Insights from Cross-Industry Experience
InfoSec Leader Applies Lessons to Healthcare
Complying with the HIPAA Omnibus Rule requires careful planning, says John Pritchard, information security manager at St. Charles Health System in Oregon. That's why he helped form a task force to lead the effort.
"We're going to look at individual things that are published within the final rule and figure out how we're going to respond to each of those," Pritchard says in an interview with HealthcareInfoSecurity (transcript below).
Pritchard says the final rule aids in reducing much of the ambiguity that existed around existing HIPAA and HITECH Act regulations.
"One specific example ... is that the final rule has actually made it easier for healthcare systems to work with their communities to improve the health of their population," he says. "For example, it's now possible to more easily release immunization records of our patients to schools to show that we're complying with those mandates."
Before the omnibus rule was issued, St. Charles Health System launched a number of security initiatives. For example, it implemented full-disk encryption on all computers to protect data in case of theft or loss. It also rolled out a records access auditing system.
In the interview, Pritchard also describes:
- Why the healthcare sector needs to better apply the concepts of repeatability, consistency and continual process improvement;
- The biggest security threats to healthcare and other sectors;
- How security information and event management systems and data loss prevention technologies, commonly used in other industries, can also improve security at healthcare organizations.
Before joining St. Charles Health System, Pritchard worked at a security operations center in positions ranging from front-end security analyst to leading a senior security engineering team. He also served as a principal engineer on the internal security operations team at a multi-national corporation. Over his career, his security work has spanned several sectors, including financial services, government, energy and automotive.
St. Charles Health System
MARIANNE KOLBASUK MCGEE: First, tell us briefly about your organization and your role.
JOHN PRITCHARD: St. Charles Health System is a non-profit health system. We have four acute-care hospitals and 20-plus outpatient clinics. We serve the central Oregon region. ... We're on the east side of the Cascade Mountain range, which isolates us from most of the large population centers in the state, and that actually gives us an extended service area of about 30,000 square miles. ...
I run the IT security team. We support the entire healthcare system, and one of our central missions is to enable the business and execute on their mission and strategic objectives while keeping data security and patient privacy in mind. We've got a pretty bold and ambitious vision for our organization ... creating America's healthiest community.
MCGEE: Based on your background outside of the healthcare industry, what are some of the lessons that healthcare organizations can learn from those other industries in terms of improving data privacy and security?
PRITCHARD: First, let me start with giving your listeners an understanding of some of the other industries I've played in. Originally, I started off doing consulting, and as I was doing consulting I worked extensively in the financial sector. I worked in the Washington, D.C., area in a managed security services capacity, and that enabled me to interact with a number of different industries, whether that is the financial sector, government sectors, automotive industry, energy sector and those kinds of things. I've had an interesting opportunity over the course of my career to see a lot of the different industries. ...
What's interesting about healthcare - and I've only had two years in the healthcare industry - is it's really unique and challenging in the sense of the complexity involved. Some of that complexity comes from the sheer number of players involved, whether that's people providing care to the patients, or the insurers ... [plus the] number of systems involved and the number of applications involved, and then the state of rapid adoption of technologies. A lot of these players in the healthcare industry are transitioning from paper-based processes into electronic systems, and what that means for them is to have to change work flows and business objectives, adopt technology and do that in a good way.
... The biggest thing that healthcare can glean from other industries is the idea of really careful planning. You need to articulate the business objectives to the organization and make sure that whatever kind of technology you're putting in place, whatever kind of change you're making, is well-planned and designed, resourced appropriately ... and that you can execute in a successful fashion. Then, behind all that is the idea that you're never just done; you need to be able to go back and follow that plan and see how it went, check, and then be able to iteratively improve whatever it is you put in place - look for gaps and have that continual process improvement going on.
MCGEE: What particular kinds of security technologies and best practices do you think that healthcare organizations should be tapping more?
PRITCHARD: The technologies themselves that healthcare organizations should be tapping are less important than the concept that whatever it is they do, they need to focus on repeatability and consistency. ... There are things that you can put in place and it will work. It will do what you need to have it do; but in order to be successful you may need to throw bodies at it. That's not necessarily going to scale for an organization, so really this comes back to planning and business objectives. You really need to think carefully about what your overall business objective is and how to execute against that. This is where things are so complex and you need to look at automated solutions to be able to succeed effectively.
