Michael Frederick: Baylor's Compliance Strategy
In an interview, Frederick, who heads a staff of 22, describes how the framework is helping him achieve several goals, including demonstrating 100% HIPAA compliance. He also:
Frederick, who became Baylor's first full-time CISO two years ago, serves the entire health system, which includes 13 hospitals and more than 100 clinics.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Michael Frederick, chief information security officer at Baylor Healthcare System. Thanks for joining us today Michael.
MICHAEL FREDERICK: You're welcome.
ANDERSON: How long have you served as chief information security officer?
FREDERICK: I have been the chief information security officer for two years now. I have been at Baylor for a total of five years. Previous to that I was the manager of security operations for the healthcare system, and I do have the scope of responsibility for the entire healthcare system.
ANDERSON: So were you Baylor's first CISO? How has the role evolved in the two years you have had it?
FREDERICK: Yes, I am the first one to have the title of chief information security officer here; prior to that it was a corporate director position. As far as the evolution, it has really gone from an IT-focused group to one that is more corporate-focused. We spend a lot more time with processes and dealing with people issues and have a lot more visibility at the board level. One of the first things that I did when taking over was to form a governance group. We have a security council that has representatives from HR, legal, compliance, internal audit and IT. We have some operational representation from finance and from some physician leadership. The group is actually sanctioned by our board of trustees, so it is actually a board-level function at this point.
ANDERSON: So do you have a security staff?
FREDERICK: I do. Including myself, my department is about 22 people. I have three functional areas that report to me. One of them is identity management; they deal with everything that is user name and password related. I have got another security assurance team that is responsible for policy and procedure management, assisting me with the governance process. They do a lot of risk assessment work on applications, and they also have business continuity responsibilities. And then I have a monitoring and response team, and they are really the operational component. They run our intrusion detection systems, all of our antivirus, our URL filtering, our e-mail encryption, our PC encryption, hard drive encryption and they also do a lot of forensic support for the legal, HR and compliance folks.
ANDERSON: I understand that making use of encryption is one of your top priorities for this year. Are you encrypting e-mail, data on portable devices as well as data at rest on hard drives?
FREDERICK: We are. We are doing all of the above. We have some software in place that is a rules-based product for e-mail so e-mail that goes outside of our gateway--outside of our network--is encrypted if it contains certain information. Right now we are monitoring for things that would be considered PHI (protected health information) and/or some known financial type of information that could be sent out via email.
We are encrypting, or we have plans to encrypt, all portable devices. We have started with our laptops. The software that we purchased for that has port control capabilities, which are going to allow us to encrypt thumb drives or any external storage device that is attached to them. And we have just started rolling out that encryption to PCs in addition to the laptops. We are encrypting everywhere that we reasonably can.
ANDERSON: So in your data center will the hard drives eventually be encrypted as well?
FREDERICK: We do not have any immediate plans on the servers. We are still looking at potential solutions both native to some of our database vendors as well as third-party products in order to encrypt some of what I would say are sensitive databases, but we have not implemented any of that to date.
ANDERSON: Another one of your priorities is making sure you have audit trails that can help you produce reports that demonstrate compliance with federal and state security requirements. Please tell us a little bit about that.
FREDERICK: Sure. About a year and half ago we purchased a log aggregation security event-monitoring tool and we decided that we were going to make that the cornerstone of some of our regulatory requirements when it came to reporting on access to personal information. So...we started with all of the infrastructure first, meaning active directory, some of our network devices, VPN, and getting those audit trails into this product. We are in the process of hooking up applications to the tool as well.
Our main electronic health record application, which is from Eclipsys, we have had hooked up for a year. So we are getting their audit trails and we have two more enterprise applications that will be there within the month. And we are doing an ongoing readiness assessment with the rest of our application portfolio to see which ones are going to be easy and which ones are going to be a bit more difficult.
So we have a lot of work still to go on. But so far it has been pretty successful, and through that automation we have been able to help keep the manpower or labor required to do some of these tasks to a minimum.
ANDERSON: I understand you are devoting more resources to disaster recovery and business continuity efforts. Please tell us why that is a priority and describe some of those investments for us.
