Top 10 Information Security Projects at Johns Hopkins
Stephanie Reel outlines the priorities
In an interview, Stephanie Reel, vice president for information services for the Baltimore-based organization, spells out a top 10 list of data security priorities. The list also includes a massive effort to deploy new multi-factor authentication and broader use of encrypted e-mail.
Reel is one of the nation's longest-serving CIOs, with nearly 20 years of experience at Johns Hopkins. In addition to heading I.T. for the health system, she serves as vice provost for I.T. for all of Johns Hopkins University.
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. We are talking today with Stephanie Reel, vice provost for information technologies at Johns Hopkins University and vice president of information services at Johns Hopkins Medicine in Baltimore. Thanks so much for joining us today, Stephanie.
STEPHANIE REEL: My pleasure, Howard; happy to help.
ANDERSON: For starters, please briefly describe Johns Hopkins Medicine for us and the size of your IT staff.
REEL: Johns Hopkins Hospital was founded in 1889 and really is credited with changing the way medicine is delivered in the United States. The Johns Hopkins University School of Medicine opened in 1893 and became America's first teaching hospital.
Today Johns Hopkins Medicine includes that hospital and that school of medicine, also three other acute care hospitals in the Baltimore area: the Johns Hopkins Bayview Medical Center, Howard County General Hospital and now Suburban Hospital in the Washington, D.C. suburbs. We also have a long-term care facility on the Bayview Medical Center campus. And we have one of the largest home care groups in the mid-Atlantic region, and a couple of dozen outpatient care facilities around the state of Maryland, including some community physicians.
So to support all of Johns Hopkins Medicine from an IT perspective, we have about...250 people who just support Johns Hopkins Medicine from a central point of view. And then there are an equal number...out in the departments and the divisions and affiliates and the entities.
So at the central level we try to provide the infrastructure that allows our affiliates to be as attentive as they need to be to the unique needs that they have. When I look at my entire IT staff across the Johns Hopkins University and all of Johns Hopkins Medicine, and if I attempted to aggregate all of them together, it would be in excess of 750 people reporting up to IT Central.
ANDERSON: I understand that your organization has a chief security officer as well as a data security team focusing on ensuring the privacy and security of all the clinical information systems. How long has that team been in place and how big is it?
REEL: We hired our very first chief information security officer four and a half years ago. (The CISO) has a small team, about a half a dozen people, who focus on information security across the enterprise. The reason his team is so small is that over the years...we have come to value the fact that security expertise also needs to be embedded within our teams--within our application teams and within our infrastructure teams. And so the CISO not only has solid-line reporting responsibility for the people who report directly to him, but a matrix reporting relationship with the other people who have responsibility for security within the other teams of our IT organization.
Our privacy officer, however, is not within the IT department...she reports up to our general counsel's office and we made that decision deliberately. We felt that it was best to have someone looking out for the welfare of our patients from a privacy point of view and not strictly focused on information technology, but really more broadly thinking strategically about the need for privacy. And, in fact, the CISO has a joint reporting relationship both to me and to our general counsel to ensure that he has the ability to identify and call attention to any issues that he may feel are important...
ANDERSON: I understand that you and your team are working on a long list of data security projects. Can you give us a feel for what you are working on?
REEL: From the standpoint of priorities, at least for the current year, the first on our list is to complete our annual application risk assessment. We update it comprehensively every two years, but we pay attention to it and update it in a smaller way every year. This is to satisfy the requirements of HIPAA, and now also to meet the needs of "meaningful use" (the Medicare/Medicaid incentive payment program for "using" electronic health records) and the ONC requirements (federal data breach notification rules, etc.).
But what goes hand-in-hand with that is our second priority, which is training and workforce development, which is truly a continuous process. We pay attention to those things for which we are held accountable or for which we get recognition and reward, and security is not something that gets a glamorous amount of attention I would say. So the CISO spends a great deal of time visiting with departments and divisions, decentralized IT shops as well as our own central team, making sure that they are being attentive to the issues associated with information security.
So those are our two very top priorities for this year. The others are probably similar to other organizations.
We are working on something where we may even be a little behind the curve, and that is multi-factor authentication. I know a lot of institutions have invested heavily in this area for years, and we really have not. We have explored some solutions but not invested heavily. So at this point we are choosing to recommend soft token access to our virtual private network, which is really a combination of solutions with configuration and IP addresses and secondary questions that will be used to secure VPN access. We didn't stumble upon this lightly. We have had a couple of concerns over the past three years that have led us to explore carefully what solutions we should embrace and endorse and enforce, and this is one that we believe is sufficiently mature that we will be able to complete this year.
We are also continuously monitoring all of our applications. As we implement a new system, or as we embark upon a new project, or as our systems go through upgrades and enhancements, we monitor whatever security tools and solutions might be available to us and try to strengthen the perimeter as much as we can for our applications.
Included in that is really the next priority, which is encryption and again, this came to be a priority because we had had some concerns, much like our colleagues around the country. We have had laptops disappear or left in the back seat of a car never again to be seen, and we had to focus a great deal of our energy over the past three or four years on encryption. But it remains a priority because, in spite of our best efforts, people do neglect it or forget about it or purchase new devices over which we have no control.
So we are trying to pay a bit more attention to encryption in all aspects, both in e-mail, which is an important priority for us, some of which is encrypted but not all, and also in devices and media controls, like USB ports, ensuring that we have encryption.
We have had policies for many years that clearly explain what our expectations are, and those policies have been appropriately vetted and very appropriately communicated. But like anything else, people get distracted by more pressing priorities and forget to pay attention to some of these things. So it is a continuous effort and it is a significant challenge to keep people informed and aware without "the sky is falling" type of a syndrome, which we don't like to do either. There are too many major issues; we don't want to create one that isn't real.
