Case Study: Focus on Risk, Not Compliance
Adventist's 37 hospitals look at the big picture
"A risk management approach allows hospitals to highly focus the resources they have available to the most critical areas," she stresses. "If you look at security purely from a compliance-based approach, you may be missing a huge area of technical or administrative risk within your environment."
In carrying out Adventist's risk-based approach, Finney has learned several lessons, including:
- Risk assessments must be conducted for each environment, including hospitals, clinics and data centers, because each faces different threats.
- Data loss prevention, or DLP, is growing in importance as providers share more data with more organizations.
- Encryption is essential for mobile devices and e-mail. Adventist is investigating whether to encrypt all workstations and databases.
- When it comes to two-factor authentication, physicians and nurses want to be able to choose from several options.
She urges hospitals scrambling to comply with the HITECH Act's security provisions or to qualify for federal electronic health records incentives to keep the big picture of risk assessment in mind, rather than homing in solely on compliance.
Finney, who joined Winter Park, Fla.-based Adventist two years ago, is shifting from annual to biennial in-depth risk assessments. That way, each hospital can complete administrative and technical risk assessments, conduct vulnerability scans and set goals one year and then carefully measure progress toward those goals the next year.
"The process of getting policy changes and technologies rolled out is time-consuming and must be done in a very methodical manner," Finney says. "So doing a full-blown risk assessment annually was just not providing maximum value for us."
In assessing risk, it's important to conduct studies for every business unit, based on its specific functions, she says. "What is a risk at a physician office may not be a risk at a data center," she points out.
The risk-based approach "is based on how they actually use the data, how they function as a business unit, and what their workflows are," she adds. That yields a much more effective strategy than if the focus was on an "arbitrary standard applied to all" and focused more on regulatory compliance, she contends.
Finney offers the example of compliance with the HITECH Act's breach notification rule, which requires hospitals and physicians to notify federal regulators of major breaches. By conducting a risk assessment, which led, for example, to encrypting data on laptops, "that helped us to be well-positioned to prohibit us from having to notify regulators of a breach," she says.
In addition, Adventist conducts audits to make sure its encryption policies are actually carried out.
Adventist also has implemented a formalized process for assessing any breach that may occur, from both a technology and an administrative perspective, to help determine the steps to take to avoid similar incidents.
Adventist hired Cynergistek, Austin, Texas, to help conduct some targeted risk assessments for certain units, augmenting Finney's staff. Cynergistek also helped Adventist implement data loss prevention technology.
The role of DLP
Based on its risk assessments, Adventist is making broad use of DLP from Code Green Networks, Sunnyvale, Calif., to help keep its e-mail secure. The DLP software monitors all network packets for e-mails being transmitted outside the organization to determine whether they contain sensitive patient health information.
For example, if an e-mail containing patient information reaches the network perimeter, the DLP system automatically sends it to a secure e-mail system instead, notifying the recipient that they have a secure message waiting at a portal.
The DLP system also can identify viruses and stop outgoing traffic until the issue is resolved.
In addition to using DLP to automatically trigger secure e-mail, Adventist staff members can initiate a secure, encrypted e-mail by simply clicking the "mark secure" button within Microsoft Outlook to select the secure e-mail option.
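To make the perimeter check described above concrete, here is a simplified outbound-mail policy engine added for illustration; it is not Adventist's or Code Green's code, and the internal domain, the PHI indicator patterns and the sample message are constructed assumptions. It decides whether a message stays on the normal path or is diverted to a secure-portal delivery because it leaves the organization and carries patient identifiers.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed assumptions: the organization's own mail domain and a small set of
# PHI indicator patterns. A production DLP policy would use the organization's
# real identifier formats and dictionaries; these are illustrative only.
INTERNAL_DOMAINS = {"example-health.org"}
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

def external_recipients(msg: Message) -> list[str]:
    """Return every To/Cc address whose domain is not one of ours."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def phi_indicators(msg: Message) -> dict[str, int]:
    """Count PHI indicator matches across the subject and all text/plain parts."""
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode(errors="replace")
    counts = {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items()}
    return {k: v for k, v in counts.items() if v}

def perimeter_decision(raw: str) -> tuple[str, list[str], dict[str, int]]:
    """'deliver' if the mail stays internal or carries no PHI indicators; otherwise
    'route_to_secure_portal', the point at which a DLP system would hand the message
    to the secure e-mail service and notify the recipient a message is waiting."""
    msg = message_from_string(raw)
    ext = external_recipients(msg)
    hits = phi_indicators(msg)
    action = "route_to_secure_portal" if ext and hits else "deliver"
    return action, ext, hits

# Constructed sample: a referral leaving the organization with an MRN and a DOB.
SAMPLE = """From: nurse@example-health.org
To: Referral Desk <intake@other-clinic.example>
Subject: Referral for patient
Content-Type: text/plain

Please see the attached summary. MRN: 00482913, DOB: 04/12/1961.
"""

if __name__ == "__main__":
    print(perimeter_decision(SAMPLE))
```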
The organization encrypts data on all mobile devices, such as laptops, that store patient information, as well as thumb drives. It also encrypts data on certain PCs that store substantial quantities of patient information. "We will be reviewing whether to encrypt all workstations," Finney says.
Adventist has not yet applied encryption to the databases at its three centralized data centers because of concerns about slowing the performance of the more than 1,000 applications each data center supports, Finney explains. But it's continuing to work with database vendors to examine encryption options it eventually might adopt. Adventist, however, already applies hardware encryption to its storage area network, or SAN.
Clinicians working at Adventist's hospitals do not yet use two-factor authentication when accessing clinical systems. "We are considering it as part of our single sign-on strategy and looking into the options," Finney says. A key concern, she says, is enhancing security while continuing to offer rapid access to systems.
For physicians who access systems remotely, primarily through a portal, Adventist is using a variety of two-factor authentication methods, including phone-factor authentication, which uses smart phones to offer ever-changing security codes, and hardware tokens on key fobs, which display codes on demand. "We have found that physicians want options," Finney says.