John Glaser on Encryption
Earlier, Glaser explained why he was making data encryption a top-priority task and urging others to do the same.
In an exclusive interview, Glaser reveals his security to-do list, including:
- Encrypting hard drives on mobile devices;
- Implementing encrypted e-mail;
- Updating all security policies and procedures to reflect current state and federal regulations;
- Lobbying for additional security staff; and
- Ramping up disaster recovery capabilities.
Encryption is vital, Glaser stresses, especially because so many of the major breaches reported so far have involved lost or stolen mobile devices, rather than major hacking attacks. "It's just like more lives are lost on any particular weekend by drunk driving than by airplane crashes that draw the headlines," he says.
The CIO also reminds his peers that federal regulators are about to ramp up HIPAA privacy and security audits, creating yet another reason to get serious about risk assessments and security plans.
At the end of March, Glaser concluded his role as a senior adviser to the National Coordinator for Health Information Technology at the Department of Health and Human Services, which is taking the lead role in implementing the HITECH Act.
As CIO at Partners, Glaser headed IT efforts for Massachusetts General Hospital, Brigham & Women's Hospital plus several community hospitals and a long list of clinics.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we are talking with John Glaser, CIO at Partners Healthcare System in Boston. John recently completed about 11 months of work as senior adviser to the National Coordinator for Health Information Technology at the Department of Health and Human Services. Thanks so much for joining us today, John.
JOHN GLASER: My pleasure.
ANDERSON: Please tell us a little bit about why you chose to become an adviser at ONC and some of the main projects you worked on while you were there.
GLASER: Well I think it was clear to me, Howard, as it was clear to everybody in this industry, that the ARRA economic stimulus legislation would contain a significant stimulus for electronic health records along with providing funding to the Office of the National Coordinator that dwarfed any funding that it had received before. So I realized that there was going to be opportunity and a likelihood that we would engage in significant change in this industry.
So I contacted ONC and said, given the likelihood of legislation passing, I would be interested in working with you guys to help frame both the regulations and rules that result from the legislation but also the various programs that would obviously be put in place to help the adoption of electronic health records be accelerated in this country.
So that was of interest to them, and Partners was gracious enough to say that is of interest to us and we are willing to grant you essentially half time to be devoted to working with the folks in D.C. to put all of this in play....David Blumenthal then was announced as being the person who would assume the role of the Office of the National Coordinator. I have known David for quite a while, both back to his Brigham and Women's hospital days but also his more recent days with Massachusetts General Hospital....
So I decided to do this because both parties were interested in having me do this and obviously because we were about to be engaged in a major change in the way this industry functioned. So I thought it would be very exciting to be in the middle of all of this.
I was an adviser and I was not a federal employee, and I worked a lot with the federal advisory committees, the HIT Standards Committee and the HIT Policy Committee, to help them get up and running and to help them size up their initial wave of challenges, a proposed definition for "meaningful use" EHRs while also looking at the EHR certification process and how that might work, along with framing some of the initial standards that are required by statute....
So I worked a lot with those committees and their various workgroups to help them come to a set of recommendations, which formed the backbone of a lot of the rules and regulations, which were released in early January of this year. And then I also spent time with David Blumenthal and his folks, helping them think through some of the grant and contract programs; whether it be regional extension centers or health information exchanges or the areas of research that became the basis for the SHARP program. So there were a lot of discussions and a lot of contributions on the contents of the rules, but also the specifics of the grant and contract programs.
ANDERSON: In working with the ONC, which is carrying out the mandates of the HITECH Act, what did you learn about the major privacy and security challenges facing healthcare organizations as they ramp up their use of electronic health records?
GLASER: Well I think there are certainly two broad categories of challenges. One is, and this is particularly true of privacy, it can be really hard to get a national consensus. There are people who have very strong ideas on both ends of the spectrum, and forging a consensus is very difficult at times because there is a lot of emotion in the conversation at times. There are very visceral beliefs because there is a real absence of facts....
So one of the major challenges was just getting agreement on what the policies should be, what are some of the procedures and processes and technologies that ought to be in place. So that is one major challenge, the real diversity of often strongly held positions.
The other challenge reflects the sheer diversity that exists within healthcare. You have very large organizations, such as Massachusetts General Hospital, but you also have solo practitioners and very small community hospitals. So arriving at a technology requirement or standards requirement or regulatory requirement that traverses that range well is really very difficult to do. Things that might be handled by Massachusetts General are just overwhelming for the solo practitioner. Things that might work for the solo practitioner might be regarded as insufficient by the larger organizations.
So I think in this area, and it is true in all of the regulatory areas...getting that right balance is really, really hard to do. An example could be recent conversations here at Partners on how much do you spend on security. That's a good question. How do you know when you are spending too much and how do you know when you are spending too little?
To a degree, regulations will give you an example of the floor, but how far beyond that you go is a very subjective exercise in...assessing risks.
The major challenges were the diversity of opinions and the difficulty of getting a consensus and arriving at one that was practically and financially implementable across the range of sizes of organizations, the types of organizations, of access to IT talent or lack of IT talent that exists across the healthcare system in this country.
ANDERSON: Getting a bit more specific, what advice would you give to hospitals and physician group practices about steps they should be taking now to comply with the HITECH Act's breach notification rules?
GLASER: Well it is not only the HITECH rules, but it is also the state rules. And so we have in Massachusetts some state rules that are more demanding in lots of ways than the federal rules.
You have to become educated about what some of the requirements are. And education can be forthcoming through professional societies or state medical societies, and soon the regional extension centers obviously will have a role in helping people become educated about why these rules and regulations are in place and what some of the options are for implementing them, what some of the options are for some of the technology that ought to be put into place....
The second thing to realize is that it is difficult and will be a challenge to balance the time and the costs of these things and the protections that they introduce with a lot of the stressful workflow demands that exist within most provider organizations. So one just ought to be aware that there is not a magic answer here for implementing a lot of these things.
I think the third thing to be aware of as part of this is that you could argue that a lot of the HIPAA regulations just weren't enforced. And so people felt, "Well you know if I do it, I do it and if I don't, I don't, but the consequences of not doing it are not all that significant." And I think that is really changing. We are seeing a lot more Centers for Medicare and Medicaid Services interest in following up on security audits, and we are likely to see more Office for Civil Rights interest in following up, let alone whatever the states decide to do or some of the accreditation organizations decide to do.
Given all of this, you have got to learn about it and you have got to understand that it is difficult and you ought to understand that it is real and there are a bunch of reasons for doing this, some of which are compliance with regulations, but also some of which are just to protect the asset that is now used to support a range of important and critical clinical operations and care delivery activities that are going on within your organization.
I would also start with some of the simpler things that range from changing passwords to encrypting disc drives on a lot of portable technologies. Some of the simple things are even just making sure that you have at least done some assessment of what are the risks if I were to lose my data today, what would I do and how would I go about that. And you know, do I have reasonable protections from people coming in and trying to phish or whatever else they might be trying to do and make sure that I have covered a number of the fundamentals.
Because regulations aside, what you don't want to do is wake up some day with a busy clinic and find out that the systems aren't functioning. Or, to wake up and find that some data has been compromised and possibly extracted and you have not only an angry set of patients, but also an angry set of regulators looking at you....
ANDERSON: Based on the list of major breaches reported to federal regulators so far, it appears that the most common threat is lost or stolen devices or documents rather than outside hackers. Does that surprise you, and what are the implications for risk management strategies?
GLASER: Well I think one of the things that is coming out of all of this is actually getting better data about what the risks really are and what level of threat prevalence really exists....We heard big sensational stories about people attempting to hack the power grid from China or whatever it might happen to be....which can lead one to believe that hackers are really a predominant threat....But obviously now we are getting data about what the real challenges and threats are.
So in some ways I guess it is not surprising, no more so than it is not surprising that there may be more lives lost on any particular weekend by drunk driving than there are by airplane crash, although when airplane crashes happen they are quite spectacular and draw the headlines....
The fact is that the use of portable devices like laptops, iPhones, iPads...along with the thumb drives is growing and becoming quite extensive for all kinds of really good reasons. They do get lost, and people do steal them, and it is a lot easier to steal some of that or to lose some of that portable technology than it is to go in and have someone heist a server out of a server room or to try to crack into some of the hospital sites.
Also, if you are a hacker and want to go off and do malicious damage, hospitals really aren't number one on your list. There are other targets for which there is more "hacker glory," whether it is the NSA or the CIA, where there is a greater potential upside when one is stealing credit card information and financial information....
ANDERSON: Given that so many of the breaches have involved lost or stolen laptops, hard drives and such, what would be your advice for ways to prevent those kinds of breaches?
GLASER: Well I think encrypting. I mean there are technologies that are available to do that. Sometimes they are a little squirrelly, sometimes they don't work very well with much older equipment, but there clearly is an ability to buy encryption technology that encrypts hard drives and encrypts thumb drives, and I think that is probably the best step you could possibly take.
If nothing else, even if you lose a device, the likelihood that someone would be able to decrypt it is lower....To the degree one is worried about a punitive action on the part of the state or the federal government, the likelihood of that is lessened because you took the step that was prudent to ensure to the degree that you were capable that the information is not compromised.
ANDERSON: Well let's talk a little bit about your priorities now that you are back at Partners full time. What are you working on in the area of risk management and security this year? And why are those the most important tasks to tackle right now?
GLASER: Well part of it is responding to the federal and to the state regulations. So we are in the middle of encrypting all of the hard drives and all of the thumb drives that we can. We are particularly challenged certainly at Partners, but I suspect it is true in other organizations too, because actually we don't have a full inventory of all of the assets for which encryption should be applied. That's because a lot of folks buy their own stuff and we are not aware of what they have bought and we have people who come and go, whether they are investigators or contract nurses or physicians who are infrequent admitters, and we don't see them on any particular day.
The number one issue is going through and making sure that we encrypt those disc drives, and to a very large degree that is driven by state breach notification regulations.
We are also beginning the process of encrypting e-mail that has confidential information. The core part of that is the patient information, but it also can include business information. So we're making sure that there is a secure way of exchanging e-mail when there is sensitive information as a part of it.
Those are the major two things, along with ensuring that we have appropriate policies and procedures across the board. Some of those are quite old, some of those have not been updated recently and some are non-existent. So we are making sure that we have those things up and running and current.
It is a tight budget year, but we are exploring adding additional staff in the security and the privacy realm for all kinds of different reasons. And while everybody understands the need to do that, in a tight budget year...it draws some scrutiny and a level of attention. So we are spending some time paying attention to that and worrying about that.
We also are finding that we are outgrowing our data centers.... It's a complicated financial proposition because they are not cheap, but we also have to accommodate...the better levels of disaster recovery because of our dependence on the technology to deliver care on any given day.
And we're finding that the encryption stuff is hard and it is hard for people to get used to....A lot of our docs use e-mail with their patients and they are finding it challenging and sort of annoying because it is an additional set of extra steps that they have to go through.
Anyway, in our particular realm it is security and it is the encryption of data, encryption of e-mail, strengthening of policies and procedures to make sure they are up to date and reflect the various laws and the maturity of this particular field, but also dealing with disaster recovery and a new data center.
ANDERSON: Thanks very much John. We have been talking today with John Glaser, vice president and CIO at Partners Healthcare System. This is Howard Anderson of Information Security Media Group.