We also are spending a fair bit of time on web application security. Our CISO will tell you that he believes many breaches happen inadvertently because people unintentionally will post something through a web application that they never intended to be publicly seen. So we have purchased a web application firewall that we know will help, and we expect it will supplement some of the controls that we have already put in place. But this is an area that I don't think is completely safe. I think all of us need to be attentive to the risks associated with building more and more of our applications in the cloud and placing more data on web applications where they are shared by others.
We are also working this year on network security forensics. Over the years, when we have had concerns or issues, or even pre-emptive work, we had done a little bit of outsourcing. We have invited colleagues in who are experts and specialists in network security forensics...We continue to use those partners when necessary, but we also recognize that some of the work is best done by our own team. So this year we hope to acquire and implement a few tools that might help us to do a better job internally of security forensics. We have a strong team. The people that we have recruited are very good, but they don't always have the tools handy to do the kind of work they want to do. So we are focusing a bit of energy on acquisition of those tools this year.
We also, in concert with the deployment of those tools, are doing more proactive penetration testing and system testing and doing it more routinely. And this seems to serve us well. Again, I am not sure we would be an example of the best practice, but I think we certainly are trying to be as attentive to this as possible without being inappropriately intrusive to the project teams and the work that they are doing.
And then lastly, I have already alluded to the "meaningful use" criteria that were published by the Office of the National Coordinator, and there is an expectation that with some of those incentive payments comes responsibility for both risk assessments, which I listed as my first priority, and (breach) disclosure tracking, which is listed as my last, although certainly not least, priority. We are all going to be held accountable to do a much, much better job of disclosure when there is a breach.
The wonderful thing about Hopkins, and one of the things that makes me so proud to be here, is that we have taken the high road in cases where we have had breaches and always immediately notified people who might have been affected by a breach, even if we were relatively certain there was little or no risk. Our general counsel's office has been phenomenal in ensuring that we take the high road and we notify people. I don't think this will be a new responsibility, but obviously the burden now is it is being very closely scrutinized and I think we will be as attentive as ever to disclosure tracking.
ANDERSON: To follow up on that last point, the federal agencies will begin enforcing in late February the new data breach notification rules, which now apply to your business associates as well as your organization itself. What have you been doing to prepare for that?
REEL: Our general counsel is a partner with us every step of the way with all matters associated with information security. I mentioned that my chief information security officer reports both to me and to her. And because of that, I think we have been very proactive in contracts that we have negotiated over the past several years in ensuring that we are, in fact, partners with our vendors and do hold them accountable to work with us through these data breach notifications. In fact, the experiences we have had have been good ones.
Going forward, we are certainly ensuring that the language (in business associate contracts) is as strong as it needs to be to hold both of us accountable for what we need to do. But...we have tried to ensure that our relationships with our vendors are such that even if the letter of the law isn't dictated within the contract, we comply together with the spirit of the law. But we will obviously have to kick it up a notch as these new requirements become better understood.
ANDERSON: Getting back to encryption just briefly, under the breach notification rules, if you encrypt the patient data you don't have to report breaches because the data is assumed to be secure and unreadable. How extensively are you using encryption for your various clinical databases?
REEL: As I mentioned, we have had a couple of stolen laptops and things of that nature over the past three or four years, and in some cases they were not encrypted. That did draw attention to the importance of encryption because you don't have to notify, as you said, if all the data is encrypted. But interestingly enough, I suspect our approach here at Hopkins, depending upon the nature of the breach, will be to do some form of notification, even if we feel comfortable that the devices have been successfully and comprehensively encrypted.
Because of the issues that we have had in the past, we have taken this topic very, very seriously and we began a major initiative to fully encrypt all devices and all data in motion, any portable data, about three years ago.
As far as our databases, some of it depends on where they reside. If the databases are resident within our secure data center, we have invested less in encrypting them, although we have still begun the work of encrypting all of our critical databases. If, however, the data might exist on any portable devices, we are ensuring at the device level that we have full-disk encryption in any portable devices and they have been held to that standard. So we still have work to do, but I think we have been a little bit ahead of the game in this particular area because we had to respond to a few issues several years ago.
ANDERSON: Finally, since you have been there about 20 years now, how has your own focus as CIO on data security issues evolved in recent years and how do you expect it to continue to evolve in the years to come?
REEL: It sounds trite to say that security has always been a high priority for us, but in fact, it really has. I think places like Johns Hopkins recognize that we have reputational risk, and we have been attentive to the fact that information security and patient privacy really do matter a great deal. It doesn't mean that we are flawless; we certainly are not, but we have worked very hard to protect the brand, protect the reputation and protect our patients along the way.
Patient safety has been...our highest priority. In fact, I have a staff meeting every Wednesday and we go through our list of our seven top strategic priorities and patient safety is always at the top of that list. Information security is second on that list and has been for a very long time. And we use that agenda and all of the items on it to talk through where we are at risk, where we believe the next patient might be harmed and where we believe the next piece of information might be at risk.
Some of our other priorities include satisfaction and service and science. We talk about each of our priorities, but I don't believe there has been a major shift, because we have been attentive to the fact that security is important.
I will say that over the last two or three years we probably have invested more in information security than we had in the previous years for obvious reasons. There has been a great deal of attention paid to it, and some of the tools and technology are really now available. I am not so sure that a decade ago it would have been trivial to go out and find the tools that you need to do intrusion detection or secure firewall protection for web applications, at least not as robust as they are today. So we are investing more and that is, in part, because the market has stepped up and there are more tools into which we can make investments.
ANDERSON: Stephanie, thank you so very much. We have been talking today with Stephanie Reel of Johns Hopkins Medicine. This is Howard Anderson of Information Security Media Group.