Mark Ford of Deloitte on Risk Management
In an interview, Ford offers advice on how to:
He also predicts the HITECH Act will serve as a catalyst for hospitals to standardize on fewer clinical information systems to help them simplify their security assurance efforts.
Ford is principal of security and privacy services in the healthcare provider practice at Deloitte. The former officer in the U.S. Army Military Intelligence Corps has 14 years of information security and controls consulting experience.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Mark Ford, principal of security and privacy services in the healthcare provider practice at Deloitte. Thanks so much for joining us today, Mark.
MARK FORD: You bet.
ANDERSON: One of the tasks that chief information security officers are tackling now is compliance with the beefed-up HIPAA privacy and security regulations under the HITECH Act, which includes new breach notification requirements. So what advice would you give to CISOs about educating their board of trustees as well as senior executives at their organization about these new requirements?
FORD: Well, I think now is the time to really be doing that. We are in the early stages of the HITECH Act and assessing what the impact will also be coming out of the healthcare reform that was just signed by the President. It is important now to start the education process, and the way we are helping our clients do that is to really get some discussion going on with senior management about what the impact may be coming out of the HITECH Act...things like the breach notification rule and how patient health information is being handled within the environment, and the...potential impact if some of that information is divulged inappropriately.
There is more "teeth" (for enforcement) in the HITECH Rule than the HIPAA Rule and tougher fines.
ANDERSON: What specific steps should hospitals, clinics and other provider organizations be taking right now to comply with the breach notification rule?
FORD: Well, for sure you need to start to get your arms around the rule itself and what your requirements are going to be for response. To do that, it really takes some understanding of where your data is vulnerable, where this information is today and how it could potentially be breached.
Many healthcare organizations today still have this information in hard copy, and they have it under physical protection and controls, and under the HIPAA rules there were a lot more stringent safeguards put in place around that. But as they move toward...electronic health records, there is a need to take a look at where that information may lie and in what forms it may be available inside the hospital systems, inside the payer systems and outside.
They have to also make sure they have a breach notification process and that it is up to date.... So if you can have the capability to be able to understand where the potential for a breach exists...and respond to it, then you have the opportunity to maybe stem that flow before it becomes something that is a significant impact to your reputation....
What we are finding is that many of the breaches are coming from...unstructured data that is carried around by people on their laptops or on their handheld devices or is streaming over a network line that is outside the organization but unencrypted. And those are where the mistakes are happening; where a breach can actually cause you the most pain....
It is really important also that your management is involved with this program and that there is a tone from the top that this is very important. Because what we have seen traditionally, especially in the health provider sector, is a certain amount of...a back-burner type of attitude toward IT and IT systems because, let's face it, the providers are there to deal with the patient situation and to save lives first and that is their job....But at the same time, this information is also very important, and the privacy of this information and what its impact is to the people is significant, which is being recognized and realized due to these new breach notification rules.
ANDERSON: Many hospitals took a best-of-breed approach to acquiring niche clinical applications from multiple vendors over the years, so today they face the challenge of making sure those dozens, if not hundreds, of applications are all secure. What advice do you have on how to tackle that enormous task?
FORD: We have seen a very similar type of process, I would say, equating it back to the 1990s, when we had the Y2K event and the same type of issue was on the table for companies. There were disparate systems all over the place that had data, and they needed to get the date problem fixed, and they had to get through a pretty comprehensive program to be able to assess where that information was and change the systems affected, and that was pretty laborious to go through. Or, in some cases, they took the opportunity to upgrade their systems to newer, more modern systems that provided the capability in the box, so to speak....That really helped organizations jump ahead of that problem they had with Y2K, but it also provided a lot of value to the organization.
I anticipate that that's one of the things that is going to happen now, especially for those environments where you have the ability to fund that type of investment. In fact, we are starting to see that with some of the major hospital systems today.
For those who may not be able to go in and put in a big new clinical information system, they may need to take a very risk-based approach on how they are addressing the problem. What I mean by risk-based is to find out where your most vulnerable applications are and what it takes to fix those first, really zeroing in on where the potential for you to have a breach is, and then taking care of those on a prioritized basis so that it gives you the best possible way of dealing with it.
And in some cases you may not need to change many of the information systems, because you may be able to tell from your risk analysis that it is just not something that is going to have a high potential of being breached, and the potential costs associated with changing it are just not something that you want to factor in. So that is what we are always recommending...
ANDERSON: So do you think hospitals may be gradually moving away from a best-of-breed approach toward using software from fewer vendors so they are easier to manage and easier to keep secure?
