09-24-13 | Blog Post
The historic setting of Boston, home of the “Independence Brothers”, with Griffin’s Wharf (site of the 3 British ships that became home to the Boston Tea Party) visible from the conference room windows, seems fitting for a keynote bearing a “Call to Arms”.
This morning at the HIMSS Privacy and Security Forum, Jennings Aske, Chief Information Security and Privacy Officer of Partners HealthCare shared a privacy and security “Call to Arms”:
I am presenting today as a practitioner. I’m going to talk about some stories from my own healthcare system – I feel a little more nervous now knowing someone from OCR is here :-). Privacy is a problem we need to address, and I’ll share some of our goals at Partners HealthCare.
A few months after starting as the Security Officer at Partners in 2009, I felt a tap on my shoulder from a tall, very serious man who asked:
What are you going to do about my 86 passwords?
As it turned out, this man was Chief of Emergency Medicine – who honestly did have 86 passwords – written down, because he couldn’t possibly remember them all.
When you talk to Epic about security, they talk about passwords, not application security or the rest of the intricate layers of security. We’re not there yet in understanding and embracing security. We have to get past point solutions, tacticals, and compliance and understand the purposes behind it and the protection of the patient.
“We have to stop chasing the law …”
After the 19 findings of OIG, we discovered in conversation that some of our developers had access to the production environment, which is not compliant under HIPAA. However, HIPAA is just a framework, and the part of the iceberg most visible above the water. What we really need to do is focus on all that remains below the level of what’s most readily visible. For example, security experts know that separation of responsibilities is essential, for we know that from ISO or NIST publications, but you won’t find this requirement in the regulations.
Security is intended to prevent harm to the clinical record, the healthcare organization, and patients. Focus on regulations is wrong – we need to focus on securing and protecting patient data with best practices first and foremost. We need to focus on the patient, and standards for developing our security standards.
One clinician was very upset about the passwords for our new PACS system: “I already have to authenticate to my Windows system – why do I need another one for these other systems?” I could have pointed to the regulation, but I wanted to explain that what’s most important is protecting the patient record and making sure that the values you look at are correct for the patient that you are treating. Isn’t it important that the patient record is safe and accurate? Focus on the benefits of patient care of security.
The majority of my messaging is not focused on patient confidentiality – it doesn’t really matter to a lot of physicians. What’s more critical for them to deliver good patient care is the availability and accuracy of the patient record.
Vendors – help us sell a message around better care for the patient.
Standards are not just about following the rules. Standards take the emotions out of the room. There are emotional conversations about what InfoSec or HIPAA are making physicians do. Standards help ground the conversation. It’s about doing something based on evidence, time, and experience.
What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about. – Hippocratic Oath
Find meaningful ways of working with the IT teams. For example, don’t just send an article about why encryption is important to meet the HIPAA Final Omnibus Rule; get familiar with the NIST guidelines and engage in a conversation about how they are accomplishing encryption and understand what challenges they are running into.
Look holistically at what the mission is. Security can’t be about “no”, it needs to be about “how”. I’m asking my peers and everyone supporting HealthIT to focus on the “how” and not what can’t be done. Collaboration is important to security. Complexity is messy, and makes us seek people that are like-minded. As a security organization, you need to embrace the mess and complexity. Meet with your board and have conversations with the angry physician.
We recently made some changes which caused all of our Android devices to stop working because they were not encrypting data. I received a number of angry emails, and you have to reach out to them and talk through the mess instead of running away from it.
Security and privacy evolve. In a recent presentation to our board, I shared that “what I’m telling you today will change as we respond to new threats, and we will need to pivot”. Several healthcare systems had their phone systems shut down from Denial of Service attacks, and had to adjust to respond and recover. As a security practitioner, if you prepare your plans and budgets as things that are fixed, you’ll set yourself up for problems. Anticipate and build in the potential for needing to pivot to respond to the evolving security environment. You have to constantly rethink what you are doing.
We all need to be creative for financing our security program. We’re leveraging managed security services and trying to think creatively on our feet to work within budget realities. I don’t talk about technology when I talk about security. I talk about people and the impact of our security policies. Security is about people. Our decisions need to be transparent and involve stakeholders, otherwise it affects the legitimacy of what we do. Explain the risks, policies, and technologies. Document the conversation so you can refer back to the communications.
Partners HealthCare’s Plan includes
Define what you’re trying to achieve with your security program. It doesn’t need to be our principles, but you need your own in place to fall back on and refer back to.