Evolving Security Challenges for CIOs: The Need for a Long-Term View
As CIOs are asked to assemble more data to demonstrate their organization is providing high-quality care at a lower cost, their role in ensuring privacy and security is evolving, says technology specialist Harry Greenspun, M.D., of the Deloitte Center for Health Solutions.
"They've got to build these very robust capabilities" to gather all necessary data, he says in an interview with HealthcareInfoSecurity (transcript below). "The amount of data and the way that it's flowing, both inside and out of the organization, poses some new privacy and security concerns. They have to really beef up the work they do in this area, expanding the capabilities, bringing in new people with new skill sets and [enhance] the leadership within their organization to meet these challenges."
As a result, many organizations are attempting to add privacy and security specialists, Greenspun says. "The challenge people are having is identifying high-quality individuals experienced in healthcare who can manage that kind of responsibility."
CIOs must lead the effort to develop a roadmap of "what their privacy and security challenges are going to be, how they're going to manage that and how that might change in the future so they have a flexible way of responding to those needs," he emphasizes.
In the interview, Greenspun also discusses:
- The biggest privacy and security challenges facing CIOs;
- The steps CIOs can take to improve privacy and security at their organizations;
- The somewhat conflicting regulatory pressure put on healthcare organizations to share, yet secure, health data. "On one hand, CIOs are pushed to get the right data to the right people in the right place and the right time. But the penalties for messing up have gone up significantly."
Greenspun is the senior adviser for healthcare transformation and technology at the Deloitte Center for Health Solutions, which is part of the consulting firm Deloitte LLP. Previously, he served as chief medical officer for Dell Inc. and chief medical officer for Northrop Grumman Corporation. He is former chairman of the Healthcare Information and Management Systems Society's Government Relations Roundtable.
Deloitte Center for Health Solutions
MARIANNE MCGEE: Tell us very briefly about your organization and your role.
HARRY GREENSPUN: I'm a physician and I work in the Deloitte Center for Health Solutions, which sits outside the functional components of our consulting organization. ... We are the research and think-tank arm that supports the needs of our clients and also our providers.
Challenges for CIOs
MCGEE: Based on your recent study, tell us what the biggest challenges are that healthcare CIOs are juggling. Where do security and privacy issues fit into those challenges?
GREENSPUN: Our goal was really to find out, on one hand, what CIOs were dealing with now, but, more importantly, the challenges they face in the coming three to five years. We surveyed CIOs from around the country at various different types of healthcare provider organizations. One of the most interesting things was that most are dealing right now with what we call foundational issues of getting EHRs implemented, building electronic or enterprise data warehouses and ICD-10 [coding] conversions. All of them saw this expanding role of responsibility. They're building analytics platforms, becoming a data-driven organization, and there are a lot of privacy and security issues that arise from that as data starts flowing in and out of an organization, not just within its four walls. It's on mobile devices, it's pulled from odd types of data sources and it poses a lot of new challenges.
MCGEE: What are some of those challenges?
GREENSPUN: One of the biggest challenges they face is dealing with the loss of a secure perimeter. In the past, information was controlled within the four walls of institutions, and now you have health information sitting on mobile devices. You've got people accessing information remotely. Data is being shared across organizations, and from organization to organization. With stricter HIPAA requirements for privacy and security and issues around the False Claims Act, there are lots of new requirements to make sure that the data has been secured and that people accessing it are the appropriate folks, because the penalties for not doing it properly have really grown.
Security, Privacy Responsibilities
MCGEE: What responsibilities do healthcare CIOs have in security and privacy strategies of their organizations?
GREENSPUN: It's really an evolving aspect in the sense that CIOs in the past have been focused simply on implementing applications and "keeping the lights on" in an organization. Now they're part of the strategic positioning of an organization. And one of the challenges they face is looking at the evolving landscape of privacy and security they're going to face and having to work with others in the organization to put together a roadmap of what their privacy and security challenges are going to be, how they're going to manage that and how that might change in the future so they have a flexible way of responding to those needs.
MCGEE: How is the role of CIOs changing as it pertains to privacy and security at organizations? For instance, is this something that they delegate to others? Is it something that they lead?
GREENSPUN: We see a mix in the sense that the role of CIOs has changed to become a much more strategic role in an organization. As healthcare moves from our volume-based reimbursement model to more of a value-based reimbursement model, CIOs are being tasked with pulling their data together that's not only clinical, but financial and administrative, to show that an organization is producing high-quality care at a lower cost. They've got to build these very robust capabilities to demonstrate that. The amount of data and the way that it's flowing, both inside and out to the organization, poses some new privacy and security concerns. They have to really beef up the work they do in this area, expanding the capabilities, bringing in new people with new skill sets and largely trying to beef up the leadership within their organization to meet these challenges.
MCGEE: Can you describe the relationship that CIOs have with chief information security officers and chief privacy officers, if their organizations have those positions? If an organization doesn't have a CISO or a privacy officer, do the CIOs take on that role?
GREENSPUN: It really depends on the size of the organization and the complexity of the data they're dealing with. Many organizations have a very robust CISO and chief privacy officer organization and apparatus in place. Other places, the CIO has to manage those roles. But those responsibilities are becoming more distinct and more critical to the successful function of the organization. As I mentioned, the penalties for failing in any of these areas are going up considerably, and the complexity of this is increasing rapidly. Therefore, we're seeing organizations beef up those roles. The challenge people are having is identifying high-quality individuals experienced in healthcare who can manage that kind of responsibility.
MCGEE: You mentioned some of the regulatory pressures that CIOs are under. What sort of role are CIOs taking when it comes to regulatory compliance at their organizations, especially when it comes to HIPAA Omnibus?
GREENSPUN: The challenge is ... on the one hand, there's a priority to secure information, and the penalties for not securing it properly are very high. The flip side of that: The need to share information within an organization and across organizations for care coordination and even consumer engagement is going up. If you look at [the HITECH Act] meaningful use [electronic health record incentive program], there are requirements for getting data out to consumers. Making information available to providers and others within an organization at the point of care requires much more movement of data, which makes securing that data that much harder. On the one hand, CIOs are pushed to get data to the right people in the right place at the right time, but also the penalties for messing up in that process have gone up considerably. It's really a dual challenge. The stakes have been raised.
Improving Security, Privacy
MCGEE: Finally, what steps should CIOs take to improve security and privacy practices in their organizations?
GREENSPUN: Fundamentally what they need is to have a proper frame of mind around this in the sense that this is not about securing individual applications or individual systems; it's looking ahead the next three, five or 10 years and thinking about where their information will be, who's going to be using it and for what purposes. How are they going to architect a system? How are they going to create governance? And how are they going to build relationships, in a leadership organization, to manage that process? It's going from a tactical privacy and security approach to one that's very strategic, and I think that's going to be the challenge for a lot of organizations moving forward.