CIO: Breaches Spurring Security Action
Sharp's Bill Spooner Analyzes Survey Results
Fear of bad publicity, and potential fines, stemming from breaches are leading healthcare organizations to increase their emphasis on improving their security profiles, says Bill Spooner, CIO at Sharp Healthcare, a seven-hospital system in California.
"Almost every week there is some kind of a reported breach around the country involving thousands of patient records being potentially compromised," Spooner notes in an interview about the Healthcare Information Security Today survey results (transcript below).
Improving regulatory compliance and security training - as well as detecting and preventing breaches - are top priorities for healthcare organizations this year, the survey confirms. Spooner says those issues are critical for healthcare organizations.
Another priority at Sharp HealthCare this year, Spooner says, is implementing "a more formalized governance, risk and compliance program."
The survey also shows that top security technology investments for 2013 include an audit tool or log management, a data loss prevention system and a mobile device management system.
"Like many organizations, we are implementing a mobile device management product that includes a security suite to help secure mobile devices in recognizing that we are seeing more and more requests to use iPads and other similar mobile devices on our system," Spooner says. "We really need to ensure that we're providing adequate protection around that."
In the interview, Spooner also discusses:
- Why winning support from senior executives for security investments can be difficult. "Unfortunately, I think the key to winning senior executive support is to have a breach or have your neighbor have a breach," he says. "There's nothing that gets your attention more than a bad experience."
- His surprise that less than half of survey respondents say their organizations have a documented information security strategy, which he sees as essential;
- Why updating a risk assessment annually is an important way to deal with emerging risks.
Spooner has been at Sharp HealthCare, a San Diego-based provider organization, for about 30 years, and he has served as CIO for more than 15 years. In 2009, he was the recipient of the John E. Gall Jr. CIO of the Year award from the College of Healthcare Information Management Executives and the Healthcare Information and Management Systems Society. He was chair of CHIME in 2006.
Top Security Priorities
MARIANNE MCGEE: Our survey shows that the top three information security priorities for the year are improving regulatory compliance efforts, improving security awareness and education, and preventing and detecting breaches. Why do you believe that these are the top security priorities for healthcare organizations, in general, and what are your security priorities at Sharp for this year?
BILL SPOONER: I think that the priorities are right in line with our thinking here at Sharp, and when you recognize that almost every week there's some kind of a reported breach around the country involving thousands of patient records being potentially compromised, the fines, punishment, plus the poor public relations, it's increasing the emphasis, rightfully so, on improving our security profiles. When you add on top of that the fact that the technology is changing all the time or we're getting different kinds of attacks that we need to protect against all the time, we have to continue to raise our game just in the same way that hackers are raising theirs.
On top of the three priorities that you mentioned that came out of the survey, one of our priorities additionally this year is implementing a more formalized governance, risk and compliance program. That's a series of processes to ensure that we're evaluating risks around new applications and new processes to ensure that we're looking at these things consistently and that we're thoughtfully assessing the risk of whatever we do in terms of our IT program and related processes so that we feel defensible and comfortable in terms of the level of risk that we're taking.
Along with that, we're putting in a computerized tool set to facilitate the analysis that we do to track the decisions that we make. That, along with the three priorities that you mentioned, are pretty important to us.
MCGEE: When we asked about security technology investments for the year ahead, the top responses were audit tool or log management, data loss prevention and mobile device management systems. Why do you believe organizations are investing in each of those technologies and can you tell us a little bit about the investments that Sharp plans this year?
SPOONER: I already talked about the investment in the GRC program, but in addition to that we're raising our game in a couple of areas. We're implementing a data scrambling tool for our non-production environments where we want to ensure that we're not using real patient data as we're testing applications. That will happen this year. Like many organizations, we're implementing a mobile device management product that includes a security suite to help secure mobile devices, recognizing that we're seeing more and more requests to use iPads and other similar mobile devices on our system. We really need to ensure that we're providing adequate protection around that. We're upgrading our wireless infrastructure to some extent to better segment the mobile device traffic out of the internal network. We're improving our logging system so that we're tracking activity on the system so that we can do effective analysis in terms of who's on the system and what they're looking at. Those are some of the key investments that we're making, some of the key priorities that we have this year.
