This is the first post in my new blog series Executive Insights; Healthcare Leadership. In the series, I will share insights and lessons learned from conversations with Healthcare Information Technology (HIT) executives from across the country. While the topics will vary, they will all be focused on the initiatives and challenges that are top-of-mind in the industry.
In this post I reflect on a security discussion I had with Christopher Baldwin, CIO, Charlotte Hungerford Hospital, in Torrington CT.
Security has been a specialty for Mr. Baldwin for the last few years. He has concentrated on security both in his role as CIO and also in a private practice, CSB IT Solutions, LLC that assists other Healthcare organizations as they inspect and audit their own security strategies.
Healthcare CEOs are seeing the reports on breaches within and outside the healthcare industry and are asking, “Could this happen to us?”
The answer is YES! Patient-specific data stored in electronic health record systems is becoming extremely valuable on the open market, which makes healthcare entities an attractive target for hackers. The patient data stored by hospitals and insurances companies contains rich stores of information that can be easily monetized.
While patient data is a priority concern for the healthcare industry, other personally identifiable information (PII) and payment card information (PCI) is also stored in human resources and billing systems. These risks are commonplace in other industries and flow through to healthcare organizational environments.
During our discussion, three key points emerged that influence the overall development of a security program.
First, can influence and practices from other industries can be leveraged to drive security improvements in healthcare?
Chris Baldwin noted, “Security in healthcare is beginning to get traction, but emphasis still trails significantly behind other industries such the banking and credit card industries. The healthcare vertical can learn a lot from these and other industries. Many healthcare organizations have not truly established information security programs that receive the necessary funds to address today’s security threats and vulnerabilities.”
Then I asked him about HIPAA: “Is it enough? Does it help you protect your organization?”
“The HIPAA Security Rule specifically covers the confidentiality, integrity and availability of healthcare information that is uniquely identifiable to a patient, known as protected health information or PHI. The underlying requirements are based upon the security standards developed by the National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA). Of course cyber security is much broader than just PHI but HIPAA offers a solid roadmap or framework for development of a complete security program.”
My follow up question was, “What are the most important foundational elements of a security program?”
“Any good security program starts with three pillars,” Mr. Baldwin replied.
- Administrative safeguards (Policy, education, review, audit)
- Physical safeguards (Device, workspace, facility)
- Technical safeguards (Encryption, data in motion/at rest, disaster recovery, etc.)
While the standards are the same for all organizations, each organization should with a thorough risk assessment, which includes identifying prevailing security threats and vulnerabilities that are the most likely to occur and would have the greatest impact. This allows for a rational approach to setting improvement priorities.
Our discussion continued. Below, I’ve provided a few more key insights Mr. Baldwin provided in our discussion:
A dedicated CISO is key for a successful program strategy.
Although your organization’s IT division will be responsible for implementing some of the technical security infrastructure, having the engineering team be responsible for the program can cause a conflict of interest since they are driven more toward operations and program development. What’s more, it adds complexity to an already resource-strained group.
The Security team should consist of staff that are completely focused on program design, policy adherence, auditing and reporting of system data.
This not only separates duties, but also grants clear transparency to the program.
The CISO should report into the CEO/board/risk or compliance, rather than to the CIO.
CIOs are measured by projects, timelines, and budget. This may directly conflict with security initiatives and/or their priority within the CIO’s scope of responsibility. The CISO needs to be continually assessing cyber security risk and improving the safeguards to reduce risk.
Citrix plays a key role in a healthcare security program.
“Everyone in healthcare uses Citrix,” Mr. Baldwin offered. “It has strategic and tactical qualities healthcare entities need.”
The Citrix portfolio allows an organization to be nimble as well as to develop standardization around its technical initiatives. “Whether it is business continuity, remote access, or application presentation, Citrix solutions offer a secure method of service delivery,” Mr. Baldwin notes. “Encryption has become a fundamental requirement under HIPAA and is one of the few regulatory safe harbors under HIPAA if there is a potential breach of PHI. And of course encryption is part of the DNA of Citrix.”
EMR implementations have shed light on just how complex healthcare IT really is – in terms of technology, data protection and availability.
Although organizations have offline/downtime processes in place for planned or unplanned outages – productivity, patient safety, and patient care are impacted during such episodes. Healthcare organizations need a robust solution portfolio to handle anything that may impact the day-to-day or disaster recovery operations of their most critical systems. Citrix fits well into that requirement.
While mergers and acquisitions (M&As) and TeleHealth initiatives promote increased patient care benefits and the broad sharing of patient data, they also add to security concerns. As the digital paths into organizations become more diversified, so does the complexity involved in delivering secure information access to both patients and providers.
We’ll leave those subjects for another post, though. Thanks, Chris Baldwin, for our conversation!
Follow Citrix Solutions for Healthcare on Twitter.
Follow Christian Boucher (that’s me!) on Twitter.
*If you are in the healthcare industry, we invite you to begin a dialogue with us. You can share your thoughts on the topics in this blog or any other healthcare IT issue with a Citrix researcher by clicking here.