As the recent ransomware attack at Hollywood Presbyterian Medical Center illustrates, healthcare organizations are increasingly at risk of cyber attacks because of the value of protected health information (PHI). Cybersecurity was top of mind for health IT leaders at the 2016 HIMSS Conference and Exhibition in Las Vegas this week, with an entire preconference session centered on how hospitals can improve their security posture to avoid information security compromises and breaches.
Hospitals, payers and business associates are increasingly leveraging the internet and medical and mobile devices in order to improve care, lower costs and retain competitive advantage. With this shift to digital comes increased risk to PHI.
Paul Connelly, vice president and chief information security officer (CISO) of Hospital Corporation of America and Dave Levin, M.D., chief medical officer at Sansoro Health and previously chief medical information officer (CMIO) for the Cleveland Clinic Health System, gave a joint presentation discussing the C-level perspective on information security and strategies to “sell security” to the board.
During the presentation, Connelly and Levin both emphasized the need for collaboration between CISOs and CMIOs to improve information security and to align the security strategy and tactics to meet clinical and business goals. Essentially, the CISO can be the CMIO’s best friend and vice versa, they both said.
“The days of healthcare organizations blindly buying new technologies without the CMIO’s and the CISO’s blessing need to be in the past. And the good news about the recent bad news is that it has helped raise awareness,” Connelly said.
They also discussed the unique clinical and business goals of CMIOs and CISOs within healthcare organizations.
“The view of the CMIO is to find a way to maximize the value of clinical IT at a time when medical systems and data are in the crosshairs,” Levin said.
“The CISO view is to look at this from the perspective of how to keep systems safe to protect your patients when there are organizations with many non-secure legacy systems and threats and the access and dissemination of data is growing exponentially,” Connelly said.
Despite these somewhat opposing goals, there is common ground, Levin said, with an overriding goal to protect patients and their health information.
Levin addressed the role of clinical IT with the ongoing movement in healthcare toward value-based care, which focuses on increased quality, improved safety and decreased cost. Healthcare organizations are now beginning to align the business case and the economic case, Levin said.
With the move from volume to value, the delivery of clinical services is now based on what Levin described as the three “Ps.”
“Personalized, where we zoom in, and that requires real-time information and highly customized care for each individual; Population, where we zoom out, and we need systems designed to care for large groups of similar patients; and Pervasive, which is zoom everywhere, and there’s where everything is connected,” Levin said.
From a CISO’s perspective, the healthcare transformation taking place now creates the challenge of keeping pace with the clinical and business pursuit of the best and newest health IT tools and uses of data. “Yet we have systems showing up on the loading dock purchased with no security vetting, architecture or implementation plan or maintenance/lifecycle provisions,” Connelly said.
“Today’s big data thefts may be remembered as the good old days as the system and data destruction and attacks on people via cyber for extortion and terrorism could become reality,” he said.
Connelly said health IT leaders need to change the paradigm and get security “baked in” to the lifecycle of health IT products and systems.
When it comes to medical device security within HCA, Connelly said he works together with the CMIO community to identify the systems and classify the tiers of priority. “They play a key role in introducing new technologies and they have the relationships with vendors so that provides some leverage to work with them to improve the systems.” He added, “It’s a two-way street and the CISO also can be an important ally to the CMIO and we can get involved early to do vetting and help identify the security vulnerabilities and what it takes to correct and identify new approaches.”
Connelly and Levin both highlighted reasons why CISOs and CMIOs should collaborate on health IT and information security.
“Secure solutions carry more weight with management today,” Connelly said. “You have a better chance of approval of initiatives when the CISO is on board. By including me in the initiative, you can ‘bake’ the security into the clinical initiative, and the net result is that we are going to save money.”
He also said that collaborating on messaging to end-users of the clinical IT tools creates the “right processes and drives adoption.” He added: “A secure clinical initiative protects your patients; it provides for privacy, integrity and availability of the data and systems you need to provide care.”
Conversely, Levin said CMIOs can help CISOs “see around the corner,” and he added that “being involved in new initiatives and innovations from the beginning makes security work better. And, as CMIO, I can help the CISO improve their understanding of how healthcare works and how security is involved in the front line.”
And, he added, “I think, together as a team, our mutual credibility is higher when we are seen as collaborating and demonstrating a balance between appropriate security and appropriate data. It looks a lot less credible when we surprise each other and have diametrically opposed messages.”