MCGEE: What about best practices that healthcare providers should be tapping more that might be something that has worked well in some of the industries that you have experience in?
PRITCHARD: If we wanted to take a deep dive into specific technologies that I've seen in other industries that work really well, security information and event management can be a very powerful tool for an organization in terms of being able to pull in data from lots and lots of different sources and evaluate that in an automated, repeatable fashion. This kind of comes back to that original thought of how you want to approach things. There are technologies that are very successful in the financial industry, [such as] data loss prevention technologies ... that automate the ability to look for patient data that may be moving around your networks and help with understanding where it's moving and making sure that it's moving in a secure fashion. If you're looking to evaluate how your employees and business partners are interacting with patient data and making sure that's done in an appropriate and secure manner, there are automation solutions that you can look to there as well.
Impact of HIPAA Omnibus
MCGEE: What's the impact of the recently released HIPAA Omnibus Rule on St. Charles' data security and privacy project plans? For instance, do any of your priorities need to be shifted?
PRITCHARD: That's a really interesting question and I think everyone was waiting with bated breath until the end of January when the final rule came out. ... The good news is we all knew it was coming. There was an opportunity to be preparing for what the final rule would come out with. At St. Charles, the way we're responding to it is we've established a task force and we're going to look at individual things that are published within the final rule and figure out how we're going to respond to each of those where they're relevant.
By and large what's really nice about the final rule is it reduces a lot of the ambiguity that existed within the original HIPAA and HITECH regulatory stuff. There are some really nice advantages to that. One specific example is that the final rule has actually made it easier for healthcare systems to work with their communities to improve the health of their population. For example, it's now possible to more easily release immunization records of our patients to schools to show that we're complying with those mandates.
Privacy & Security Projects
MCGEE: What kinds of privacy and security-related projects are on St. Charles' to-do list?
PRITCHARD: This is a really fun one, and this is one where I'm going to get on my soapbox and I'm going to explain that security isn't something that you achieve. It's something that you do every day. It's a lot like quality. It's that continual process improvement. In that respect, there's always something to do to be more secure. There's always something there. What I would like to share is some of the stuff that we've done over the last couple of years that we're really proud of at St. Charles.
Starting in 2011 and completed in 2012, we rolled out full-disk encryption to our entire health system. ... What that basically [means] is it's a military-grade encryption that we place on our computer systems so that, in the event [that] a computer was lost or stolen, we've taken ample steps to protect any data that may be residing on that physical device to make sure no one is going to be able to access it if they weren't authorized. Within that product, there's that continual lifecycle that we have that's now embedded within the fabric of our organization and something that we have to continually work with and improve.
Another really interesting example that's helping us achieve a lot of these HIPAA final rule objectives is we've rolled out a tool called FairWarning Audit ... This tool is a framework for automating your review of your employee access to patient data and making sure it's business appropriate.
Top Security Threats
MCGEE: What do you think will be the biggest security threats facing healthcare organizations looking ahead, and how should they be preparing for them?
PRITCHARD: With respect to the biggest security threats that healthcare organizations are facing, we need to look at the context of the rapid change within the healthcare environment. This [includes] electronic medical record systems that may be rolled out for the very first time at organizations. With that there are going to be massive changes in workflow as they transition from paper to electronic records, the interaction of all the different back-end systems that may be talking together and interacting.
When you look at the biggest security challenge, it comes down to things like people, planning, process and understanding business objectives - making sure that as organizations transition into this new electronic age they're doing so in a thoughtful, well-designed manner.
If you're looking for specific technologies, the kinds of things that keep me up at night in terms of security threats facing both the healthcare sector as well as other sectors in general is the massive consumerization of electronic devices within the workplace. If we look at the doctor with the iPhone or the patient with the iPad ... these are all becoming part of the daily fabric of our society. They're coming into the healthcare environments as well.
There's amazing opportunity here if we understand these devices and how they can interact and work with our mission to provide patient care. At the same time, there's a huge risk if we jump into that feet first without really taking the time to think and plan appropriately, understand what a mobile strategy would look like and how to execute that against a long-term vision for what the future-state should look like two, three or five years down the line.
In my mind, that's one of the biggest threats. There's so much change going on, and change is happening so rapidly that organizations really have to be prudent with what they do, when they do it and how they do it, and make sure that their appetite and their expectations are set so that they can execute in a high-quality manner and keep patient privacy and security in the forefront as a key component of high-quality patient care.