Hiring of CISO Signals New Era
Catholic Health Initiatives Ramps Up Security as it Rolls Out EHRs
In a move characterized by CIO Michael O'Rourke as long overdue, Catholic Health Initiatives has hired its first corporate chief information security officer. The new CISO, Sheryl Rose, spent more than 12 years at First Data Corp., a financial transactions processor, where she most recently served as vice president of global security operations and disaster recovery.
Catholic Health Initiatives, which has 73 hospitals, 40 long-term care facilities and more than 300 clinics in 18 states, also recently worked with a consultant to update its enterprisewide risk assessment and create a five-year security plan, which the new CISO will fine-tune and implement.
Automation Push
The organization is investing heavily in electronic health records to "give physicians access to data to make better decisions and achieve better quality outcomes," O'Rourke says.
"And as healthcare reform comes, it will require us to report on our core quality measures to be able to compete well with other organizations based on our outcomes."
To help defray some of the costs of the massive project, the organization will apply for extra reimbursement under the HITECH Act's Medicare and Medicaid EHR incentive program. That program's "meaningful use" standards require participants to conduct a thorough risk assessment to identify security risks and address them.
Intensified Security Efforts
The organization plans to spend more than $100 million of its $1.3 billion clinical automation budget on security as it ramps up efforts to make information more accessible to physicians beyond the four walls of a particular hospital, O'Rourke says.
"We have had a security program in place, but the challenge and the momentum of now deploying EHRs everywhere has really raised the ante," he says.
The nation's third-largest Catholic healthcare system will expand or introduce EHRs at all its facilities and provide remote access for physicians as well. "So we really have a sense of urgency now to focus our attention on the protection of patient information more than we ever have before as we start to push information across various different venues," O'Rourke says.
In most communities that the organization serves, several hospitals and other facilities are served by a regional IT director. "Those directors are trained in security requirements and processes," the CIO says. "But they are not full-time security professionals. Sheryl will be looking at their skill sets and what all our employed IT resources look like on security and will probably be making some changes to amplify and bolster our security programs in our hospitals."
Corporate Changes
At the corporate level, the new CISO will take over the existing information security operations, which had been reporting to a chief technology officer. "We are in the process of revamping that whole security structure," O'Rourke says.
At the organization's headquarters in Englewood, Colo., a corporate security team, as well as an identity management team and some managers of hardware and IT infrastructure, had been working on security issues.
"Security is being raised to a new level of importance, and we have to focus our attention on security now like we had focused our attention in the past on hardware or disaster recovery," O'Rourke says. "That's why we've shifted the responsibility from the chief technology officer to our new chief information security officer."
Rose, the new CISO, says Catholic Health Initiatives needs to move from a "granular" approach to security, such as a focus on user management, to a broader "data protection perspective."
Growing Pains
O'Rourke acknowledges that the organization's rapid expansion through a series of mergers and acquisitions led to growing pains. Catholic Health Initiatives had $8.6 billion in revenue last year.
"When you grow in that way, you can see lots of variation comes with that," the CIO says.
Previously, the regional IT offices serving local hospitals developed their own security plans, and then the corporation developed an enterprisewide plan encompassing those. When O'Rourke joined the organization, he determined it needed a robust corporate security plan that then could be deployed in each local market.
Catholic Health Initiatives has a central data center that houses the core clinical information systems that its facilities use. Hospitals, clinics and other sites access the systems through a high-speed private communication network.
Finding the CISO
The Catholic healthcare system conducted a national search for its first corporate CISO. "We interviewed candidates from banking, healthcare and even utilities because all three of those areas have a necessity for security programs," O'Rourke says.
Rose already had a connection with Catholic Health Initiatives, having served for 18 months as a member of its board's audit and compliance committee, lending her security expertise.
At First Data, Rose headed a team of 80 security professionals. She says she "had worldwide responsibility for security, ranging from a security operations center to an investigations team to firewall management to identity management." She anticipates that her experience in dealing with financial regulations will help prepare her for dealing with the healthcare regulatory environment.
Rose, who starts her new role Oct. 4, holds several certifications from the Information Security Audit Control Association, including Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA).