Overcoming ID and Access Management Struggles
Seattle Children's Hospital CISO Cris Ewell on Web Portal Challenges
Pediatric hospitals face an assortment of ID and access management challenges when managing Web portals that provide access to patient data, says Cris Ewell, CISO at Seattle Children's Hospital.
"In the pediatric space, once you go from a provider or workforce member status that has a 'need to know' or 'need to access' that protected health information, and you go to a parent or a family [member], or guardian, or the patients themselves, there are many additional challenges," he says in an interview with Information Security Media Group.
"Depending on the kinds of data - such as reproductive health data or psycho-social data or chemical dependency/substance abuse data - those all [have] additional requirements - state and federal requirements - that you have to protect that level of data," he says. "That makes it very difficult to display certain elements in a patient portal - or any other kind of patient access [vehicle]."
Other complicating factors for patient portal access involve dealing with "blended families," court orders, foster parents and social workers, he says. "The court systems, in addressing who can actually [legally] access the records - and keeping up with that and ensuring that the patient portal addresses all those elements - are very challenging for pediatrics [providers]," he says.
On top of that, adolescent medicine adds even more data access challenges for patient portals, he says. That includes access to records by teenage patients who have eating disorders.
"Displaying the weight to those individuals can actually be detrimental to their health, especially if they are underweight, and have anorexia or any other eating disorder, and [they see] 'I've gained a half an ounce ... therefore I have to not eat for the next couple of days.' Those are real issues that happen that you have to deal with in the pediatric-adolescent medicine atmosphere that general patient portals - especially adult medicine - don't have to deal with as much."
Because of these and other complicated issues, "typically it's a very limited data set that gets put into a patient portal" by pediatric and adolescent health providers, he says.
In the interview, Ewell - who is a featured speaker at the Healthcare Information Security Summit in San Francisco Sept. 17 - also discusses:
- A pilot project that is testing a third-party, two-factor federated authentication and access management system for internal and external systems access, including cloud-based systems;
- The challenges involving ID and access management and the cloud;
- The kind of "pushback" Ewell sees from clinicians when asked to use multi-factor authentication to access patient data;
- The pros and cons of using biometrics in healthcare settings, and also the challenges involving mobile devices being used as "a key" in multi-factor authentication.
As CISO of the not-for-profit pediatric hospital, which is an academic medical center and research institute, Ewell is a senior leader in the organization's information security program. Previously, he served as the director of information security operations at the University of Washington, chief security officer for PEMCO Corp. and chief technology officer for Breakwater Security. Ewell also serves as a professor and guest lecturer at several universities. His current research area includes information security risk management.