Charles Christian: The Security Challenges of Community Hospitals
Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., also serves as the de facto chief security officer, dividing up many data security tasks among the two dozen members of his team, each of whom is also a multi-tasker.
In this interview, Christian, the former chairman of the Healthcare Information and Management Systems Society, describes his team's many ongoing projects, including the:
He also provides a real-world example of the value of an intrusion detection system. The system immediately pinpointed the room where someone visiting a patient unplugged a PC and plugged his laptop into the hospital's network.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking about data security today with Chuck Christian, CIO at Good Samaritan Hospital in Vincennes, Indiana. Chuck is the former chairman of the Healthcare Information and Management Systems Society. Thanks so much for joining us today, Chuck.
CHUCK CHRISTIAN: Thank you very much for the opportunity.
ANDERSON: You are CIO of a 247-bed community hospital in southern Indiana. How big of an IT staff do you have now, and do you expect it to grow next year?
CHRISTIAN: In this economy, no, I don't really see it growing, even with some of the things we have on our plate. We are going to try to do a little bit more with as little as we have.
ANDERSON: Do you have a full-time chief security officer or someone else designated to be the full-time point person on data security?
CHRISTIAN: I wish I could say I had somebody designated for that. Being a community hospital, many of us wear a lot of different hats. I have a gentleman that has been with me for a long time that does all of my perimeter security, remote access, that kind of stuff. I am the policy guy and have the moniker of being the security officer for the organization.
So the responsibilities of what you would typically see in a chief security officer are spread among quite a few different folks, and it has worked really well for us.
Ultimately I am responsible, as CIO, for making sure that it gets done. But my manager of technical services has a piece of security, and I have got a few other folks that have pieces, and we work really well together to make sure everything is covered.
ANDERSON: So it sounds like, of your staff of 25, perhaps the majority of them touch data security at some point?
CHRISTIAN: Well we do. If we have to be the audit police, then that's what we are, looking for inappropriate access to medical records and those types of things. So I have a tendency to involve quite a number of my staff when we have to go and do some forensics.
Knock on wood, we have never really had a big (virus) infection or anything like that. But every once in a while, someone will stupidly click on an attachment to an e-mail that will launch something off a web site that will stick in some kind of mass mailer or something and we will be "all hands on deck" to get that fire put out.
ANDERSON: A recent HIMSS survey determined about half of hospitals have a full-time CSO. Do you think your hospital will eventually have one?
CHRISTIAN: Trying to justify a full-time position to do nothing but security for a community hospital our size is going to be pretty tough. It is a matter of resources and resource utilization. We have done a really good job with securing the perimeter. So when you make it look really easy then it is hard to justify that position. It is kind of like if you have a car that is working pretty well, you don't really want to go get another one until that one is not working anymore, depending upon what your finances are.
For some of the heavy-duty (security) stuff, we call in some outside folks to come in and do audits and checks and make sure we are doing the appropriate things and then we do our best to do the prudent practice checks. It would be a wonderful resource to have (a CSO) because I can't think of everything and neither can my staff. If we had somebody that was doing that full time, then there is a whole other litany of things that they could do and another level that they could take you to.
ANDERSON: That HIMSS survey also showed most hospitals spend somewhat less than 3 percent of their total IT budget on data security. Do you spend about that level and do you expect the percentage to grow in the years ahead?
CHRISTIAN: Since we have got it (security) spread over so many different folks and it is all part of what they do every day, I don't really have a good handle on what percentage is spent just on security. But I think we probably spend less than 3 percent of my total budget on it. It's like everything else; you have to do the best you can with what you've got, particularly in light of the current economics.
ANDERSON: Only half of the hospitals in the HIMSS survey said their organization has a plan in place for responding to threats or incidents of a data security breach. Where is your hospital at in developing such a plan and what are some of the major components?
CHRISTIAN: We have got a breach notification policy that we put in place. We put together with our public relations department an emergency communications plan. Our PR director has always had one, but we have now beefed that up. I am hoping, once again knock on wood, that we never have a breach that requires us to notify the press ourselves, but the regulations require us to report even the minor breaches to HHS on an annual basis.
ANDERSON: So how else are you preparing for compliance with the new federal data security breach notification rule? For example, have you been working closely with your various business associates altering the terms of those contracts?
