Emory's Dee Cantrell on Thin Clients
In an interview, the CIO of the integrated delivery system, which is affiliated with Emory University and includes four hospitals and a 1,500-physician clinic, outlines her risk management strategy. For example, she describes why Emory is:
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Dee Cantrell, CIO at Emory Healthcare in Atlanta. Thanks so much for joining us today, Dee.
DEE CANTRELL: It's my pleasure to join you, thank you.
ANDERSON: Could you please give us a brief overview of Emory Healthcare and what it encompasses?
CANTRELL: Emory Healthcare is a large integrated delivery system focused in the Southeast where our home base is in Atlanta, Georgia. We have four hospitals with close to 1,600 beds and a very large physician clinic of about 1,500 physicians. We are an academic health system, so we have a lot of opportunity for integrating clinical research with our clinical care itself at the bedside.
ANDERSON: Tell us a bit about your information security team. Do you have a full time chief information security officer with a staff, and how has that staff evolved in recent years as you've ramped electronic health records and computerized physician order entry?
CANTRELL: Well we do have a full-time team dedicated to security...and we take all efforts to ensure that the privacy of our patient data and security is appropriate. The focused team really looks at that from a day-to-day perspective but also looking out toward the future for opportunities for how we improve...and leverage new technologies that may come on the market.
We do have a director of security as well as a chief security officer that we share with Emory University. So we are very focused on ensuring that anything that we implement and the way we architect everything is compliant with federal regulations for HIPAA as well as some of the accrediting agencies that we deal with, like Joint Commission, as well as specific societies like the American College of Cardiology and the clinical lab accrediting organization. We have a lot of people who look at us, so we have to make sure that our house is in order.
ANDERSON: Has the size of that security team grown in recent years?
CANTRELL: It has. We have probably added about three to five people to that team just over the past five years, and the reason for that is we've been on a very heavy path of implementation for clinical automation. As we add more and more systems that deal with more and more patient data, we need to add the support staff to be able to ensure that we're doing all the right things from a security and privacy perspective too. Not to mention the number of log-on IDs and passwords and things like that that have to be managed on almost an hour-by-hour basis, because we have a revolving door with the number of residents and fellows that come on each year. As they change rotations...we have to ensure that they have appropriate access for their roles and for the locations in which they are providing care.
ANDERSON: I understand you are using Citrix virtualization technology in conjunction with thin clients through much of Emory Healthcare. Tell us why you chose that technology and how it works and how it influences your approach to information security specifically.
CANTRELL: We were an early adopter of virtualization technology. Actually, back in 2002 we implemented our first wave of virtualization. Technology has definitely improved from that time. And as new technologies come out, they allow us to do even more to support a very mobile work force. Virtualization is key to that. We continue to refine and adopt our strategy for that. But one of the things that we looked at when we embraced virtualization, one of our core business drivers, was the need to ensure that we mitigate risk for any breach of patient data security or privacy. With virtualization technology, what we're able to do is stream information from a very secure location over secured network connections to the device that the end-user is using, and none of that information resides on that device.
So we don't have to worry about a laptop getting stolen that has patient information on it, or some other device, whether it's the PDA or our mobile work stations on wheels, because our patient data does not reside on the device itself. It is all served up virtually from the servers in the secure data center.
ANDERSON: How can physicians access your clinical systems remotely, and how do you ensure that the information remains secure?
CANTRELL: Well one of our other drivers as we looked at adopting virtualization early on, not only was security, but the ability to support a mobile work force because our physicians roam across the state of Georgia and actually into surrounding states. We have a large teleradiology presence in the Southeast as well, so the ability to support physicians no matter where they may be located with secure access to patient information was imperative.
We've created what we call My Desktop. That essentially is a virtualization portal that gives the end-user access, based on their security levels, to all the enterprise applications that they need to do their job for providing care at Emory Healthcare. Now this also works for our mobile office workers as well, because we've virtualized the entire Microsoft Office suite so that all business applications, e-mail, Word, Excel, etc., are served up virtually through this portal.
And so even if they happen to be on vacation in California, on the beach somewhere, and there is an issue that comes up where they need to get to all their files and be able to share a presentation with people back home, they log in to this secure web portal into our virtualization desktop and they are able to get to everything just like they are in their office.
ANDERSON: Tell us a little bit about how you handle user authentication both on the campus and for remote access.
CANTRELL: We do two-factor authentication right now. We are looking at adopting another level of authentication. But because of what we've been able to do with our virtual desktop, two-factor authentication actually works very well for us because there is so much other security around it. The other thing that we've been working on too is a more seamless way of providing user authentication not only for Emory Healthcare but also for Emory University, because we do have faculty and staff that go between the two different service lines. One of our projects right now is taking a look at a more ubiquitous approach to streamlining user authentication to access systems whether they are healthcare-specific or academic-specific.
So one of the things that we'll be embarking on will be a virtualization strategy for the university side as well. And, of course, user authentication will be something that we'll have to really look deeply at.
We have single sign-on authentication that is integrated and built into our virtual desktop, which also allows much better management of authentication through all the different layers of the applications that our users are accessing, and we have got technology from IBM as well as ActivCard and some Citrix components as well in order to try to make that authentication and user access experience as seamless as possible and as quick as possible.
ANDERSON: So is the two-factor authentication a hardware token or biometrics?
CANTRELL: Right now we've tried a little bit of all of those in different pilots and in different situations, and in the emergency department we use proximity cards. We've also done some work with biometrics. We've even looked at retinal scanning.
Right now, the basic two-factor authentication is a login ID and password plus your secure connection into the virtualization portal. But we have pockets of trying all of those different authentication technologies out there. It's been a little difficult to settle on one particular enterprise authentication process... For example, with the proximity cards, even though it may also be your ID badge...people will still use each other's cards for access. That's why we're considering that we may need not only the proximity badges but fingerprint sign-on as well, and maybe some other technologies, which gets back down into really looking at doing more three-factor or even deeper authentication.
A challenge in healthcare settings is getting the right combination of things that the clinicians will actually use, and that will also provide the level of security that you as an IT professional see as a real need.
ANDERSON: Tell us a little bit about how you're applying encryption and whether the use of the Citrix technology affects that strategy.
CANTRELL: For our virtualization initiative and our virtual desktop, from an encryption standpoint we use PGP whole disk encryption for mobile devices. We don't have to do any more specific encryption to the server or the network, because we are a closed system. The data is encrypted within the transmission internally from the PCs to the servers. We do, from a secure e-mail perspective, use transport layer service, or TLS, as our default for this, which means that when we send or receive e-mail to or from a third party that is outside of our network, the e-mail is transmitted encrypted...
Typically on the clinical care side, TLS has been pretty much a standard adopted, but as you move into the academic arena, there are...different kinds of encryption used by the third parties that may be interacting with faculty. So that gets to be a little bit more of a challenge.
ANDERSON: Please update us on the status of your move to computerized physician order entry, and is the move to electronic orders raising any new security issues that you've had to tackle?
CANTRELL: We are fully deployed with computerized physician order entry throughout our hospitals, and we've actually had very good experience with physician order entry and are up in the high ninety percentage as far as compliance with entering all our orders electronically by the provider.
There haven't been any additional security issues or concerns that we didn't already have, because our physicians have access to the EMR through the virtual desktop and so they already had all the access they needed no matter where they were and it was secured access. But again, this gets back to that you can't underestimate the importance of human behavior, offering education, training, and certification annually, which is what we do for both our staff and our physicians.
We make sure everyone understands and appreciates the importance of the security guidelines that they need to adopt and they don't share passwords and they do the appropriate things with information, whether that be electronically or verbally or on paper. So I just continue to emphasize that even the best security technology in place can be disrupted by human behavior. So education, training, compliance monitoring of these things are vitally important no matter what.
ANDERSON: Finally, you are one of those rare CIOs who also is a registered nurse. How does that background help you as you develop strategies for giving nurses and other clinicians access to clinical information while ensuring it also remains secure?
CANTRELL: I think that being a clinician adds a lot of credibility to my role, because I've been there, I've done that... In addition to myself being a clinician though, I have other clinicians that are part of my staff as well.
So having a blend of clinicians and true IT professionals offers the best chance of success for moving things forward in a healthcare system, because it takes both perspectives coming together to ensure that the right thing happens for patient care and for providers and our nurses. So in my opinion, I think I have the best of both worlds here.
ANDERSON: Well thanks very much. We've been talking today with Dee Cantrell of Emory Healthcare. This is Howard Anderson of the Information Security Media Group.