Our hospital’s commitment to its mission of providing excellent care, close to home has always been our primary focus. Our technology investments have been strategically aligned with the types of care we want to deliver, the timeliness of care, and our desire to bring exceptional care to our community. Fifteen years ago our focus was to digitalize the paper process through the implementation and use of the Electronic Health Record (EHR). We used a best of bread strategy consisted of providing the clinical service lines with technology that had a developed track record and would seemingly best-serve their needs. Many times non-technologists were making these decisions based on slick presentations from sales representatives who promised their solution had most, if not all the answers to the clinical and operational problems and desires, including integration. In retrospect, , and now fifteen years later, we finally realize complete integration was essentially impossible and impractical – we should have looked at everything across the continuum of care. Yet, we can breathe easier knowing, for the most part, this was an industry wide problem and not just our own.
“Information Security is a macrocosm of the Information Technology world”
That realization now leads me to discuss information security, the derivative of the HIPAA and HITECH regulations invoked policy, and process. Now, the planning and investment of resources must evaluate and consider the management of clinical health information in the EHR, or any other digital media or on paper. The industry is no longer flippant about the subject because of the ransom note. CIO’s who gave information security tertiary priority and thought they had the correct protection through patient privacy monitoring, information access control, risk management, and authorized data disclosure are now re-evaluating their world. The problem lies in Information Security as a macrocosm of the information technology world. There are very few areas in the healthcare world where information security is void of assessment, so where do we start? Here are 8 considerations all CIO’s must engage in to ensure they’ve done everything possible to avoid the ransom note:
• Vulnerability Management - Stay current on the zero-day vulnerabilities. There are many outlets for that information (www.us-cert.gov or any of the major virus software vendors). A very large percentage of threats are exploiting vulnerabilities that have an existing antidote. The cost to your organization is dedicated resource time. The controls are typically in the hands of the Chief Technology Officers (CTO) and/or the Chief Information Security Officer (CISO); however, CIO’s now need to be in that loop.
• Access Control Review – You may think you have an ironclad process that’s awesome, but chances are there is room for improvement. Conduct a periodic (quarterly) review of your approved user population. To do this, you have to establish and maintain an approved user population. This will include employees from your human resources system, approved vendor and named users, community providers, volunteers etc. We struggle to manage our own employees who follow policy and use approved forms. We need to consider vendor and clinical partner employees. As they transition out of their organizations, are we capturing that information or are we at risk? Best practice would encourage you to use a tool like Visio and diagram the process and the control and evaluate how you are doing.
• Email Filtering – Managing your email filter and having redundant layers is essential. It’s estimated that more than 85 percent of all email is unsolicited junk mail (SPAM). The risk is so high that many are choosing to outsource the responsibility and/or adopting a cloud management model. There are pros and cons with this deferred risk model and these must be clearly understood.
• Move from Blacklisting Websites to White listing them – This will cause pain but in the end bear great fruit. In the past, we’ve only black listed problem sites after we learned they were a problem. We also used a content filtering appliance to manage it for us. I suggest using IT Governance to manage the responsibility for approving changes to a white list (a list of approved sites versus a list of blocked sites). Change the universe! Take an inventory of sites used to conduct business and flip the switch. We have to remain agile to make necessary changes on demand in the first several months. At the same time implement a process for submitting sites to the white list. It is an obvious fact that if your end users can’t get to an unwanted internet location, no damage can be done.
• Network Access Control – You need to monitor who has access to your network and what they are doing. Network traffic can now be monitored to deter threats. Unknown devices can be placed in a sandbox and evaluated for compromise potential. This is a technical area you cannot and should not avoid because of its complexities.
• End User Education – Create a program that teaches and re-enforces the risks and responsibilities all end-users have. Use email campaigns from the CIO. Staff is more apt to read and respect information from leadership that is specific to their everyday role. Speak in laymen’s terms while teaching and simplifying industry and technical terms.
• External Audits – First of all the word audit is a perpetual verb in information technology. It provides the guardrails for governance. It’s in your best interest to ensure they are conducted by competent, well informed resources. None of us want to get hacked, receive a ransom note or have a significant loss due to an unmanaged information security layer. The best way to stay on top of your program is through perpetual, internal and external audits. Never be afraid to expose flaws to an auditor; they will not only document the issue but provide you with remediation. Throughout this process budgets are established and justified.
• Personal Development – In the past, the CISO would rightfully spend time at information security conferences. Now it’s time for the CIO to attend as well. You don’t know what you don’t know. The CIO carries a great deal of responsibility and investing in personal growth is paramount.