantec Corporation.
The discussion quickly became very pragmatic, after Barrett asked his fellow panelists, “As each of you have developed and managed your security strategies for your organizations, what are some of the practical things you’ve done to support governance structures?”
“One of the things we’ve done,” said Champion of Erlanger, “is to look at our governance structure and look at what’s practical. For some organizations, you can do something as robust as what we’ve been doing; for others, that’s not possible.”
“Working for years on the technical side to harden our structures, we didn’t really have a formal security risk program,” Pilcher reported, of the situation at Siskin. “So we’ve taken a journey over the last year and a half to start to develop governance and management structures. We’ve consulted outside organizations. We’re using NIST [the framework from the National Institute for Standards and Technology, within the U.S. Department of Commerce] and other frameworks to help us start. We’re putting committees into place to help us start as a body. And we wanted to make sure it wasn’t information systems-driven, but organizationally driven. So we brought in our compliance officer, our HR director, so that as we put out new policies, they were organizational.”
Finn said, “I’m going to echo those comments. I spent 25 years in the provider space, in roles ranging from a systems auditor to a CIO, prior to joining Symantec. And when I arrived in a security and privacy officer role in a hospital organization, I realized that we had a lot of data—but at the same time, that we didn’t understand the data. And the last people to understand the data are the IT people. So you have to understand the data and what’s at risk, and what’s important, and you have to tier that data,” he said. “IT cannot make those decisions; you’ve got to have the organizational and data owners, and the users—clinical, finance, etc.—and they’ve got to decide what levels need to be protected, and levels of protection on that data.”
“I agree with everything said,” Gwinnett Medical Center’s Lavely said. “And the most important element has been education. We put into place some formal policies, pulled together a framework. Then the next step was to bring in compliance, risk, and HR, and get them on board with the framework. And then I went to the c-suite and the board, because the board is ultimately responsible. And I’ll say, with the leadership, it’s a constant work in progress of continuing that education. It’s a little easier now [to persuade people of the need for healthcare IT security], because we have so many public issues affecting us personally as individuals, whether with Target or Home Depot, for example. But we continue to look at issues like password expiration and other issues—and it’s becoming more and more acceptable to put in [more rigorous] policies and procedures than previously, but not without education.”
Achieving—and Maintaining—Board-Level and C-Suite-Level Engagement
“As you’re working with your management and board of directors, how do you keep them informed and engaged, and supportive of your various objectives and work?” Barrett asked his fellow panelists. “How do you engage and keep the board engaged? And are there other committees, like the audit committee, that you involve? How do you manage all of those groups? Patty, any specific kinds of ideas?”
“Well, we’re very fortunate,” Lavely responded. “We have a member of our board who comes from the telecom industry. He’s actually no longer in that industry, but that background has been tremendously helpful. And cybersecurity now reports to the audit committee on the board, and he’s on that committee. In fact,” she went on, “we had a board meeting Monday night. And we just produced our section on cybersecurity for the board; in my report to the board every month is a section on cybersecurity; it takes their eyes to that section of the report. And then we do an extended report to our audit and compliance committee every month. And when we have a potential big breach, I will call to give that member a heads-up. We don’t want them involved in the operations, that’s not their role; but we try to keep a high level of awareness. And I would not go to the board for funding without going to the c-suite first, but when I do bring something to the board, it’s a non-issue; it gets approved.”
“To Patty’s point,” Finn said, “it really is educational. And particularly the community hospital boards, they’re not IT experts; sometimes, they’re not even healthcare experts. So it’s a long, slow process. And you have to meet them where they are. If you start talking about IT, you’re going to lose them, or clinical workflow. You have to meet them where they are.”