Cleveland Clinic Tackles HIPAA Omnibus
Information Security Director Discusses Plan
Creating a new risk assessment framework for breach notification is among the steps the Cleveland Clinic is taking to comply with the HIPAA Omnibus Rule, says Mark Dill, director of information security.
The academic medical center has formed a steering committee to tackle HIPAA Omnibus compliance. "You need to divide and conquer the rule and come back [as a group] to find out what your gaps are first and then prioritize those gaps," he explains.
"The goal for any compliance program is trying to be right-sized," Dill says in an interview with HealthcareInfoSecurity (transcript below). "You have to accept the fact that you really can't protect everything from every threat, but you have to take reasonable steps to mitigate the risks that you identify."
Cleveland Clinic is also focusing on making sure business associates are HIPAA compliant. "What can you do contractually to make sure that they raise the bar to be at least as secure as you are so that they don't become the weak link?" Dill asks.
In the interview, Dill also discusses:
- Other top priorities for the year ahead, including data loss prevention and "electronic data stewardship;"
- How to be in a "continuous risk assessment mode;"
- The recently completed development of a tier-three data center with redundant security controls. The organization moved thousands of systems to the new data center with zero down time. The experience was "like performing open heart surgery on a patient while running a marathon," he says.
Cleveland Clinic is a multi-specialty academic medical center with more than 3,000 physicians and scientists; it has more than 5 million patient visits annually.
Dill has worked in information security at the Cleveland Clinic for more than 20 years, including the last 13 as its director of information security. He has more than 25 years of IT and technical management experience, with a focus on implementing strategic and tactical security initiatives.
Top Security, Privacy Priorities
MCGEE: Tell us what your top security and privacy priorities are this year at the Cleveland Clinic.
DILL: The name of the strategy has remained the same for quite some time. It's 'defense in depth.' But what we've done is add to it business enablement. Innovation is one of the cornerstones of our organization. We're trying to find a way to not stifle innovation and keep things with a reasonable security profile.
These days it's all about understanding the enemy, whether they're external or internal, and what our high-value targets are, how we should protect them - and then adjusting our tactics to be safe. For us, it's beyond tools. It's about developing a culture of compliance. It's about maturing our program. It's about looking at risk, rather than in silos.
You've got information technology risk; you've got enterprise risk; and you've got litigation risk. We have implemented an enterprise risk management system that allows us to raise our top-level threats all the way to the board level if we have to so that we have a reasonable view of which threats are most important.
We're also in pretty much continuous risk assessment mode these days. We're looking at: What are the threats, what are the vulnerabilities? On the technical side, [we're] not losing sight of the basics. If you look at the root causes in healthcare, there appears to be systematic weaknesses, and so you really need to pay close attention to mobile devices, laptops - theft and loss - as well as back-up tapes. ... And once you're beyond the technology, it's still about paper. You have to pay attention to how your paper is disposed of.
MCGEE: With those priorities in mind, what are some of your top security and privacy projects this year at the Cleveland Clinic?
DILL: In the security space, two of the projects that are big on my radar screen this year are data loss prevention and electronic data stewardship. It's really a bundling of important processes, talent and tools. We're looking at protection against advanced persistent threats. That's ultra-silent spyware that only has one purpose - and that's to steal your data. What are the tools we can put in place to protect against that? [For] data loss prevention, it's all about enforcing your appropriate use of rules and protecting your intellectual property, trade secrets and things like that. Make sure that you understand how the data is being used at rest, in transit and on end-points as well. We're looking at raising the bar on proactive privacy monitoring - being able to tell in real time when appropriate use rules may not be being adhered to, as well as fraud detection. The good news is that you know 99 percent of workers are not committing fraud. The bad news is 1 percent are and you need to catch them in the cycle before it costs your organization millions.
We also built a Tier 3 data center, and I understand it's one of maybe six or seven in the entire country. Tier 3 as opposed to Tier 2 implies that all of your controls are redundant. We spent the majority of last year moving thousands of systems out of our old data center into a new data center. As my boss has described, it's kind of like performing open-heart surgery on a patient while they're running a marathon because we did all that with zero downtime.
I'd say we're in a heavily regulated business, perhaps not as much as banking, but if you look at HIPAA and HITECH, meaningful use, the HIPAA Omnibus Rule, Payment Card Industry [standard compliance] and the Joint Commission [accreditation requirements], the list of regulations seems endless. We're not required to be compliant with SOX [Sarbanes-Oxley Act] because we're not-for-profit, but we do have an internal control effectiveness program to make sure that the accuracy of our financials and the controls are where they need to be for that as well.
