William Bria M.D.: Physicians and Data Security
In this interview, William Bria, M.D., chief medical informatics officer at Shriners Hospitals for Children, describes how the organization's 22 charity care hospitals are striving to provide doctors with easy access to a wealth of clinical information while minimizing the risk of privacy violations.
Dr. Bria, founder and president of the Association of Medical Directors of Information Systems (AMDIS), stresses that the security and privacy of data are essential to improving the quality of care.
The CMIO describes in detail the organization's use of:
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. We are talking today with Dr. Bill Bria, chief medical information officer at Shriners Hospitals for Children. Dr. Bria also is the founder of the Association of Medical Directors of Information Systems, or AMDIS. Thanks for joining us today, Dr. Bria.
DR. BILL BRIA: Thank you, Howard.
ANDERSON: Please briefly describe your role as CMIO for the 22 Shriners hospitals, which provide free care to children. Explain how you get involved in addressing privacy and security issues, especially as it pertains to clinical information.
DR. BRIA: My role as chief medical information officer is really a bridge between the use of information technology and the practice of medicine, to state it simply. The use of electronic medical records is now going into its sixth year in our healthcare system, and I am happy to say that they are available essentially in our entire hospital system.
One of the reasons why I took this job is because IT was done out of a central location. Tampa, Florida is the informatics hub for the entire healthcare system, and every one of our hospitals has a slice of the database that is the Shriners Hospitals for Children Information System. It is my job to continue to enhance, improve and adapt...information technology for the purposes of quality and safety of care.
Privacy and security of clinical information is an inextricable partner with the improvement in the quality and safety of care for so many reasons. For children whom we care for with, for example, very severe burns, we (must make sure) that the information is given to who it needs to be given to and not to those who don't need it. Interoperability within our system is a constant concern, as we often have patients who are cared for and given different services at different hospitals in our system, as well as transfer of that information after the child is cared for and is going to return home or to another location. It has been a key focus in this organization and my role since the beginning, and it is a job of continued and everlasting vigilance.
ANDERSON: I understand that your organization doesn't have a full-time chief security officer, but that the CIO pretty much serves in that role. Can you shed some light on that?
DR. BRIA: Inasmuch as the nervous system of Shriners Hospitals for Children is its electronic medical record, our CIO...is the effective CSO, because the electronic medical record is the most consistent element among all of our hospitals...from Springfield, Massachusetts, to Honolulu, Hawaii; from Montreal, Canada, down to Mexico City, Mexico.
Our legal department has, from the very beginning, been our close partner with regards to compliance, security standards, and (ensuring) information access (only) by those who need to know that information.
The distribution of services and care is a shared responsibility in our system, basically making each hospital in our system their own security entity. And so (our CIO) and his staff have been the architects and the maintainers of the technology for that structure from a security standpoint throughout our 22-hospital system.
ANDERSON: What steps is your organization taking now to begin preparing for compliance with the new federal security breach notification regulations? Is that a function primarily of that legal team you referred to?
DR. BRIA: It is primarily the role and responsibility of our legal team. The necessary data reporting and review of policies and procedures I certainly get involved in, but it is primarily the legal department that actually manages the review and investigation of compliance and security issues.
ANDERSON: Can you give us a flavor of some of the key data security technologies that your fellow physicians on staff there use as they are accessing clinical data systems day to day?
DR. BRIA: Strong two-factor authentication is the front end of our security environment. We use smart card technologies as well as a regular password system, but both must be available.
Newer technologies include a key fob (hardware token) for clinicians with authorization for remote access to our electronic medical record. This third level of security requires them to have the proper digital sequence, a series of numbers generated on the synchronized key fob device. The sequence is known only in the machine room in Tampa, and if those numbers don't line up you don't get access remotely to our system. We spent a good bit of time trying to get the highest level of security.
And we are always looking at other things. We have had demonstrations of everything from face recognition technologies to other strategies as we go forward in trying to strike the critical balance between necessary access and unacceptable risk of loss of data integrity and confidentiality.
ANDERSON: Are you making very extensive use of encryption so far?
DR. BRIA: All of the communications that occur through the system have encrypted communications. We have also added...a secure e-mail system. (The technology) reads the e-mail communications that are occurring throughout our system, and if screening criteria are met (if, for example, a Social Security number or a patient number from our electronic medical record is included in the Outlook e-mail), it will automatically encrypt that e-mail communication.
If it is a communication between individuals within our system, that encryption is essentially transparent to the sender and receiver other than both see the word "encrypted" in the header of their e-mail.
If, however, the communication is going outside our system, then what would occur is that an automatic message without any patient identifiable information is sent to the intended recipient of that e-mail message, and they must sign on securely to a portal where that e-mail message could be obtained after we authenticate that that person is who they say they are.
ANDERSON: Finally, what advice would you give to folks who have responsibility for data security at other hospitals about how to reach out to involve physicians in the selection and adoption of security technologies and creation of security policies?
DR. BRIA: If a technology makes sense from the standpoint of protecting the relationship between the clinician and the patient or the patient's safety and privacy...then physicians can get behind those technologies even if it provides them some degree of inconvenience or change.
If, on the other hand, they perceive a security addition to their environment as inhibiting communication or somehow compromising their ability to reach their patients and communicate with them, they strongly oppose it, and they should.
ANDERSON: Thank you very much, Dr. Bria. We have been talking today with Dr. Bill Bria of Shriners Hospitals for Children. This is Howard Anderson of the Information Security Media Group.
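The content-triggered e-mail encryption Dr. Bria describes (scan outbound mail for identifiers such as a Social Security number or a patient number; encrypt transparently for internal recipients; for external recipients, hold the message and send a notice containing no patient-identifiable information that points to a secure pickup portal) can be modelled as a small policy routine. The following is an added illustration written for this interview, not code from Shriners Hospitals for Children or from any vendor product. The internal domain, the portal URL, the "MRN-" patient-number format, and the sample messages are all constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical internal mail domain(s); stands in for whatever domains the organization owns.
INTERNAL_DOMAINS = {"hospital.example"}

# Detection patterns (constructed for this example):
#  - a US Social Security number in the common dashed form
#  - a hypothetical patient-number format "MRN-" followed by 6 to 8 digits
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "patient_number": re.compile(r"\bMRN-\d{6,8}\b"),
}


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Decision:
    action: str                      # "send", "encrypt", or "hold_and_notify"
    matched: list[str] = field(default_factory=list)
    outbound_subject: str = ""       # what actually leaves the gateway
    outbound_body: str = ""


def find_sensitive(text: str) -> list[str]:
    """Return the names of every pattern that matches, in stable order."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def is_internal(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in INTERNAL_DOMAINS


def decide(msg: Message, portal_url: str = "https://portal.hospital.example/pickup") -> Decision:
    """Apply the gateway policy to one message and say what should go out."""
    # Subject lines leak identifiers just as often as bodies, so scan both.
    matched = find_sensitive(msg.subject + "\n" + msg.body)
    if not matched:
        return Decision("send", [], msg.subject, msg.body)

    # All recipients inside the organization: encrypt in transit and mark the
    # header so both sides see "encrypted"; the content itself is unchanged.
    if all(is_internal(r) for r in msg.recipients):
        return Decision("encrypt", matched, "[encrypted] " + msg.subject, msg.body)

    # Any recipient outside the organization: the original message is held for
    # portal pickup. The notice deliberately omits the subject and body, since
    # either may carry the very identifiers that triggered the rule.
    notice = (
        f"A secure message from {msg.sender} is waiting for you.\n"
        f"Sign in to retrieve it: {portal_url}\n"
        "You will be asked to verify your identity before the message is released."
    )
    # Defensive check: the notice must never trip the same detector.
    assert not find_sensitive(notice), "notice must not contain protected identifiers"
    return Decision("hold_and_notify", matched, "Secure message waiting", notice)
```

A message with a mix of internal and external recipients takes the external path for everyone, which is the conservative choice; a real gateway would also log the match names (not the matched values) for audit, and would tune the patterns against false positives such as order numbers that happen to look like an SSN.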