We have a clinical auditing tool and we're looking at implementing a newer one that's a little bit more comprehensive than the product that we're using today.
MCGEE: The survey also shows that less than half of organizations have a documented information security strategy. Why don't more organizations have one, and what should be in that strategy?
SPOONER: I was a little bit surprised by the results that organizations actually have not documented their security strategy given that the HIPAA requirements have had security assessments, [the HITECH Act] meaningful use program has a security assessment, and the people that I talk with do have a pretty formalized security strategy. ... This isn't something that we look at as apart from everything else we do in the organization. It all folds into the overall strategic planning for the organization. But I really think that in order to ensure that you're effectively assessing the risks, you really have to identify your goals and include a security strategy.
As I look at our organization, we update a risk assessment organization-wide every couple of years; and that includes technology risks as well as business risks, and the security strategy fits right in with how we respond to our overall risk profile as we believe it to be. Absolutely I believe that should be a part of every organization.
Best Approach to Security Funding
MCGEE: When it comes to funding for information security, the most common approach is to ask for money to be allocated out of the overall IT budget as needed for security projects, according to the respondents. What do you see as the best approach to security funding, and how's that approach evolving at Sharp?
SPOONER: It's pretty natural that security budgeting be part of the overall IT budget because we have security ingrained in many aspects of our operations; for example, account management, which may be managed by the traditional technical assistants or help desk in terms of establishing role-based security as part of it. So they're a piece of your FTE budget that goes into managing the role-based security. The people who manage both our wired and wireless networks have a piece of the security profile and it's just part of their job.
In addition to that, we have a dedicated security staff that deals with it on an overall basis. They deal with the overall risk assessments and deal with some of the tools that we put in. It really is ingrained around the department.
But beyond worrying about specifically how much money we're spending on security, it's really the organization's perspective on security and how seriously we take it. I think that any organization could be spending half as much as another one, but be taking it seriously and communicating the message from senior leadership that it's important to us to protect the patients' information, to not let rogue devices on our network and to really ensure that the work that we do doesn't compromise our security.
To me, I believe that the leadership commitment is in many ways more important than the absolute amount of money that you're spending on it. For certain, you have to have tools to monitor, track and ensure that you're having good security, but I'm not sure that another X dollars makes your security that much better as compared to X commitment from leadership that it's important.
Difficulty in Winning Support
MCGEE: Despite all the publicity about major health information breaches, the survey shows that only a little over a third of organizations expect their budget for information security to grow this year. Of those that reported what percentage of their IT budget is devoted to information security, most reported only spending 3 percent or less. You touched upon this just a minute ago - about the support from senior executives. Why is winning support for investing in information security so difficult, and what's the key to winning senior executive support?
SPOONER: The reason that I believe it's difficult to win the support for investing in security is the balance between ease of use, employee productivity and patient care. To ask [someone] to use a larger password or to have to go through additional steps in terms of authenticating themselves on the system or to do other things that they would believe slows down their work in terms of taking care of patients meets resistance. Therefore, we have a political argument in terms of how much we're willing to respond to the caregiver's belief that you're getting in the way of patient care. Some of it's real; some of it is imagination. But you have to strike a reasonable balance. That's another area where the senior executives are using their political capital to make this stuff happen.
Unfortunately, the key to winning senior executive support is to have a breach or have your neighbor have a breach. There's nothing that gets your attention worse than a bad experience, and, unfortunately, we see those things happening around the country. Typically, the organization that has the breach finds themselves implementing more rigorous procedures, things that they probably should have had in the first place. It's unfortunate that has to happen. More recently, with the number of reported breaches that we're seeing in the news almost every week, it's not quite as difficult of an argument as it was five or 10 years ago because we realize that we're all vulnerable.
Is a CISO Essential?