FORD: I do think so. I think over time we are going to see more and more of that. This HITECH Act is going to be one of the, I would say, "events," kind of like Y2K was back in the '90s, to get this process done. Sometimes it takes that in the IT world, some type of an event like this that really spurs the investment, something that the hospital system has been wanting to do for many years, but this is the event that really kind of moves them forward to invest the money.
The thing is that, nine times out of ten, you are going to come away with a much more secure but also much more efficient system, and it is going to give you the opportunity to really enjoy a much longer success with the new systems as opposed to having all of these disparate systems that don't interoperate that well together, are not really connected so that they can leverage electronic medical records effectively, as an example.
ANDERSON: The breach notification rule in the HITECH Act includes a safe harbor stating that organizations that properly encrypt data using a specific form of encryption don't have to report major breaches. So what is your advice on how widely hospitals and clinics should apply encryption to mobile devices, desktops, e-mail and even databases on the backend?
FORD: You need to start this out on a risk-based approach. So if you are thinking about encrypting everything everywhere and just going and doing it, sometimes that is not the most economical way. It is kind of overkill. That may not be what you need to solve your problem....
So taking an approach that is to understand where your data lies and what information really needs to be encrypted is the first step.
If data is...moving through the system across your network in some form or fashion, then it should be encrypted in some form....
I mentioned earlier that one of the biggest vulnerabilities we have is unstructured data, that information that is not contained within the clinical information system, or the databases that support it, but rather is pulled off as a report and is kept on someone's laptop. So if the laptop is unencrypted, now you have data, private information, that is riding around on somebody's laptop, the laptop gets stolen, you know, just fill in the blank there.
So where you may have very strong controls within the application itself and within the database and surrounding the database, if you are not also thinking about where that data may end up on a PDA for example, then you have to rethink how your data is moving across the organization and how do you manage that.
I know Deloitte itself has a lot of laptops and we deal with client data in the same way; we treat it just like a hospital system would treat patient health information. We had to go through a whole process where we needed to encrypt all of our laptops and we also use PDAs, so the PDA is a big concern for us as well, although that is a little bit more challenging when it comes to encrypting the information that is sitting on a PDA.
ANDERSON: To wrap up, what other advice would you offer to hospitals and clinics in terms of taking a risk management approach to information security rather than just a regulatory compliance approach?
FORD: First, like I said earlier, you need to get a handle on what the compliance requirements are going to be, and then, to apply that to your organization, it makes sense to be looking at it across the organization from a holistic perspective.
We are typically helping clients assess what we call a common security framework, and that will allow them to start doing standardized programs and processes within their security and compliance programs that address the problems that they may be having, both based on what their business needs are, such as access to the data to provide patient care in a clinical environment, and looking at it from the perspective of HITECH or HIPAA rules compliance. And so there is a regulatory component, a compliance component and a baseline security tools and policies component, and that is what you build into a framework type of program.
One approach we use that is aiming to become an industry standard is the HITRUST framework. These types of frameworks become available on an industry basis, and they allow the industry to start to come up with common ways of doing business so that it is standardized.
A good example of this in the merchant industry is PCI, or payment card industry standards, that came out around security. There were security rules specific to payment cards and how to appropriately handle credit card information. So that standard is another good example of what we think is going to emerge and what our clients are going to be getting their arms around.
The other thing I mentioned as well is really getting senior management involved early on in these types of issues. What you typically see in a client's environment is management really not having a "hands-on understanding" of what the security vulnerabilities are. It is an IT issue, so the business side of the house tends to want to say, "Well that is an IT thing and I am going to leave it up to IT," and kind of throw it over the fence....But it is a business issue....
So the business is really going to have to embrace what the requirements are and make sure that they have a compliance program that is linked well into their security program. They may even consider moving the traditional information security program into a more business risk type of program, or at least combining those together to start to connect the dots between business risk and compliance with IT security.
I think it is a real trend that we have seen in many other heavily regulated industries like financial services, and that trend has been going on for quite a while now and I think it will continue. The regulations are there because there is a need.
I know our Congress wouldn't have gone through this level of pain and agony to get these types of regulations out there if it wasn't a demand by the citizens to have these kinds of things in place....Protection of patient information is very important, and our clients are taking the necessary steps to get there, and a lot of that is being driven by the regulations.
But at the end of the day I think we are all going to be the better for it, especially when we get to where we have electronic medical record systems that are properly secured and properly protected but also available for the health systems when they need to provide care....
ANDERSON: Thanks very much, Mark. We have been talking today with Mark Ford at Deloitte. This is Howard Anderson of Information Security Media Group.