Halamka Reveals Compliance Priorities
CIO Says Mobile Device Security Critical
Beth Israel Deaconess Medical Center recently reported a data breach involving the theft of a physician's unencrypted personal laptop computer. The incident has led to stepped-up efforts to make sure that its policy requiring encryption of all mobile devices, including personally owned equipment used for work-related purposes, is followed.
Halamka says security is the "highest area of growth" within his operating budget, taking up a third of his capital budget. "It's a very significant resource area," he says.
Other top projects for this year include improving virus detection, reducing security risks of desktops, as well as improving the ability to identify breaches through audit logs, he says.
In the interview, Halamka also describes:
- The process the organization used to rank compliance projects;
- How much budgets for security and privacy projects are rising;
- The need to address data security as Beth Israel Deaconess launches an accountable care organization. "Getting the right data to the right place at the right time are important for accountable care organizations to function," Halamka says. "I have to share more data for more reasons with more people. But at the same time, I'm being held accountable for security and privacy breach reporting."
Beth Israel Deaconess includes a 631-bed medical center and a health system with 3,000 affiliated physicians, 14,000 employees and several affiliated Boston-area hospitals serving 2 million patients in Massachusetts.
Halamka, a practicing emergency physician, writes the blog Life As A Healthcare CIO. He is co-chair of the HIT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT. Halamka is professor of medicine at Harvard Medical School. He also is chairman of the New England Healthcare Exchange Network in Massachusetts and is co-chair of the Massachusetts HIT Advisory Committee.
MARIANNE KOLBASUK MCGEE: Tell us a little bit about your organization and your role there.
JOHN HALAMKA: Beth Israel Deaconess is a hospital, but like many healthcare organizations in 2012 we're an evolving accountable care organization. We have many community hospital affiliates ... So instead of security and privacy for a single building, we're truly a heterogeneous organization [spread out] over 450 square miles of eastern Massachusetts.
I'm responsible as the CIO for clinical, financial, administrative and the security aspects of all these organizations, in-patient and out-patient and emergency department facilities.
Summer of Compliance
MCGEE: You recently dubbed this summer as the "summer of compliance." What does that mean?
HALAMKA: If you look at the regulatory and compliance environment in 2012, there has just been a significant change in the requirements of IT organizations. Massachusetts' data protection laws require that mobile devices be encrypted. Federal laws like HIPAA and HITECH don't specifically require encryption, but they do give you a free pass if a device is lost or stolen and it has been encrypted. So there's huge motivation to ensure the encryption of devices to prevent reportable privacy breaches.
At the same time, it's clear that issues of getting the right data to the right place at the right time are important for accountable care organizations to function, so [that's] an interesting challenge. I have to share more data for more reasons with more people, but at the same time I'm being held accountable for more security and privacy breach reporting.
The notion of a "summer of compliance" is looking at the risks we face and at the mitigations we will put in place to reduce our risk profile.
MCGEE: What is on that summer list for compliance? Is there an extra sense of urgency about getting them done sooner rather than later?
HALAMKA: What we do is we put together compliance, legal professionals and IT professionals. We had several weeks of retreats and we ranked all of the risks to the organization involving technology. Once we identified these risks, we looked at them in nine dimensions, such as: What's the impact of this particular risk, and the consequences if this particular risk would happen? What's the cost to mitigate, capital and operating? What's the difficulty of mitigation? What's the behavioral change required, the impact on the organization and its staff?
With all that data then, we were able to come up with a list of projects that we felt were high priority and doable in the context of our FY13 budget. We're really looking at a year to 18 months of projects, but the summer has been the time to set the priorities and to kick off the most important ones. For example, some of the safeguards for mobile devices and laptops that are seen as such a high priority, they really have to be put in place this summer.
MCGEE: Are there many projects that are being held for later, and if so what are they?
HALAMKA: Some of the projects are desirable, but so hard and so expensive that they will be deferred. As an example, you walk down to the Apple store today. You buy a brand new MacBook Pro. I don't know about it as the CIO. You walk into the hospital. You connect to the wireless network and you download 100,000 e-mails, some of which contain patient identified data. Well interesting, it's an unencrypted laptop. It's something I have no control over, but you the employee have violated policy and downloaded patient-identified data. What technology controls can we put in place to prevent that? Well, such things as network access control don't allow any device to connect to the network unless it has been registered, logged, encrypted and appropriately virus-protected ahead of time. Nice idea, but the amount of effort required to implement and support network access control is pretty significant. So we look at encrypting everything that we purchase, ensuring that we're doing advanced detection of malware, viruses and attempts at intrusion, breach detection of audit logs - all of these are very doable and certain things that are desirable but expensive and hard may be a "next year" kind of project.
MCGEE: What's the estimated cost of your summer compliance list and what percentage of your IT budget annually is allocated for data security and privacy? Is the trend going up or down?
HALAMKA: When we looked at the comprehensive list of work we wanted to do, this [was] more the 18 months of work [and] about $11 million of capital; when we looked at what we really could do this summer and into our fiscal year FY13, we looked at about $4 million of projects we could just get done. The $4 million ends up being about a third of my capital budget. When I look at my security funding, I spend about $1 million a year in operating expense on security staff and security tool licenses. I will be spending about 30 percent more than that next year.
What we're seeing is security is the highest area of growth of my operating budget and will eat up a third of my capital budget. So it's a very significant resource area.
Preparing for Next Steps
MCGEE: How will meeting the summer compliance to-do list prepare you for the fall, and briefly what's on the list for the fall?
HALAMKA: Well, I guess one asks, "What's risk?" I have always thought of risk as the likelihood of something bad happening times the impact of it happening. So you could say the likelihood is vanishingly small, but the impact is devastating. Therefore the risk is high. But hey, if you discover there's a particular likelihood of badness but the impact is negligible, then maybe you don't need to do that one right away. What we've done in looking at these nine different dimensions of risk ... is create a project plan that will, by fall, and certainly through FY13, substantially reduce our risk profile.
Here's a way to think about it quantitatively. There's a product we use from Rapid7 called Nexpose. ... This particular product generates a risk score of a desktop, a laptop or a device connected to the network. Well, sometimes these risk scores can be very high. So imagine you have people who downloaded Adobe 7 and haven't actually updated Acrobat in three years, or haven't patched Java in years. They're going to have a desktop that may have a score in the million range. Our goal by the fall is to get all desktops in the organization down to the under-a-thousand range. So in effect, what we do as we march through all these projects is reduce our risk profile, reduce the likelihood of a breach and reduce the impact of anything that may happen.