The Evolving Role of One CISO
Today, Paidhrin is more involved in policy development. He's also pushing to improve awareness of the policies in every sector of the hospital. "A policy does no good if it sits in a folder and no one reads it," he says. And he now advises area physician group practices on data security issues.
In an interview, Paidhrin, who serves as the equivalent of a chief information security officer, singles out his top three priorities for 2010: strengthening data loss prevention, aligning IT goals more closely with organizational goals through IT service management, and building a centralized knowledge management resource.
He also describes his hospital's annual risk analysis process, which is supplemented by a consultant's audit every three years "to make sure we're not deceiving ourselves."
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Washington. Thank you for joining us today, Christopher.
CHRISTOPHER PAIDHRIN: My pleasure.
ANDERSON: Please tell us a little bit about your hospital size and mission and the area that it serves.
PAIDHRIN: Southwest Washington Medical Center, despite its name, is in the northwest of the U.S. We are a 400-plus-bed regional hospital with specialties in cancer care and a number of other specialties that we have received recognition for. We have been a six-time recipient of the Solucient Top 100 Hospitals Award, and that puts us in the top 1 percent for our size. And we have been around over 150 years.
ANDERSON: And how long have you been in your current role of security compliance officer?
PAIDHRIN: I have had the pleasure of working at Southwest for 10 years. I was originally brought in as a consultant to redesign the perimeter and the firewall, and one thing led to another and I have been happy here ever since.
ANDERSON: So are you the equivalent of a chief information security officer then?
PAIDHRIN: Yes, I would say the role is the same as a CISO. I serve on several committees to promote and oversee all things IT security and compliance. And while I am a single-person security office, I do have a broad information security support team, but they all have other primary duties. I have on-demand technical network, systems and applications support. I have great support from my CIO and the executive team, and we have got two key councils. One is the Information Security Council, where I am a co-chair, and (the other is) our Continuous Regulatory Compliance Committee, which addresses, of course, all of the regulations that apply to healthcare. So we have quite a focus upon security and compliance here.
ANDERSON: Well it sure sounds like it given that you have been in the role 10 years. That is pretty early in the game for a hospital to have a full-time security person, so you must have been one of the first in that role.
PAIDHRIN: I was certainly here. We have had security roles before but it was evident with the introduction of HIPAA and state regulations and the requirements for policies and procedures that we (needed to) have someone take a higher posture, as well as for the community. The community has been...looking to Southwest for leadership and information and expertise in all things compliance and HIPAA. Very few of the providers out there, the small clinics and one- or two-doctor physician offices, can afford a compliance officer or a security officer, so they look to us to set the standard and provide them support.
ANDERSON: So to whom do you report and has that reporting relationship changed in the last 10 years?
PAIDHRIN: I report directly to the CIO and I have been since the beginning. Some organizations want their CISO or their CSO to report to the chief executive officer, or even to the board of directors. But here at Southwest, there has been no need for that. We have had no reporting or process concerns, and I have considerable independence and yet there is still oversight. As I mentioned there are those two committees; there is considerable oversight and policies and procedures that guide what I do and the oversight of when, where and how I do it. I don't act in the dark, and appropriate parties are notified every time I do something, so there is no question about propriety for my auditing and review processes.
ANDERSON: So how has your role evolved over time and how do you expect it to evolve in the months and years ahead, especially with all the focus on HITECH Act compliance?
PAIDHRIN: Well it has always included HIPAA and state regulatory (compliance), and for our accreditation here at Southwest that includes the Joint Commission. But, my role has matured to include policy development, of course the HIPAA/HITECH advice for our community of partners and providers, and most recently a larger role in IT service management, our use of COBIT and ITIL to hardwire best practices and quality improvement into our services. In that regard, it has expanded into integrating security awareness and privacy throughout all service areas of IT.
ANDERSON: A recent HIMSS survey of hospitals determined that only about half of hospitals have a full-time chief information security officer, so you are still somewhat of a rare breed. Do you think all hospitals need someone in this full-time role?
PAIDHRIN: Hospitals certainly, yes I do...Spreading the responsibility of the role across several positions invites problems, especially for accountability and...not having the critical responsibilities of the CISO...invites problems to take root and manifest in those gaps, in those unmanaged areas, and that is a risk no healthcare organization should accept.
ANDERSON: That HIMSS survey also showed most hospitals spend less than 3 percent of their total IT budget on data security. Do you have an estimate of how much your organization spends on security?
PAIDHRIN: I would estimate that we are near the 3 percent number, but I don't know whether that measurement is fair because IT budgets have huge sums devoted to the core business needs, new business systems applications, maintenance. Plus, operating costs are huge for IT, and, of course, staffing is always an issue. I would say security costs will always be a small percentage in comparison to those costs, so they should instead, in my opinion, be measured against an organization's risk acceptance standard, which is directly related to IT security.
So an annual risk assessment will tell both the CISO and the executives exactly what the cost benefits are for a given organization's vulnerabilities, and the budget should be directed toward that, addressing the real risk acceptance.
ANDERSON: So what are some of your top priority data security projects for the year ahead? What are you working on?
