A CIO Calls for Security Vigilance
His Mid-Size Hospital Plans Risk Assessment, Technology Investments
Christian, who was recently named 2011 CIO of the Year by the Healthcare Information and Management Systems Society, says the 232-bed hospital is preparing to hire a security auditing firm to help prepare an updated risk assessment. The assessment will help ensure the hospital is meeting HIPAA and HITECH guidelines and taking appropriate steps to mitigate all risks, he says.
In an interview (transcript below), Christian:
- Explains why the hospital, which lacks a full-time chief security officer, recently gave its internal auditor security oversight responsibilities.
- Describes plans to automate the user provisioning process for access management.
- Outlines plans for aggregating all audit logs for the various components of its electronic health record system so access can be monitored proactively and alerts for suspicious activity can be triggered.
- Predicts that a key issue in the months ahead will be determining how health information exchanges can strike a balance between providing access to patient information when it's needed and protecting the privacy of that information.
Christian, who has been CIO at Good Samaritan Hospital for more than 20 years, is the former chairman of the board of directors of HIMSS, an association for information technology professionals. He has 39 years of experience in healthcare.
ANDERSON: For starters, tell us about your hospital's size and scope and the size of your IT staff.
CHRISTIAN: We are a 232-bed hospital out in southwest Indiana. We are an acute care hospital, and we do a little bit of everything, from open heart surgery to primary care. We recently started employing a significant number of physicians, and we do about 32,000 visits to the ER a year, about 10,000 inpatient visits, and somewhere around 250,000 outpatient visits a year. IT staff is 25, me included.
Security Staff
ANDERSON: We want to talk to you today about your information security priorities for the year ahead. Are you planning to add any staff devoted to handling information security issues in 2011, and how do you handle those duties now?
CHRISTIAN: We recently made a change and made internal audit more responsible for security from an oversight standpoint. We had a consulting group come in, and they decided that since I was the CIO and also the security officer, it was kind of like a fox watching the hen house. I don't necessarily disagree. I think there needs to be some other oversight to make sure that we are doing the appropriate things. So I actually welcome that change. But as far as adding staff, I would love to have a security officer that does nothing but that, but I can't justify the expense. ... So I've got those duties spread across myself, from an administrative standpoint, to my chief technical officer to other members of his staff. We've taken a multi-layer approach to security and we've decentralized how the responsibilities of managing those components go.
ANDERSON: Can you clarify what the audit staff is doing for you now?
CHRISTIAN: The internal auditor, who reports to the board, is providing the oversight as far as our security plans and making sure that we're doing what we say we're doing. He also is providing another set of eyeballs related to the industry, what others are doing and making sure that we're keeping up with prudent practices. ...
Security Spending
ANDERSON: Do you have a feel for what percentage of your total IT budget will be devoted to security next year, and is it changing at all?
CHRISTIAN: One of the things that we're going to be doing, and I've been asking for a long time, is automating our user provisioning processes. Now we've got a pretty good portfolio of applications that we have to manage. Providing user access appropriately, and being able to audit and manage that, is just a manpower killer as far as I'm concerned. So what we're going to be doing is adding that software piece. In that light, our investments are going to increase related to that over time, but we really haven't figured out what pieces (of the budget) are just related to security, because there are a lot of things that are embedded in the applications themselves. And we have had single sign-on here for quite some time now, so that is kind of an ongoing expense. But really the next investment we are going to make is going to be in the user provisioning.
ANDERSON: And why is user provisioning such a priority?
CHRISTIAN: By doing a gap analysis related to meaningful use of EHRs (to qualify for the HITECH incentives), one of the things that we need to ensure that we're doing appropriately is making sure that we have good role-based access to the systems. The other thing is providing a way of auditing who has access to what, not only in the building but also at the physician practices, because all of our owned physician practices and the independent practices have access to our electronic medical record. They are not really good about letting us know when people terminate, so we have to constantly be vigilant. ... So we are looking for ways to unload some of those manual processes and automate them, and then be a little bit more proactive.
The other piece that we're also going to be investing in is related to an aggregation of our audit logs. We have audit logs in all the components of our EHR, so if we have a suspected breach or if we're doing just one of our routine regular audits of who is looking at what, then it's four or five individuals that we have to tap in order to go look at that. So we've looked at an application that will help us aggregate those audit logs so we can do two things: One is have one place to go and run our routine audits; the other thing is to have them proactively run and also set up alerts. You can get as granular as employees that are looking at patient records of those who live on the same street as they do. So we can kind of catch that at the very early onset and address those issues without having to do a retrospective review. We want to know who is looking now.
HITECH EHR Incentives
ANDERSON: Will your organization be applying for Medicare or Medicaid incentive payments under the HITECH Act for using EHRs?
CHRISTIAN: Yes we will apply for both. We've been running about 65 percent Medicare service for many years and we are running right at 10 percent on Medicaid. So that qualifies us for being able to participate in both of those levels of program. Now we won't be able to attest to being a meaningful EHR user for stage one until 2012, because we've got physician order entry and a few other things to do before we get there. From a clinical documentation standpoint, we are really in good shape. ...
The other thing we are going to be doing as part of this is identifying a firm that will come in and do a very focused security audit for us to make sure that we're doing everything we need to so we can check that box off as far as meeting all the requirements, the HIPAA guidelines, both ones from 1996 and the new ones out of HITECH, and we can mitigate any of those issues that are identified.
ANDERSON: So when is the last time you conducted a risk assessment there?
CHRISTIAN: About two years ago, and so it falls really well into our cycle of doing those risk assessments about every 36 to 48 months.
ANDERSON: So what do you see as the most important trends in healthcare information privacy and security overall in 2011 and beyond? And how do you expect those trends to affect your job as CIO?
CHRISTIAN: I think we just need to get more vigilant. If you look at some of the discussion that is happening in Washington right now about privacy and security, the volume is going to be raised.
Indiana is kind of the unique place; we're doing a lot of health information exchange. We've got some fairly sophisticated legal models related to how that data is going to be shared and when it is going to be shared. But depending upon some of the access models and the (consumer) opt-in and opt-out discussions that are taking place, the landscape may change a little bit.
I think for us in healthcare, it has always been a very delicate balance. How do we provide the right people access, but also make sure that we are protecting the patients' information and privacy at the same time? I've got some physicians that would want to make sure that we maintain the "break the glass" approach to accessing information rather than asking permission and being granted access, because it could delay care in some cases. If I'm in the emergency room having a heart attack, I can tell you I don't really care who looks at my record if they are there to help save my life.
Now if there's a 14-year-old kid down that street that is just wanting to kind of cruise through and just see what is happening with Mr. Christian, then yeah I've got a problem with that. The question is: How do we qualify who is accessing the record and at what level?
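The audit-log aggregation and proactive alerting Christian describes earlier in the interview (one place to run routine access audits, plus alerts as granular as an employee viewing the record of a patient who lives on the same street) is the kind of rule a detection engineer would wire up over EHR access logs. The following is an added example written for this page; it is not the hospital's system, not code from any EHR vendor, and not the product Christian evaluated. It assumes two hypothetical component log formats (a lab CSV and a radiology JSON-lines feed, both constructed here), constructed HR and patient directory extracts, and a simple street-name normalizer so that "412 Maple St." and "418 MAPLE STREET" compare as the same street.

```python
"""Aggregate access logs from several EHR components into one schema and run a
same-street lookup alert over them.  Added example for this page: the log
formats, logins, MRNs and addresses below are all constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import csv
import io
import json
import re


@dataclass(frozen=True)
class AccessEvent:
    """One record-access event in a common schema, whatever component logged it."""
    ts: datetime
    source: str      # EHR component that produced the log line
    user_id: str     # employee login
    patient_id: str  # medical record number
    action: str


# Constructed sample logs from two hypothetical EHR components.  The lab system
# writes CSV with ISO timestamps; radiology writes JSON lines with epoch seconds
# and its own field names.  Aggregation means mapping both onto AccessEvent.
LAB_LOG = """timestamp,user,mrn,action
2011-03-01T09:15:00,jdoe,100234,view
2011-03-01T09:16:10,asmith,100235,view
2011-03-01T11:42:05,jdoe,100240,view
"""
RADIOLOGY_LOG = """\
{"when": 1298970000, "login": "asmith", "patient": "100234", "event": "open_study"}
{"when": 1298983200, "login": "bjones", "patient": "100236", "event": "open_study"}
"""

# Constructed HR and patient-directory extracts (login -> home address, MRN -> home address).
EMPLOYEE_ADDRESS = {
    "jdoe":   {"street": "412 Maple St.", "city": "Vincennes"},
    "asmith": {"street": "9 Oak Ave",     "city": "Vincennes"},
    "bjones": {"street": "77 Elm St",     "city": "Bicknell"},
}
PATIENT_ADDRESS = {
    "100234": {"street": "418 MAPLE STREET", "city": "Vincennes"},   # same street as jdoe
    "100235": {"street": "5 Oak Ave",        "city": "Washington"},  # same street name, other city
    "100236": {"street": "80 Elm St",        "city": "Bicknell"},    # same street as bjones
    "100240": {"street": "1 Main St",        "city": "Vincennes"},
}

_SUFFIX = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR"}


def street_key(street: str, city: str) -> tuple:
    """Normalize an address to (street name, city): drop the house number,
    punctuation and case, and collapse common suffix spellings."""
    words = re.sub(r"[^\w\s]", "", street).upper().split()
    if words and words[0].isdigit():
        words = words[1:]
    words = [_SUFFIX.get(w, w) for w in words]
    return (" ".join(words), city.strip().upper())


def parse_lab_log(text: str) -> list:
    """Map the lab component's CSV audit log onto the common schema."""
    return [AccessEvent(datetime.fromisoformat(r["timestamp"]), "lab",
                        r["user"], r["mrn"], r["action"])
            for r in csv.DictReader(io.StringIO(text))]


def parse_radiology_log(text: str) -> list:
    """Map the radiology component's JSON-lines audit log onto the common schema."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime(1970, 1, 1) + timedelta(seconds=int(rec["when"]))  # naive UTC
        out.append(AccessEvent(ts, "radiology", rec["login"], rec["patient"], rec["event"]))
    return out


def aggregate(*feeds) -> list:
    """Merge per-component event lists into one time-ordered stream."""
    return sorted((e for feed in feeds for e in feed), key=lambda e: e.ts)


def same_street_alerts(events, employees, patients) -> list:
    """Flag accesses where employee and patient share a home street and city.
    A hit is a lead for the privacy officer, not proof of snooping: the access
    may be legitimate, so a reviewer still confirms a treatment relationship."""
    alerts = []
    for e in events:
        emp, pat = employees.get(e.user_id), patients.get(e.patient_id)
        if emp is None or pat is None:
            continue  # unknown login or MRN: nothing to compare against
        key = street_key(emp["street"], emp["city"])
        if key == street_key(pat["street"], pat["city"]):
            alerts.append({"ts": e.ts.isoformat(), "source": e.source, "user": e.user_id,
                           "patient": e.patient_id, "action": e.action, "street": key[0]})
    return alerts


def run_demo() -> list:
    events = aggregate(parse_lab_log(LAB_LOG), parse_radiology_log(RADIOLOGY_LOG))
    return same_street_alerts(events, EMPLOYEE_ADDRESS, PATIENT_ADDRESS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data this raises two alerts (jdoe viewing MRN 100234 in the lab system, bjones opening a study for MRN 100236 in radiology) and stays quiet on asmith, whose patient shares a street name but not a city. The normalizer is deliberately crude; a production rule would match on geocoded addresses and suppress accesses with a documented care relationship, otherwise a nurse on the patient's own unit trips it every shift.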