FREDERICK: Sure. As information moves to an electronic platform, some of the old standbys of the pieces of the paper that were floating around are going to be disappearing. And so whenever a caregiver on the floor needs information, the systems are going to have to be up and available. There is not going to be a lot of tolerance for extended outages, unplanned outages, large maintenance windows or any of those types of things.
So some of what we have done is we have made a concerted effort to make sure that we have a criticality assessment done on all of our applications to determine which ones really have that up-time requirement. We have also, for anything that was ranked high from an availability standpoint, created disaster recovery plans where we outline what the recovery procedures are and how long it will take us to get it back up.
And then for some of the enterprise applications we have--and we actually got some national recognition for this--we have built a downtime viewer so while providers will lose the capability to do additional charting or whatnot when a system is not available, any of the information that was in there prior to the outage is still going to be available on a "read only" format through a separate system that is housed at a totally separate data center from where the production live version is.
And so those are some of the investments. There has been a greater appreciation for spending the additional money to build something that is redundant instead of waiting until you have proven your point with an outage. So I actually have three people that are dedicated to those processes on my staff.
ANDERSON: Baylor is using the HITRUST common security framework. For those who may not be familiar with it, please describe the framework and why you chose to use it and how it has helped you achieve some of your security goals.
FREDERICK: Well the common security framework from HITRUST is really a framework that was built through collaboration within the industry and professional services firms to try and get a single tool that can be used that if you are compliant with this framework you should be compliant with most of the regulatory requirements that you have in the marketplace.
We were one of the first to join on. I actually led the provider review group, the industry review group during the development of the framework. And what was intriguing to me about it was, first and foremost, being able to drive consistency in how people address security issues. Of course being in a major metropolitan area with multiple competitors in the marketplace I was increasingly frustrated with physicians and providers coming up with the argument whenever I tried to impose a control that the hospital down the street doesn't make me do that so why should you make me do it and therefore just artificially keeping the bar low when it came to security.
So we viewed this as a way to get something that is accepted by the industry that would bring some consistency so that Baylor didn't have to differentiate itself; it wasn't at a market disadvantage or advantage by its security posture.
The other part of that is in the vendor space, being able to vet vendors and their risk position and their control posture before you purchase a product or service, or before you agree to share information with somebody. It is very important, at least to us here at Baylor, that we would be able to rely on somebody's security posture when we are giving our patient's information or turning that over, whether that be through an ASP arrangement or with information flowing freely between organizations (such as through a health information exchange). You know when a patient gives us their information we have a duty to that patient to protect that information, and turning it over or sharing it with someone who may not have or share the same tolerance for risk is something that we look at pretty closely. We thought that this would be a good vehicle for solving that problem. The third piece of this deals with the certification. There has been a lot of talk and speculation about "meaningful use" (the federal EHR incentive payment program). The one thing that is consistent is they require you to be 100 percent HIPAA compliant. There is nothing really out there that you could latch on to that would act or fulfill that burden of proof. We believe HITRUST can do that.
If an organization goes through and gets certified against the common security framework, they will have an independent third party attest to the fact that the controls are in place that meet the HIPAA regulations. That is huge for us.
ANDERSON: What steps is Baylor taking to comply with the new HITECH Act breach notification rule?
FREDERICK: We have been working jointly with our compliance folks and our medical records department. We have a system in place where my monitoring and response team does a lot of the tracking of incidents. The compliance officers report to us and ship us updates. We essentially keep the case log for each of the incidents, and then our compliance department is the one that has the burden for reporting anything to HHS on a quarterly basis or annual basis. So it is really a collaborative effort.
We do have a committee of people that are pulled together in the event that we have a breach of over 500 records, and that would include our PR folks, our legal department, compliance, my department and the medical records department. So in the event that we have a breach of that magnitude, we have a rapid reaction force that is already in place.
ANDERSON: Thanks for taking some time with us today Michael. We have been talking with Michael Frederick of Baylor Healthcare System. This is Howard Anderson of Information Security Media Group.