PAIDHRIN: So many. The top three? First, strengthen our data loss prevention capabilities, and we are going to automate our...access controls and reporting to address that. Second, we are going to align better, more closely, our IT goals with our organizational goals and hardwire excellence. Here at Southwest our vision is exceptional medicine, extraordinary care, every person. My role is to expand our IT service management program, like I mentioned, using COBIT and ITIL and lean techniques to support that vision.
Third, one of my favorite projects is to develop a centralized knowledge management resource because I believe for sure that we are leaving the information age and we have begun to enter the knowledge age where information, and there is lots of it, is not valuable unless it can be quickly accessed, put to use and produces some good. Those are my goals.
ANDERSON: What are the data security implications of knowledge management?
PAIDHRIN: Huge, because you can have all the technologies and solutions in place, but if your workforce is not aware, awake, attentive, mindful of the policies, procedures, appropriate protocols, all those security controls and functions and tools can be undermined, circumvented, ignored. So knowledge management means everyone is trained, everyone has access to the right information, the right processes and procedures, and thereby they can follow them. A policy does no good if it sits in a folder or on an intranet and no one reads it. That is where that hardwiring comes in; it has got to be a part of everyone's everyday practices, and that is the bigger umbrella; the meta-layer is knowledge management.
ANDERSON: About 55 percent of those surveyed by HIMSS said that they conduct a risk analysis on an annual basis or more often. Do you conduct one annually and can you give us a flavor of what the analysis covers?
PAIDHRIN: Yes, we do an annual assessment. I would say IT security...is becoming more central because without the IT security controls, most of the rest of one's audit compliance posture will fall down.
Now Southwest does conduct internal IT security and compliance audits every year, and about every three years we contract out with an external, full-spectrum assessment to make sure we are not deceiving ourselves and give us that real world reflection.
ANDERSON: Only half of the hospitals in the survey said their organization has a plan in place now for responding to threats or incidents of a security breach. Do you have such a plan in place?
PAIDHRIN: Yes we do. We have not only a plan, we have about 50 IT security policies to address most aspects of information protection. Those policies, of course, have procedures to go with them, specifically addressing incident management, incident response, auditing, securing of confidential information. And we even have a policy that is titled IT Security Plan, which establishes the governance and scope of our entire IT security program. So I think we have addressed most of what we need, all of what is required, and some extra to keep us going in the right direction.
ANDERSON: Along those lines, besides crafting a breach reporting plan, what other steps is your hospital taking to prepare to comply with the new HITECH Act data breach notification rule? For example, have you been working with your business associates who now must comply with the rule?
PAIDHRIN: We have always been working with our business associates. Southwest deploys an array of security-centric auditing solutions to maintain not only the logs of access but situation awareness so that we know what is going on across our network and with our information. And these tools monitor several layers of activity, from the data packet layer up through application into the meta or compliance layers.
So we have been reviewing and revising our policies and procedures, adding a few new ones, aggressively working with our partners so that we maintain a common standard because we are sharing information and we need to have common security and control standards.
But our business associate agreement, the contract between us and our peers and our partners to maintain confidentiality and compliance with HIPAA and the HITECH Act, has hardly required any modification because it was well-written to begin with. But now we just stress the pieces that HITECH asks us to add in, and that is just a couple of lines.
ANDERSON: Under the breach notification rule, organizations that encrypt patient data don't have to report breaches because the data is assumed to be unreadable. Please describe how your organization is using encryption so far and what is on the horizon.
PAIDHRIN: So far we have been using encryption extensively. All of our laptops that contain PHI (protected health information) are full-disk encrypted, and in the future all of our laptops, all of our mobile media will be. Where we allow USB drives, you know the thumb drives, not many are allowed, but they too must be encrypted; that goes for smartphones too. All of our electronic transmission is also encrypted...VPN tunnels, secure email, all of it is encrypted. In fact, anything that is mobile, it has to be encrypted.
We don't want to be the poster child on the front of the newspaper that says we lost a truck full of tapes or an unencrypted laptop, so we go a long way toward encrypting all of our data. We are not there yet (with encryption) at the information at rest in our databases inside our network, and we are exploring that, the costs and the performance. The costs are coming down and the performance is going up for the hardware encryption on disks, but we are exploring that as the next layer of adding encryption.
ANDERSON: Finally, is your hospital planning to participate in the Medicare and Medicaid incentive program for electronic health records and if so, how will that participation affect your data security strategy, if at all?
PAIDHRIN: Yes we will participate, most definitely. We have an initiative under way to see how we can leverage our compliance efforts with the incentives that are out there. We have mapped the "meaningful use" matrix to our IT security, IT department goals, IT strategy. We have mapped it all out, planned out a three- to five-year roadmap for how we can meet "meaningful use" criteria to take advantage of some of those incentives. But I don't know that it is going to impact our security posture. I am hoping that the maturity of our security program is such that we are already at the vanguard, the front end of what we need to do. So I don't think it is going to impact our security strategy, at least certainly not in the next several years.
We are working with local and regional healthcare consortiums, our peers, to collaborate on a health information exchange...Confidentiality, integrity, availability, all those things will be core tenets of all of those relationships, all information sharing. And we sure do hope to capture some of those incentives from the government.
ANDERSON: Thanks very much, Christopher. We have been talking with Christopher Paidhrin of Southwest Washington Medical Center. This is Howard Anderson of the Information Security Media Group.