Knowing who has access to patient data as well as being aware of the viable security threats out there may sound like tall orders given the complex, evolving nature of health IT security. But for Cris Ewell, Chief Information Security Officer of Seattle Children’s Hospital, having a balance between new projects and heavy threat research can help Ewell and the Seattle Children’s information security (IS) team consistently stay ahead of new risks geared toward healthcare organizations.
Ewell said to HealthITSecurity.com that when looking at mobile security, it’s all about understanding who’s connecting and how internal security experts must deal with that question on almost an instant basis.
As we encrypt all of these devices, you want to be able to also remotely wipe them and do what you’re normally able to do, but the issue is that users often trade devices and don’t always notify IS security first. They’re a little bit better [about notification] when they lose the devices, but we implemented monitoring to ensure that we really know which devices are connecting. This has been a new strategy within the past year or so for my department, and we’re continuing to look out for other methods that we may need for mobile security and how users are gaining access to data. How do you control the exfiltration of data from your institution?
As Children’s data becomes increasingly mobile and new applications proliferate, the nexus between technology and medicine continues to change. Because Children’s is a pediatric hospital, its younger patients would be the most likely to want to use mobile technology in communicating with their healthcare professionals, Ewell said. The question for Ewell at Children’s, and for healthcare in general, is how strong patient interaction and engagement should be reconciled with HIPAA compliance in 2014 and beyond.
This is a real challenge because with pediatrics, besides just HIPAA, there are consent issues from different levels. In Washington State, at age 13, patients have rights to certain types of information, for example reproductive health information. Figuring out where a message is going adds complexity to an already well-regulated environment, and it comes down to handling that consent issue by ensuring only the patient or the parent sees that information.
Regardless of the degree of difficulty, however, Ewell and Seattle Children’s have to manage adolescent data, so Ewell explained that the organization currently has several active projects under way to determine the best approaches to sensitive consent problems. But it’s also important to consider the “how” beyond just strategy. “What technology can we use to still comply with HIPAA and HITECH and be good stewards of the patients’ protected health information (PHI) while allowing them to have good communication with their provider?” Ewell asked. “We have to run through the different technologies and consent scenarios to determine what will work, as some scenarios may not work enterprise-wide but will work for a select group.”
Ewell added that there are other considerations that must be accounted for, such as blended families with two to four guardians and potentially protection orders from courts for a specific minor. Further complicating matters are behavioral health mandates. Ewell said, for example, that a user transmitting an appointment reminder that exposes a phone number to a non-privileged person may violate the court order. “Those are all things that you have to consider beyond just PHI,” he said. “It is a very tough issue.”
Risk analysis and research
Having a robust, mature risk management program can cure a great deal of concern. But Ewell relies heavily on consistent research to ensure that he, his staff and the Children’s IS division are all on the same page when it comes to the various threats they may have to eventually face.
We measure [risk] constantly and it’s actually part of my research area of interest, so I do additional things to try to expand this body of knowledge of [risk management] and how to communicate risk issues with decision makers. I look at risk in expanded areas, so I’m measuring things like attack vector, the maturity and target potential of the information security itself and all the assets.
These data sets include more than just PHI and encompass all of Children’s financial data, personally identifiable information (PII) and other confidential information. Ewell is in charge of 13 different areas within the IS program, and from there he reports enterprise-level risks to a board-level committee several times per year. Based on what he finds, this material becomes part of yearly reports that help decide which threats are credible and what the organization’s plan of action will be if it does decide a threat is actionable.
[Research] is where privacy and security need to go – you cannot do this with technical controls alone and have to understand the risk in the entire area. The problem with most of the frameworks that are out there is that they are only technical in nature and cover maybe 6-7 of the 13 elements that I cover. They may be missing key points such as organizational structure and culture – for example, where is the CISO in the organization and how much funding do you have?