Barbara Bartley, Executive Director IT Operations and Information Security Officer of Baptist Health in Montgomery, Alabama, likes to say that she concentrates not on securing devices but on protecting patient data. This approach matters for two reasons: security staff can get lost in tracking devices while trying to protect the data, and a data-centric view helps a CIO or CISO focus on the most important part of managing a large healthcare network’s security framework.
The Health Care Authority for Baptist Health, an affiliate of UAB Health System, is a HIMSS Stage 6 hospital. It has three acute care facilities: one in Prattville that’s licensed for 85 beds, one on the east side of Montgomery with 150 beds and one on the south side (Baptist South) with 450 beds. Also part of Bartley’s data security responsibilities are a behavioral health facility licensed for 60 beds, a cancer center and five imaging centers. HealthITSecurity.com talked to Bartley about Baptist’s technical safeguards, as well as some of the security policies that she’s implemented and how she avoids health data breaches.
What are some of your technical safeguards?
The first thing we do is look for solutions that can electronically protect our data. I don’t try to manage devices; I try to manage and control the data. The biggest security impact, in my mind as a security officer, is our end users having knowledge of the privacy and security expectations and how breaches happen. Education, monitoring and auditing are our life from a security standpoint. We use auditing tools that we look at from an end user standpoint – what they’re allowed to access – and we can see all the red flags from the front end with monitoring and tracking access controls. And we also have triggers built in with email encryption. Our biggest security asset is the end user and our biggest security challenge is the end user. We do all the back-ends as well, with firewalls, penetration testing and data loss prevention.
Furthermore, any mobile device that we issue to end users, such as iPads, iPhones or Android devices, is physically encrypted. We also have multi-factor authentication for access, so anyone that uses our systems has to get into the device and then they can’t get into any of our solutions that have protected health information (PHI) without a unique identifier, logon or password. In addition, if they’re accessing remotely, they have to have another access point in authentication. We have firewalls that segregate outside data coming in and out based on security triggers. And then we have a separate virtual private network (VPN), and if they’re on premise, they’ll have to go into a guest network that doesn’t take them in unless they have authorized remote access with their unique password. There are several layers and tiers that we apply with that authentication.
Can you go into more depth about your mobile security strategy? Do you allow BYOD?
We issue the devices as an organization and encrypt them, but the reality is that [user personal devices] are out there in our environment, such as physicians and clinicians that can gain access. We have not put out a BYOD strategy yet, but we have policies and technologies that can look at front-end access and reports that can show us mobile device activity. We will be moving toward BYOD this upcoming fiscal year, but again, I won’t spend energy on devices but will on content management.
Like we do with yearly assessments, we’re looking at all the BYOD security risks. As we move to our BYOD program, anyone that wants to access with their own devices will have to follow our ground rules. We will implement a mobile device solution that allows us to wipe it [remotely] as well as the core BYOD security measures, such as being able to detect that a rogue user is on our system, and their access will be restricted based on data controls with unique identifiers. If a team member wants to bring their own device in, we’ll have it encrypted, password protected and have remote wipe capabilities.
Have the new HIPAA omnibus rules affected your day-to-day work?
We had many of the HIPAA policies in place, but we had to fine-tune them to make sure we meet the letter of the element or interpretation of what the standards should have. Baptist Health has privacy notices and we’re a HIMSS Level 6 system so we met all the [security] elements with that. And we have successfully attested to Stage 1 Meaningful Use, and with that came all the privacy and security components. We have updated the documentation that requires notifications.
What about business associate agreements (BAAs)?
Yes, BAAs are significantly different now. We had to redo our BAAs with our associates. When the HITECH and HIPAA omnibus changes came about, our BAAs were redone. We’re working with compliance and working with the state on one as well as our local IT infrastructure vendor (Cerner). We have our due diligence before we roll out those requirements.
How do you handle penetration tests?
We have about 3-4 penetration test solutions, including one solution that allows me to do a real-time summary at any time, and we do our annual security that’s more comprehensive but we also have quarterly reports. Some of our vendors include McAfee, Symantec, ProofPoint, Cisco, and Citrix. I’d like to have 2-3 vendors and be more robust instead of having multiple ones, but right now we have reports running behind the scenes. I get daily and monthly reports on databases that tell me what’s going on so we can address a potential problem in a timely manner.
What are you focusing on for 2013?
We’re staying focused on Stage 2 Meaningful Use requirements and moving toward HIMSS Level 7. Baptist Health will also be moving forward with cloud and patient portals in 2013. Challenges present when working with third parties, state and regional teams on portals and clouds. As an organization we don’t really have the comfort of understanding what their infrastructure is. And from a BAA and breach standpoint, [we need to make sure] that we have everything covered there.