CISO: Building Risk Management Support
Six-Hospital System Implements a Security StrategyMurphy, who conducted a risk assessment when he became the six-hospital system's first information security officer 15 months ago, is helping form a governance council to address privacy and security issues throughout the enterprise.
Boston-based Caritas Christi Health Care System recently was acquired by private equity firm Cerberus Capital Management and became part of the newly formed Steward Healthcare System, which plans to acquire additional hospitals.
In an interview (transcript below) with Howard Anderson, executive editor of HealthInfoSecurity.com, Murphy describes how the organization is:
- Expanding its use of encryption, using technology from Sophos. The hospitals are implementing full-disk encryption of laptops as well as desktops in unsecure areas and encrypting all data transmissions, both internal and external.
- Hiring more staff and outsourcing certain security projects to address gaps identified in a risk assessment.
- Conducting additional risk assessments tied to its three electronic health records applications in preparation for applying for HITECH ACT EHR incentive payments.
- Studying whether the "private cloud" model of using cloud computing for data storage is cost-effective and provides adequate security controls.
Murphy has more than 15 years of information security experience, including managing and performing risk assessments, designing and implementing network infrastructure architectures, developing policies and procedures, and conducting system audits. He previously worked at Deloitte and the Federal Reserve Bank of Boston. He holds the CISSP, CISM, CIPP, GSEC, GSLC and PMP certifications.
HOWARD ANDERSON: First, tell us about the size and scope of Caritas Christi.
JIM MURPHY: We have been recently purchased by a private equity firm, Cerberus Capital Management. We've changed our legal name from Caritas Christi to Steward Healthcare System, which is a holding company for our current six hospitals. We are looking to purchase additional hospitals in the New England region ... but we are speaking with hospitals ... from Florida ... up to Maine. We currently employ approximately 13,000 ... across multiple hospitals and multiple facilities.
ANDERSON: I understand that your role as information security officer has evolved. Please provide some insights on the policies you are now working on.
MURPHY: When I first joined the organization approximately 15 months ago, they never had an information security officer and they were unsure what the role was going to be within the Caritas Christi system. I spent my first 90 days doing an assessment to determine what the gaps were. A lot of gaps were operational gaps, but we also had administration gaps and risk management and policy and procedure gaps.
It has been determined there is a need to have a governance risk management council to address the security and privacy needs for the hospital chain across different business verticals within the Caritas/Steward environment. ... We have a new management team in place. ... We have a new chief technology officer and a new chief information officer, and we're trying to develop a governance risk management council to address the security and privacy needs of the organization. We're also looking to hire some additional staff and outsource components of our security program to a third-party provider to help us remediate some of the gaps we've identified during our recent assessments.
Information Security Program
ANDERSON: What are the key elements of your information security program today, and how are those components likely to change in the years to come? For example, how is your use of encryption evolving?MURPHY: We have an information security policy manual ... marking the governance of information security within the organization. I'm actually following ISO 27002 to align the goals and responsibilities of information security with this framework. Below that ... we have numerous policies and procedures ... like an encryption policy and a password policy. As part of the security program we also have multiple risk assessments. And the last component is a security awareness training program that we are slowly kicking off. That seems to be a little more on the back burner until we actually address some of the gaps in our environment. ...
We had a policy written years ago that we do require encryption for outbound communication using e-mail and file transfer protocol. That process was implemented years ago, but we're also now trying to push more encryption across the board for transmission within our network and outside of our network as well as encryption of data at rest. So one of the initiatives we took on in the last year was to offer full disk encryption to our laptop users and also to any workstations that are in an unsecure area to make sure the information is protected from any theft or loss.
We're also deploying encryption to any type of USB or third-party device, such as flash media ... to make sure that if there is any information on those drives it is encrypted and no unauthorized user could intercept that data.
Electronic Health Records
ANDERSON: Do you anticipate that all of your hospitals will apply for the HITECH Act electronic health record incentives? And how is that effecting your privacy and security strategies and priorities?MURPHY: We've already started to address this "meaningful use" initiative. We've been working diligently ... to review what's required with the different elements of meaningful use. My area of concern is ... information security risk assessments for each of our EHR applications. We're reviewing each of the applications we've deployed in our environment and we're reviewing security configurations to make sure they comply with our current policies and procedures. Based upon these risk assessments, we've identified several gaps, and we're trying to remediate those gaps to address the issues we've discovered during the risk assessments.
But there's more than just information security to [achieving] meaningful use. There are a lot of interface feeds that need to be implemented into the environment, as well as a lot of applications that need to be upgraded to comply and be accredited as certified to achieve meaningful use.
We have three EHR applications. ... One is Meditech; the second environment is eClinicalWorks and the third is the Amalga/Microsoft Health Vault environment. These three applications are major critical applications ... and we're scheduled to upgrade these environments this year to comply with meaningful use.
Cloud Computing
ANDERSON: Is your organization using cloud computing at all yet, and if so, what security issues does that raise and how are you addressing them?MURPHY: We do perform a lot of business with third parties using their applications that are not on our sites; I consider those to be application service providers in the cloud. ... As we're moving forward, we are strategizing on how to utilize private cloud technology for some of the e-mail and storage retention policies we have. We're trying to determine whether or not it is more cost-effective to use the cloud computing architecture versus doing it on-site and whether or not the value is worth the risk. We are concerned about ... what controls they have in those [cloud] environments; our concern is we don't want our data to be co-mingled with other people's data. Is there a separation between physical equipment and virtualized equipment? ... And what type of third-party [security] reviews [do] these vendors have? ...
ANDERSON: So what advice would you give to other chief information security officers, based on your experience, about handling risk management challenges?
MURPHY: I think the biggest issue for chief information security officers is to address risk management by working with the business. The risk is not ... solely a security issue. A lot of the risk management issues that organizations face deal with the business and the operational side, as well as legal and financial risk. What I've been trying to do, working with the different business units and verticals within Steward Healthcare, is to develop a framework for risk management and how to weigh ... security risks, privacy and patient safety. Every single business unit within our environment has ... a risk it needs to address, and we try to balance different concerns. We want to make it really secure, but we also don't want to impact patient safety or patient's medical information.
So we have to ... determine whether or not the risk is greater than the benefit. ... We've been trying to work with the business units to develop a type a framework and get their buy-in so as new projects are being developed or discussed, information security is actually involved with the discussions to make sure that the business understands what the information security needs and requirements are, and information security management understands what the business requirements are. This way, we'll notice no surprises at the end of the project. We are trying to bake into the methodology that we address all the risks from all different business verticals within the organization.