Michael Mucha: Risk Management at Stanford
Widespread implementation of encryption is a top priority at Stanford Hospital and Clinics, thanks, in large part, to the "safe harbor" in the HITECH breach notification rule, says Michael Mucha, information security officer.

Organizations that use the proper form of encryption don't have to report data breaches under the HITECH Act. Mucha says this safe harbor instantly created an obvious return on investment for encryption.

In an in-depth interview, Mucha discusses Stanford's risk management projects, including:

  • Using data loss protection, or DLP, as an extension of encryption;
  • Implementing an event correlation system that aggregates logs and uses business rules to monitor who is accessing information and detect potential internal breaches; and
  • Updating role-based access to systems.

Palo Alto, Calif.-based Stanford Hospital and Clinics, part of Stanford University Medical Center, recently received a Stage 7 award from HIMSS Analytics. It's one of only a handful of organizations to receive the award in recognition of its advanced implementation of electronic health records and related clinical information systems.

Mucha works with a team of about 30 security and privacy specialists to ensure the information in these systems remains secure.

HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Michael Mucha, information security officer at Stanford Hospital and Clinics. The organization recently received national recognition for its advanced use of clinical information systems. Thanks so much for talking with us today Mike.

MICHAEL MUCHA: Hello. Good morning.

ANDERSON: Stanford Hospital and Clinics recently won recognition from HIMSS Analytics for achieving Stage 7, the most advanced rating for implementation of electronic health records and related clinical systems. Only a handful of organizations have achieved that honor. Please tell us a little bit about the diverse clinical information that physicians and nurses can now access online.

MUCHA: Well the core clinical information is all available online through the Epic EMR system, which includes inpatient records, outpatient, scheduling and billing. We also have integrated some of our other clinical systems such as GE PACS. Radiology images are available through the same EMR interface with Epic, and we are going through integrating a variety of other systems, with our core EMR system being the hub of all of the clinical information.

ANDERSON: And can clinicians access those systems remotely as well as while they are on campus?

MUCHA: Yes. So remote access is a big part of our infrastructure strategy....A lot of our physicians go to conferences, take sabbaticals, take time off, take six months off to work in another academic medical center, for instance, so there is that modern workforce aspect of using the Internet through our clinical portal.

We also have a referring physician portal, which is for our community physicians who aren't Stanford physicians per se but are referring patients to us, and they have a specific portal just for that purpose. And then there is also our patient portal to view your own records.

ANDERSON: I suspect that all of that raises a long list of security issues. What risks did you identify as you were ramping up to Stage 7 level automation? How are you going about addressing those risks?

MUCHA: Well there are two parts to it. One is the obvious benefit of moving things to electronic databases and having all of the feeds of accesses. But then there are opportunities for people who don't have the best intentions to access more records, to run queries, to do malicious things remotely, the kinds of things that you didn't have in a paper-based world.

So you have that double-edged sword, but then you also have to bring the tools that come with an electronic world. We are bringing in an event correlation system where we are aggregating the logs from all of these different clinical and infrastructure systems and then applying business rules on top of that to monitor for if you see someone hunt through 100 records in 300 seconds. There is one of two things that can generally be. It is either someone on a phishing expedition to look to violate people's privacy for a variety of reasons or they can also be a quality check where someone is going through and checking one thing in a bunch of records at a specific time. So we have rules that will look for those things and then sift them depending on what department you are in, which log rule you are using, and applying a new set of tools.

With remote access, and the need to provide service over the Internet in the modern world, I think that is moving healthcare closer to a problem that the financial world has had for a number of years where they were being exposed to the Internet, which caused a lot of problems. You had organized crime and groups all over the world looking to take advantage of or to exploit your online access to try to steal things. In our case it would be patient data, and we would also have a good amount of credit card information.

So I think healthcare is moving in that direction where we are going to have the same sort of risks as the financial world, but I am not sure we have all realized that just yet. I've been watching my peers in the financial world and how much trouble they have had, the kinds of issues like authentication and how do you know that a person is the person they claim to be when they are coming from somewhere out on the Internet.

ANDERSON: So how big a staff do you have devoted to information security now and how much has it grown as a result of all of this automation in recent years?

MUCHA: We have about 30 people; 25 of those are specifically on the information security team and another half a dozen or so who are specifically focused on privacy and the privacy of the electronic medical records.

And so you can kind of break that down into people who you have in the security bucket, who deal with things like your enterprise access management and access control, and the people that run the RSA servers if you are using two-factor authentication and things like that, the people who run your firewalls. And then you have some people who are specifically focused on the challenges of our clinical information system and the privacy challenges there, looking at audit reports and looking for people who have been red flagged.

ANDERSON: As you have adopted more clinical information systems and achieved Stage 7 recognition, what have been some of the top priority data security projects that went along with that? For example, are you making wider use of encryption now?

MUCHA: So I mentioned the event correlation system, which has been a big project. With HIPAA and now with the HITECH Act, there is a general need to take a look at your role-based access and see if it complies with the rules. The culture of healthcare that has been in force was to grant house-wide access, whereas the laws are moving more toward granular access. So there is a large project where we looked through all of our role-based access and reviewing both at a privacy level and a business level.

