Kenneth Bradberry: Risk Analysis Is Never-Ending
In an interview during the HIMSS Conference in Atlanta, Bradberry said:
HOWARD ANDERSON: This is Howard Anderson, managing editor with Information Security Media Group. Today we are talking with Kenneth Bradberry, vice president and chief technology officer at ACS, A Xerox Company, at the HIMSS Conference. Thanks so much for taking some time today.
KENNETH BRADBERRY: Thank you very much. Great to be here.
ANDERSON: What advice would you give to organizations preparing to comply with the HITECH Act breach notification rule? Are there certain steps they should be taking now if they haven't already?
BRADBERRY: First is to keep track of the...HIPAA and HITECH regulations as they change. They seem to be updating the regulations on a regular basis, and keeping track of that is important to understand what your requirements are to stay compliant.
From there you really have to have good security practices all around...at every layer of both infrastructure and application delivery, and then consider how you interact with your patients, and how you interact with outside providers.
When you are communicating information to your patients, when you are communicating to the insurance payers and when you are communicating to the community, there is a big push toward health information exchanges and personal health records, especially delivered in the cloud architecture. So it is very critical that you understand that no technology is going to solve your security issues as much as having great policies and following your policies and keeping your caregivers and your hospital staff compliant....
ANDERSON: HITECH enables organizations to forgo reporting breaches if they use a specific type of encryption. So are you advising clients to apply encryption more broadly to e-mail, mobile devices, and even data at rest?
BRADBERRY: You have to have ways of controlling how data is sent to those devices, how it is transmitted back and forth between not only mobile devices but through the different e-solutions, like e-referrals, e-prescribing and a variety of ways that data is getting moved in and out of hospital organizations. So having encryption in place...is really of paramount importance, especially when it comes down to extending electronic health records and personal health records out to a variety of portable devices. It is just a critical piece of infrastructure.
And if you don't have good security practices at the foundation, as you extend out to these different, newer capabilities, you are just going to exacerbate your security problems. There is no way to mask that, and you have to have a solid foundation in security...
ANDERSON: Should hospitals be conducting a risk analysis on an annual basis and what should the key components be?
BRADBERRY: I think annual would be too minimal. You really need to have a proactive security model in place. It is so critical, especially as we evolve out of paper charts; you really need to have a proactive strategy for security compliance.
CIOs...and others have to understand at all times what their risks are and have a way to proactively do that through vulnerability scanning, through constantly making your security and the protection of patient records your key design criteria whenever you are implementing new systems, adding or patching. It just has to be part of your culture.
ANDERSON: So you think a risk assessment is kind of a never-ending, ongoing story?
BRADBERRY: I guess in the past it has implied that it was a one-time event, you get a report, it gets put on a shelf and you will consult it. Whereas a proactive approach to security means that your risk assessment is part of your operational awareness. You know, in the military you always deal with situational awareness where you want to know where everything is at and what the status is; and it is the same thing in healthcare. As we move forward, you need to have your operational awareness.
The days of being surprised and ending up having your facility on CNN because somebody found patient records should be over. It is really a question of what type of infrastructure you have got in place, and the systems and practices that you are deploying. Being proactive about security is really a critical design requirement.
ANDERSON: As a result do you think all hospitals need a full-time chief information security officer?
BRADBERRY: A privacy officer evolved out of the HIPAA requirements. For a security officer, the focus needs to be someone who has the responsibility for the strategy of that provider system. Is it appropriate for every provider system? I guess it is a question of scale.
Larger systems I would say yes; smaller systems potentially might have it as part of the CIO role.... If you have a 50-bed or 100-bed hospital, you probably aren't going to staff a dedicated security strategist, although you might have a security director or manager who has a technical role as well as a strategic role. But I think it is a very valid role to have within your organizational hierarchy.
ANDERSON: Thanks Kenneth. We have been talking to Kenneth Bradberry of ACS, which is now a part of Xerox. This is Howard Anderson of Information Security Media Group from the exhibit hall at the HIMSS Conference.