Being accountable for the privacy and security of patient data at 135 wellness clinics across 36 states may seem daunting, but having the right technology in place and proper communication with other areas of the healthcare organization makes the challenge less formidable.
Joseph Johnson, Chief Information Security Officer (CISO) at CHS Health Services, champions all efforts related to information security, data privacy and security compliance, vendor risk management and policy development. CHS is unique in that its primary business model is to deploy on-site health and wellness clinics to large health-insured companies that have the financial capital to be able to take on the liability of insuring their workforce.
Johnson handles items such as the technical aspects of data security, security architecture, policies and procedures, compliance and risk management at CHS. But he obviously doesn’t accomplish these tasks alone and needs to work in harmony with other departments within CHS. Directly reporting to him are the CHS security engineers and application security team.
We obviously work closely with our IT department and I work side-by-side with the CIO. On a quarterly basis, we’ll have a security steering committee meeting that I commission. It brings together different departments’ leaders such as legal, HR, risk management, IT and finance. We let them know of upcoming security projects and how it meshes with where we’re headed operationally as an organization.
Protecting patient data
A CHS customer's human resources (HR) department provides CHS with a large directory, containing information such as names, addresses and Social Security numbers, of every employee in its organization who is eligible to participate in the business plan. Johnson and CHS import that personally identifiable information (PII), and when those employees visit one of the clinics, CHS creates large quantities of protected health information (PHI) and saves it in its EMR application.
We pretty much have to run the gamut [when it comes to safeguards]. I’m a proponent of defense in depth strategies. We’re probably audited once a month and go through third-party HIPAA audits on a regular basis. And our clients frequently put us through some form of risk management or assessments against technical controls. We have BAs in place that spell out clearly the technical and operational policy controls that we have in place. If our security isn’t up to par for these large, mature institutions, we don’t even have a chance to win the business. They look at it as “You have our entire employee database and you better protect it fully.”
Technical and physical safeguards
With respect to safeguards, Johnson does everything from full data-at-rest encryption for the EMR databases to source-code auditing to cyber intelligence. On the intelligence front, CHS recently began working with the National Health Information Sharing and Analysis Center (NH-ISAC). Additionally, with more than 100 clinics to manage, using thin clients with read-only virtual desktops is nearly a must for Johnson. Virtualization is becoming the norm in healthcare, and CHS, which had been using thick-client devices, now uses virtual desktops exclusively and has had Citrix VDI in place for 18 months.
For a distributed model like we have, it makes my life easier because I don’t have to worry about rogue software on IT devices or patches for all devices. I can patch in-line with a single image. The clinics will pull down from a Citrix gateway so all of the data storage and processing is fully contained in the data center. And while that’s happening, we’re pushing AES encryption over those in-transit channels. And we also do role-based encryption in the background so, for example, my IT administrator can’t see PHI because they don’t need to see it natively.
CHS obviously isn’t a classic healthcare organization, but it’s interesting to see how it handles PHI that’s spread out over a large number of clinics serving a great many patients.