Even in IT disaster recovery, we can replicate our data from the EMR in real-time out to a hot site, but we also have a private cage at our hot site, and we've made investments to keep most of our critical infrastructure spinning warm so that we could [quickly] restore should there be a disaster.
On the privacy side, some of their top projects are re-evaluating the risk assessment process to now account for what constitutes a breach and getting away from the harm threshold, something far more objective [to comply with HIPAA Omnibus]. Last year, I rewrote all of the information security policies. We're implementing them now, and the privacy office will have to do the same. It's a lot about training for them - communication, privacy compliance, awareness obviously, and revising the notice of privacy practices - revising them, hosting them, communicating them and distributing them as well.
HIPAA Omnibus Compliance
MCGEE: You mentioned regulatory compliance. What steps are you taking right now with HIPAA Omnibus compliance?
DILL: There are some general steps and some specific steps. In general, the goal for any compliance program is trying to be right-sized. You have to accept the fact that you really can't protect everything from every threat, but you have to take reasonable steps to mitigate the risks that you identify. To do that, we use internal resources for gap and risk analysis, and we also look to external third-parties to help us out with that. We don't use checklists, but we perform real analysis. We're trying to be defensible.
[It's important to] develop a book of evidence to gather all your artifacts so that you could be ready to present that if asked by the Department of Health and Human Services. Being mindful of the due-care and due-diligence principle, that's the value of using qualified third parties. They can also help you assess where you are in contrast to your peers so that you understand what your level of maturity should be for selecting the right process, improvements, tools and the talents that are appropriate for us. Our threats and risks are different than another healthcare organization. That, combined with strong governance, makes a big difference.
Specifically, in order to adapt to the rule, you have to read it. It implies collaboration between the law department, compliance, security and privacy, fundraising, IT marketing and research. You need a steering committee. You need a task force. You need to divide and conquer the rule and come back to find out what your gaps are first and then prioritize what some of those gaps are. Some are going to take a little longer to address, and frankly there's just not a lot of time to be compliant.
[When it comes to] updating policies, certainly every time you do that you're going to have to change your awareness program, pull out those finer points and make sure your entire workforce understands. We think sometimes that the new hires become the weakest link, especially if they're coming in from outside of healthcare. They don't know a lot about the regulations that govern us. We want to make sure that they have full training and awareness before they start their roles. That's important.
Also [important is] continual IT and compliance risk assessments with documentation, documentation, documentation. We're trying to create a risk assessment framework for the breach notification, really dealing with the removal of the harm threshold and into more objective criteria. [For] incident response plans, document, document, document. It's about making sure everybody is aware of the notification timelines too.
Then, dealing with our business associates, the information security team must work with the law department to first understand what the risk profile of the business associate is, and what can you do contractually to make sure that they raise the bar to be at least as secure as you are so that they don't become the weak link.
Biggest HIPAA Challenges
MCGEE: What would you say will be the biggest challenge of HIPAA Omnibus compliance?
DILL: I think being in continual readiness with that compliance, the culture of compliance we talked about. Paper records are still a big challenge and a root cause of a lot of breaches. Security guys talk a lot about digital security, but paper can't be forgotten.
On the privacy side, it's dealing with the updates to notices of privacy practices, revisions of the policies and the procedures, and then delivering those notices. Review, revise, implement and train.
We're developing internal standards for documenting the probability of a compromise and response to all reported incidents. From the privacy side, they work with me to be ready for any sort of OCR or HHS audit that might occur.
MCGEE: As an information security leader, what are your biggest security and privacy challenges, or the biggest challenges of the job, right now?
DILL: I think that we're at a nexus of forces. There are a couple of drivers in the marketplace. Cloud - anything to do with cloud, a shared services model - there are some opportunities for savings [but] it comes with additional risk. Mobile devices are going to challenge any organization, particularly the BYOD programs. You have to find a way to apply the reasonable security standard there for personally owned assets.
Social media - there are great uses for it. You have to go into that with a plan, but the privacy office has concerns about how it's being used. People can all-too-easily post pictures and content that may not be appropriate to their own Facebook page, and now we have a patient or somebody who didn't authorize their picture to be taken in the background, so those are some concerns.