CIO Halamka on Security Lessons Learned: Outlines Key Steps Beth Israel Deaconess Has Taken
Breaches and other security emergencies can be strong catalysts for change, says CIO John Halamka of Beth Israel Deaconess Medical Center in Boston. The organization has made a number of moves to beef up data security and privacy in the wake of several incidents.
Two of the catalysts for change were the 2012 theft of an unencrypted laptop containing data about thousands of patients, and the aftermath of the Boston Marathon bombing in April 2013, Halamka explained in a Sept. 8 presentation at the Healthcare Information and Management Systems Society's privacy and security conference in Boston.
Although security cameras helped law enforcement in identifying and arresting the thief who stole the laptop computer from the office of a physician who had just purchased the computer, the device was never retrieved, resulting in a costly investigation by forensic experts and regulators. The device contained information on 3,900 patients. "$600,000 later and two years of attorney general and Office for Civil Rights activity, we're close to signing a settlement," Halamka says.
As a result of the incident, the medical center has strictly tightened up its policies for encryption of all corporate devices as well as personally owned devices used for work purposes. Staff members now must attest to their personal devices being encrypted before they can be used for work purposes.
In the aftermath of the Boston Marathon bombing, Beth Israel Deaconess not only provided care to about two dozen victims, but also to the two bombers. As a result, the medical center faced increased scrutiny of government regulators and law enforcement to protect those patients' privacy.
The provider organization put red banner reminders on its systems to remind staff that they faced possible termination for violating the privacy of marathon patients. The medical center scrutinized the records access audit trail and questioned any individual suspected of privacy violations. "Because of the aggressive approach there was no inappropriate access," he says.
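As an added illustration of the kind of audit-trail review described above (example code written for this page, not BIDMC's own tooling), the script below parses constructed EHR access-log lines and flags any access to a watch-listed patient's record by a user who is not on that patient's care team. The log format, the watch list and the care-team table are all assumptions made for the demonstration.

```python
"""
Added example, not from the article or from Beth Israel Deaconess:
review an access audit trail for records placed under heightened
monitoring and flag accesses by users outside the documented care team.
"""
from collections import namedtuple

# Constructed sample log lines. Assumed format:
#   timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2013-04-16T08:02:11|dr_smith|attending|P1001|VIEW_CHART
2013-04-16T08:05:40|rn_jones|nurse|P1001|VIEW_CHART
2013-04-16T09:12:03|clerk_lee|billing|P1001|VIEW_CHART
2013-04-16T09:13:55|clerk_lee|billing|P2002|VIEW_CHART
2013-04-16T10:30:00|dr_patel|resident|P1002|VIEW_NOTES
2013-04-16T11:00:00|it_admin|sysadmin|P1002|PRINT
malformed line without enough fields
"""

# Constructed: patient records under heightened monitoring, and the
# users documented as their care team (assumed data, not real identifiers).
WATCH_LIST = {"P1001", "P1002"}
CARE_TEAM = {
    "P1001": {"dr_smith", "rn_jones"},
    "P1002": {"dr_patel"},
}

Access = namedtuple("Access", "ts user role patient action")


def parse_log(text):
    """Parse pipe-delimited audit lines; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # a truncated or corrupted line should not abort the review
        records.append(Access(*parts))
    return records


def flag_suspicious(records, watch_list=WATCH_LIST, care_team=CARE_TEAM):
    """Return accesses to watch-listed patients by users outside the care team.

    Accesses to patients not on the watch list are left alone here; a fuller
    review would apply role-based rules to those as well.
    """
    flagged = []
    for r in records:
        if r.patient in watch_list and r.user not in care_team.get(r.patient, set()):
            flagged.append(r)
    return flagged


def review(text=SAMPLE_LOG):
    """Parse then flag; returns (user, patient, action) tuples for follow-up."""
    return [(r.user, r.patient, r.action) for r in flag_suspicious(parse_log(text))]


if __name__ == "__main__":
    for user, patient, action in review():
        print(f"follow up: {user} accessed {patient} ({action})")
```

On the constructed log this flags the billing clerk's view of P1001 and the sysadmin's print of P1002, while the care-team accesses and the clerk's access to an unmonitored patient pass. The output is a list for a human to question, as the article describes, not an automatic sanction: covering clinicians, consults and emergency "break-the-glass" access will show up here and need to be reconciled against a documented reason.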
The experience with the disaster later prompted the medical center's board to order a third-party audit to see how the organization stacked up in regards to information security compared with the Department of Defense, banks, and e-commerce retailers, Halamka says.
The audit found that "we were as robust as other healthcare institutions in America," which isn't exactly a compliment, Halamka acknowledges.
As a result of the audit, the organization is implementing a number of changes. That includes a change in how the organization handles its internal risk management. "We didn't have a formal risk management [framework], which made it hard to compare from year to year," he says. Since then the organization has implemented the NIST 800-66 framework, he says.
Other changes include revamping ID management to regularly review users' roles to determine appropriate authorization to access data and applications. User awareness training now includes testing employees by sending phony phishing e-mails to see who clicks - and providing extra education to those who do.
In the aftermath of the laptop theft, the medical center beefed up physical security, with guards on duty at all facilities after hours.
Beth Israel Deaconess is also bumping up its information security staff by adding 14 full-time employees over two years, says Halamka, who in addition to his role as CIO is the medical center's acting CISO. "Security takes 50 percent of my time," he says.
Former Beth Israel Deaconess CISO Mark Olson left the medical center about a year ago to take on the CISO post at records management vendor Iron Mountain.
In another step to bolster security, Beth Israel Deaconess is being selective in its use of cloud-based services.
For example, it's blocking user access to Dropbox because the vendor will not sign a business associate agreement, which is a requirement under HIPAA. Users now have a choice of two cloud services for file storage and sharing - an internal cloud storage system or a third-party service with an unnamed vendor that has agreed to sign a business associate agreement, Halamka says.
Network access controls have also been beefed up to deny access to devices that are not recognized, and biometric thumbprint authentication will be phased in for internal users to comply with regulations of the Drug Enforcement Agency. To prevent unsecured patient records from being e-mailed by physicians and other clinicians, clinical documents are automatically transmitted using the Direct secure messaging protocol.
"Doctors don't like fractured workflow ... so we tell them how we're automatically [securing documents] on their behalf," he says.
Dan Berger, CEO of security firm Redspin, says Halamka's willingness to discuss his information security mishaps and lessons learned in a public venue is helpful to other healthcare entities.
"When you hear about these lessons from a leader like BIDMC, it shows that breaches are inevitable even in the best organizations with visionary, proactive CIOs. It's not about compliance, but managing risk," Berger says.