We have broadened our use of encryption and we intend to broaden it as widely as possible, in light of the safe harbor provisions of HITECH and just generally good security operating practice when you have so many mobile devices and the desktop form factors are getting much smaller.

And there is so much data mobility; to expand your encryption footprint as much as possible really can save you a lot because you are going to lose laptops. You are going to lose mobile phones, whether through theft or just misplacement. And documents are occasionally going to get misrouted and things are going to get faxed to the wrong places and all of these sorts of problems that you have with mobile data and mobile devices.

So if you can expand your encryption footprint as widely as possible, a lot of those incidents that could be a crisis for both yourself and for your customer can become a much more routine affair.

ANDERSON: So what is the status of your encryption efforts now? Have you encrypted virtually all of your mobile devices and are you using secure email? And what about encryption of data at rest on the servers?

MUCHA: So all of our laptops are encrypted now. When they roll out the door and are sent to somebody they are encrypted out of the box, and our desktops are also.

Mobile phones are more challenging. It is clearly our policy that they need to be encrypted, but there is so much change in the mobile device space that one vendor's encryption is not up to the same standards as this other vendor's encryption. We are still fighting that a little bit because on the laptop side, it is just easier to pick a product and roll it all out. But there is more diversity on the mobile phone side.

So we are more in an audit mode now to see how it all works because it is has been more challenging on the mobile side because of all of the change in the mobile world.

Secure e-mail you mentioned, yes we are doing that. We have had a product in place for about two years and gone through a couple of different vendors. But really our main drive for using secure e-mail is the relationship between the provider and the patient, and that actually comes as part of our EMR. There is e-mail functionality built into the EMR that integrates with Microsoft Exchange and that is basically our core secure e-mail system. But we have a standalone secure e-mail product for all of the other instances of e-mailing that don't involve the patient and clinician.

Then we are also looking at a lot of other things like some document encryption. We are experimenting working with some partners on that and we haven't rolled it out enterprisewide.

We basically like to encrypt every platform. It is a good idea generally, but then when you look at the HITECH safe harbor it kind of gives you this clear ROI. It is pretty unusual in security to have such a clear ROI, where you are just driven to encrypt as much as possible. So we have a formal project where we are looking at all of our platforms and trying to encrypt all of them. I don't think we will end up encrypting all of them--some for feasibility, some for lack of tools, but that is our driver: to encrypt as much as possible.

And we are looking at other messaging avenues to see if there are ways to apply encryption to those. I don't think we will be able to encrypt everything but we are going to address everything and say, "Yes we have encrypted this, yes in this area the tool set will be available in two to three years and we will look at it then, and then this area over here it is just not feasible to encrypt right now and we understand that and we will move on."

And then we will take that roadmap and give that to compliance and when there is an incident, they can say "Okay, this is one of those devices we know is encrypted versus one of this category where we know it's not encrypted."

ANDERSON: So when it comes to data at rest, is that one of the areas you are studying now on whether to apply encryption or just rely on physical security?

MUCHA: I think the models are there from the vendors but we are in the process of validating if this could really work and not cause more problems in itself....We encrypt in some database and in other ones we find it more problematic from either the performance or they don't provide the toolset, depending on the database....The key thing about data at rest is if the data is not really mobile there are lots of ways to secure it at rest, including the platform encryption. If it is mobile data, then you have got a much more serious problem for data at rest and the tools are not as mature.

ANDERSON: So what is next on your "to do" list in terms of security, privacy and risk management for this year?

MUCHA: Data loss protection or DLP. We are really viewing that as an extension of the encryption project. But marketwise it is a different sort of animal and you can get a lot of different vendors and a lot of different techniques and the ROI is not as clear because the definition of DLP changes depending on which vendor you talk to and what they are selling.

So we are really spending the year trying to get our arms around DLP as a way to extend the encryption project to cover as much as possible. We need to get past the platform encryption and go into these other areas, like something that can look at your data on mobile devices or look at the data that travels across the wire and make some decisions about whether this looks like protected health information or does this look like sensitive documents, does this look like a credit card or a Social Security number. That is a big one for us.

Really the event correlation and the platform and encryption, those things are such big projects they are going to take quite a long time to roll out. So we have significant wins in there and things that are done, but we will be working on that for a long time to come.

ANDERSON: Finally, what advice about information security would you give to other organizations, especially those that are moving gradually toward achieving Stage 7 status for clinical automation?

MUCHA: Besides the obvious about compliance being much more serious now between HIPAA and HITECH, and how the U.S. regulatory environment has changed to be more inline with some places like Europe, ...there is a lot of worry about things that can go wrong with moving to electronic systems.

A lot of the issues of sharing data and role-based access and those sorts of things are already buried in the business processes of your organization. And you have got to tease those out before you get too worried about whether you are really confronting something new.

ANDERSON: Well thanks very much Mike. We have been talking with Mike Mucha of Stanford Hospitals and Clinics. This is Howard Anderson of Information Security Media Group.

Around the Network