CIO John Halamka on Security Priorities
Also Describes Test of Google Glass in ER
"In some ways, today, the CIO should be the 'compliance information officer,'" Halamka says in an interview with Information Security Media Group. "The theme this year is increased security maturity throughout the entire healthcare system."
Top security and privacy priorities at the academic medical center for 2014 include deploying security technologies to address risks such as distributed denial-of-service attacks, medical identity theft, social engineering and malware. Another important effort, he says, is workforce HIPAA education and training to help prevent missteps that can lead to substantial financial penalties from federal regulators for compliance failures.
"You're seeing record-setting settlements for simple things like stolen laptops ...," he says, referring to recent Department of Health and Human Services actions in the wake of breach investigations (see $4.8 Million Settlement for Breach). "So on one hand, a whole lot of work has to go into policymaking, training and education, and physical security. ... And there's all this compliance, regulatory work. But there's also a vast amount of technical work."
The Boston medical center has long been an early adopter of new technologies. To address the potential privacy and security risks involved, the organization created a "change control board." The panel, which includes infrastructure and security experts, meets weekly for two hours, Halamka says. "Anytime a new technology or a changing configuration of an existing technology is suggested ... [the board takes] a collaborative, multi-disciplinary look at what vulnerabilities a change or new technology might introduce. Only once formal sign-off is given is that change executed or that technology acquired."
The medical center is now testing Google Glass, which Halamka describes as "like an iPhone you wear on your face." Physicians in the emergency department are using the devices to get timely access to patient information, such as medication allergies. But the organization has taken several steps to help ensure data security of the devices, including the use of multi-factor authentication.
In the interview, Halamka also discusses:
- The biggest emerging cybersecurity threats he sees, and why he thinks "the Internet is increasingly a swamp";
- The important role network forensics tools played in scrutinizing user access to medical records of victims injured in the Boston Marathon bombing last year;
- The impact that the HIPAA Omnibus Rule has had on regulatory compliance efforts.
"Our real efforts over the last year have been to categorize every individual by role and to give them access rights that are minimal for that role and give them constant education about their responsibilities for keeping data safe," he says.
Halamka, a practicing emergency physician, writes the blog Life As A Healthcare CIO. He is co-chair of the HIT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT. Halamka is professor of medicine at Harvard Medical School. He also is chairman of the New England Healthcare Exchange Network in Massachusetts and co-chair of the Massachusetts HIT Advisory Committee.