Security Spending Up at Rural Hospital
Breach Prevention, Compliance Lead to Investments
In an interview (transcript below), Kloewer describes:
- Top security projects for 2010, including network infrastructure upgrades, encryption of backup media and continuation of business continuity and disaster recovery improvements;
- How plans to apply for HITECH electronic health record incentive payments are influencing security strategies, including plans for a gap analysis;
- Why the hospital does not allow patient information to be stored on desktops, mobile devices or thumb drives.
Kloewer wears many hats in his executive role at Montgomery County Memorial Hospital, a critical access facility in Red Oak, Iowa. He serves as CIO, risk manager, privacy and security officer and director of planning and development.
HOWARD ANDERSON: For starters, why don't you tell us about your hospital and your recently completed data center project?
RON KLOEWER: Montgomery County Memorial Hospital is a 25-bed critical access hospital and we're located in rural southwest Iowa, about an hour's drive from the Omaha metro area. Our net patient revenue is about $28 million, and we have about 300 employees here, and we have 11 local primary care physicians and about 30 visiting specialty and consultant physicians coming out of Omaha. ...
Our hospital just recently completed a significant addition to our medical campus. We took our 100,000-square-foot campus and we added 50,000 square feet. ... One of the significant additions to the facility was a new data center. With the growth of IT over the last 21 years, we had accumulated four separate rooms that were acting as wiring closets and server rooms. They were crowded, overheated and terribly inadequate. So as part of the renovation and addition design concept, we added a data center ... and now we've got plenty of room to grow and lots of space for the servers and the gear we have. ... So that's helping us out a lot on the security side, both physical security, access security and our ability to log and track who enters the space and who does what. ...
ANDERSON: So how big is your IT staff now? Will it grow in 2011? And who handles security issues for you?
KLOEWER: Well, our IT staff, I'm very fortunate to say, is at an appropriate size for our facility. ... We've got 11 people now on staff in the IT department, including me -- and I do have some COO responsibilities throughout the organization, and so that does pull some of my time. ...
Our current annual IT operating expense budget is 1.3 million. That's approaching about 4.5 percent of our total operating expenses. So I don't anticipate growth in any more staff this coming year. In 2012, 2013, I can anticipate possibly an additional FTE, but we're going to try to move also in more of a distributive mode to some of the departments that really need to take ownership of their own automated tools. ... Rather than add more IT staff, I would like to work on getting certifications and additional knowledge and training into some of the departments and embed those folks so their sense of ownership is with a department rather than with IT.
ANDERSON: So do you take the lead role on information security issues or do you divide that up among your staff?
KLOEWER: The security responsibilities are primarily handled between my network administrator and an outsourced contractor. We do have two primary contractors that we use for outsourcing, and one individual is dedicated to security. So the primary responsibility for the day-in, day-out operations falls to those two individuals. The outsourced contractor is here one day per week, and they handle a variety of issues, including security. As CIO, I'm responsible to review all policies, procedures and practices and also to perform the risk assessment and auditing that is necessary under the new HITECH security rules. So we have a number of security practices that are in place, and others are being added as we ramp up our response to changes in HIPAA and the additions of the HITECH Act.
We're making a concerted effort to get some of these security practices more embedded in all of the IT staff so that they are responsible for various areas, trying to drive that down deeper into the IT staff rather than have it be simply at a high level. But primary responsibility lies with my network administrator.
ANDERSON: Do you have a feel for what percentage of your IT budget will be devoted to security issues in 2011, and is that up from this year?
KLOEWER: Security is going to take a much larger bite in 2011 than last year, and depending on how I characterize it, I'm going to suggest that about 20 percent of the IT capital budget will be dedicated to security-related matters for the coming year. That is going to be up from probably around 5 to 7 percent for last year.
The priorities for this coming year are going to really fall under a couple of broad categories. Network infrastructure upgrades are going to take a significant part of that capital budget. Our network infrastructure has had to grow and respond to the facility additions that we did, but it also is more of a legacy network. It does not have some of the modern features, like port-level security, that we need, so we'll be making a concerted effort to install new network backbone components that will get our network security up to where I want it to be.