MCGEE: About 30 percent of those that we surveyed said that their organization does not have a full-time chief information security officer or an equivalent role. Is such a position essential for organizations of a certain size? Does Sharp have a CISO?
SPOONER: We have a person who has that role. That's not his title. He's director of information security. It's a dedicated, full-time position and he has a staff of about five people supporting him. I'm not sure what size of an organization it takes to indicate that there really should be a specific FTE. I can imagine some organizations that are smaller might embed it in a function like internal audit or it might be embedded in someone else's job within IT. If you look at the breaches that are happening ... that certainly gets your awareness big time in terms of having a real security professional leading the program and helping to truly assess your risks and ensure that the organization is managing appropriately.
I would recommend at a smaller organization that felt that they couldn't justify a full-time security officer that perhaps they use some kind of a consulting agreement with a security firm to give them advice on an ongoing basis. I just don't think that you can, in today's environment, get along with no professional leadership around that area.
Updating Risk Assessments
MCGEE: HIPAA and HITECH both require risk assessments, but our survey shows that about a third of organizations have not conducted an assessment within the past year. Should assessments be conducted annually, and why is it important to make sure these assessments are kept up-to-date?
SPOONER: I would begin by saying that I hope that the third aren't people who have already attested to meaningful use [under the HITECH Act electronic health record incentive program] because risk assessment is part of Stage 1 meaningful use requirements and it will continue with Stage 2 and Stage 3. But I would expect that a security assessment should be conducted periodically, and it may be more rigorous one year than the next. But it certainly should be updated annually. There should be a plan in place to address the higher risk areas.
In my organization, we do a risk assessment internally within our information security department within IT. We also utilize an outside firm that's engaged by our organization's audit and compliance committee that takes a look at our risks and helps us balance the approach that we're taking. Whereas we don't go through and do a ground-up assessment every year, we update what we've seen in the prior year. We look at the results of the various audits that we've done during the course of the year and we identify where we need to make course corrections. I think that the environment is just too dynamic to believe that you wouldn't want to update it annually. It's probably the same thing as whether you need to get an annual physical or not. If your health condition is changing, you better be going to the doctor. In the same sense, as you recognize that new threats are coming to you in the security environment, you [should] be thinking about how you're responding to them. That really is the risk assessment process.
Revising Security Policies
MCGEE: Related to all of that, the survey shows that for those with an updated risk assessment, the most common action taken as a result of the analysis is revising and updating security policies, followed by implementing new security technologies. What kinds of updates in security policies are generally needed, and should technology acquisitions be primarily driven by the risk assessment results?
SPOONER: In our thinking, if we've devised a really well thought-out information security policy, it won't require a lot of revision. But then there are standards beneath it that will need to be adjusted as new things come on the market. For instance, if there's a new protocol for Wi-Fi, how do we embrace that? Earlier, we talked about mobile device management. The infusion of mobile devices into our environment required some new thinking around them, but, in general, that isn't changing our overall policy that says that we assess the risks of things that we've been bringing into the organization.
That leads to the second question: Should technology acquisitions be primarily driven? No. Technology assessments and acquisitions have to be balanced. At the same time, if a product is identified as not having adequate security built into it, it should be rejected for sure. It's just a question you can't say, primarily, any one feature like that is going to drive the selection. It has to be a balanced approach and that really leads to the thinking that, when you're shopping for any kind of a product, it's dangerous to get to one finalist too early because you may run into an issue that is unacceptable to any one of the stakeholders and you need to back off and look at product number two.
Clearly, if an organization - in our case software vendors - doesn't have adequate security profiles and we can't identify how they're building sound security into their system, it's probably not something we want to bring into our organization.
This has particularly been an issue lately as organizations are evaluating cloud-based offerings because we're putting, in many cases, our patient information outside of our own data centers. We're very concerned about how well-protected that data would be in whatever remote data center that this vendor is operating. We need to be ensured that the vendor has good security policies in place and the vendor is having its security audited in the same fashion that we would expect it to be done internally. I would think that those kinds of offerings would be the ones that would be at most risk for being rejected if they have not established a sound security profile in their cloud-based solution.