CHRISTIAN: Well we put together an internal group that involves finance, the compliance officer, internal audit, myself, the HIPAA privacy officer, public relations and our vice president of medical affairs. There is too much for one person to do, so we spread out that work among quite a few different folks. When the HIPAA regulations took effect, internal audit was responsible for making sure the business associate agreements were in place and were appropriate. That department is now reviewing those agreements and making sure that all the "i's" are dotted and the "t's" are crossed. We are making the determination, particularly if we do happen to have a breach, whose responsibility is it to do those notifications.
We are also doing education internally. All of our employees will be required to participate in the online education, and there is a test that they will take to make sure that they have competency. We are also taking a version of that education and making it available to our medical staff to be used in their offices. We do two or three education sessions (a year) for all of our associated medical staff offices in the area. We are planning to do an education session (on security) for them early in the year. And then each practice will be given copies of the PowerPoint to take back and do education for the rest of the staff in 2010.
ANDERSON: Tell us a little bit about other data security projects that will be priorities in 2010.
CHRISTIAN: We have had single sign-on in place for a long time. But one of the things that I am really interested in and I have been doing a lot of research on is identity management and provisioning. There are several companies in the market that have really good products. But I think that is something that we need to do because we have multiple applications that we use every day, and trying to manage that security and be prudent about password resets and those types of things is just a resource hog.
And we will continue to try to be diligent on our perimeter defense. This is not something that you just do once and let go. We are always finding new threats on the outside that we need to worry about. And then the other thing that I am more concerned about than the perimeter stuff is the internal threats. Making sure that everything is locked up as tightly as it possibly can be so that we don't have folks installing rogue wireless access points that have no security on them whatsoever.
We had a gentleman that came into the hospital to sit with his mother sometime back, and he was an IT professional. On our internal intrusion detection system up popped his laptop. So we started hunting him down, and I found him and he was sitting in his mother's room in critical care and had unplugged the PC and plugged his laptop into the network. So when I walked in and introduced myself as the CIO and the chief security officer, he said, "How did you find me?" I said, "Well I have my ways." I asked him to unplug his laptop and please not do that any more.
The next day, the staff saw him bringing his laptop into the hospital inside of a pillowcase, and so we collected that from him until he left. So that is the level of diligence that we try to do. We do have a guest network that visitors can access with their own equipment. We can provide those guest services to our visitors and our patients if they need to be able to do work--and keep that off of our network.
ANDERSON: Are you making much use of data encryption at this point?
CHRISTIAN: Any data that we send out gets encrypted. Our e-mail gateway scans the e-mail before it goes out and it checks for things that are related to HIPAA and identifiable personal health information. And it will automatically encrypt that and the recipient of the e-mail will get a secure e-mail that says you need to go pick this up (on a portal).
We also have the ability to automatically encrypt an outbound e-mail if we want to. But any file, or any piece of data that we share, we encrypt. We encrypt anything that goes outside of the building. We have some things that we encrypt internally, but most of the stuff that is in the building is not encrypted. We also have a policy in place that anybody that is using a laptop is not allowed to keep any kind of patient-related data on that piece of equipment.
We have folks that are moving data, so we are using the flash drives (USB drives) that are encrypted at military grade. The only thing that worries me about that is if you put your password in 10 times wrong, the drive will destroy itself.
ANDERSON: As the former chairman of HIMSS, you had the opportunity to meet with a lot of other CIOs all across the country. Based on those meetings, do you believe that hospitals, physician group practices and other healthcare organizations will view data security as a higher priority in the years ahead?
CHRISTIAN: Well I think that there is still a lot of education that needs to take place. In the larger organizations, they are typically going to be able to have the resources to have full-time security folks. That's appropriate because the larger organizations have more potential for something falling through the cracks or incidents of abuse.
The organizations that are really going to be challenged with this are the smaller facilities--critical access hospitals and physician practices. The larger physician practices can afford to have their own IT staff who will be made responsible for security. But again, the smaller group practices just cannot afford to have that, so they are going to do one of two things. They are either going to depend upon the vendor who is taking care of their network or their other equipment, or they will rely on the community hospital, like us, to provide some expertise.
We can't provide services because we are precluded by federal law from doing a lot of things. But we can give advice, and that doesn't cost anything. And we can provide education and support. There is a significant amount of education that is going to have to take place. The reason that we are doing community education to help get that word out is because I want to make sure the information that we are providing is kept as secure as possible. I think that we have still got a long way to go.
ANDERSON: Thanks very much, Chuck. We have been talking today with Chuck Christian, CIO at Good Samaritan Hospital in Vincennes, Indiana. This is Howard Anderson of the Information Security Media Group.