Another significant chunk of that will go to HITECH and HIPAA compliance issues. ... There are certainly some best practices in IT that we want to follow, but they also fit nicely in the HITECH compliance requirements, things like file encryption, back-up technologies and also a continuation of our disaster recovery and business continuity preparedness. We did make a lot of strides last year with some significant investment in business continuity and disaster recovery; those covered our primary mission-critical systems. But now we need to go beyond that and cover systems that are in the next tiers out from that.
ANDERSON: Tell us a little bit more about how you'll be expanding your use of encryption.
KLOEWER: Currently, we are using very traditional back-up methodologies. We back up to tape, and those tapes go offsite and they're not encrypted. Anyone with the appropriate software could read those tapes, so that is a compliance issue and we need to address it. So we'll be moving into back-up technologies that allow us to take our data offsite but have it be encrypted and protected appropriately.
Also, we're taking other steps internally via group policies, using, for example, Microsoft's Active Directory Group Policy concept, to limit use of thumb drives and CD writers and so forth. We basically disable those via group policy. So there is no question that someone can walk up to a computer, stick in a thumb drive and remove data. It's just not going to be possible.
So by eliminating those means and methods of removing data, we also can maintain compliance. Any data that would leave our facility would be via some sort of encrypted back-up methodology; otherwise it doesn't leave.
ANDERSON: And do you have plans to encrypt data on desktops and laptops, or do you primarily use thin clients that don't store data?
KLOEWER: We primarily use thin clients. We have a policy in place that data is not stored on local desktops. We do this by group policy, by limiting access to the "My Computer" capabilities and forcing all saved files to go to network drives via thin client applications, remote desktop or other thin applications. We do not allow locally saved data. I have no trouble with a laptop walking out the door because I have complete knowledge that there is no ability to retrieve data, because the data doesn't exist on the device. And that's applicable to not only laptops, notebooks and other mobile devices, but also desktops that are in the environment. There is no locally stored data. We've had that practice for quite a number of years.
HITECH EHR Incentives
ANDERSON: So will you be applying for Medicare or Medicaid incentives under the HITECH Act for using electronic health records, and if so, how will that affect your security plans?
KLOEWER: We do intend to apply as a critical access hospital; we are able to use the local regional extension center that was created under the HITECH Act. In Iowa, this group is the Iowa Foundation for Medical Care, IFMC, and they've been around for a long time as a quality group primarily in the physician clinic community. But IFMC has won the grant to become the regional extension center, and they are providing consulting services to critical access hospitals at a deeply discounted rate with grant funds from the stimulus bill. So we'll be using the IFMC group to help us do some gap analysis and get ourselves prepared for the application for stimulus money. I believe, based on some of what I've already done in analysis and study, that we've got some security issues we've got to address. So as we wrap up our gap analysis, any other security-related issues, we'll address those also so that we can attest to compliance for stage one of the incentive program.
HIPAA and HITECH Compliance
ANDERSON: Finally, what do you see as the most important trends in healthcare information privacy and security overall in 2011 and beyond? And how do you expect those trends to affect your job as CIO at a small rural hospital?
KLOEWER: The trends for this next year really revolve around HITECH and the changes to HIPAA. What the HITECH legislation and the stimulus bill do is they really drive compliance with security as a means to get to the stimulus money. Certainly there are many components to stage one compliance, the adoption of certified EMR technology being one. But if you dig under the covers a bit, security is a big component of compliance. And even though the stage one compliance requirements are maybe not as deep and broad as they will be in subsequent years, I think one needs to look forward to the stage two and three requirements under HITECH. We know about where they are headed, so that we can address them. So our goal is to ... make sure that whatever foundation we are laying today is adequate to support those requirements that come down the line. And if we can go ahead and meet those longer-term tests, then we'll go ahead and do that. I see that as the biggest, most important trend in privacy and security for 2011 and beyond.
The big issue for me, as a CIO in a smaller hospital, is, as always, resources: making sure that I am adequately prioritizing the resources for compliance. So it's about competition for resources. One of my big challenges is making sure that I get the priorities lined up adequately and accurately, so that I can build a good foundation for the future but also address stage one meaningful use and qualify for EHR incentives. ...