- The shift from a training message that is solely tied to HIPAA regulations to a substantial patient care and safety focus is easier said than done. Despite the challenge involved with this type of undertaking, Jim Noga, Vice President and CIO of Partners Healthcare, and CISO Jennings Aske have seen success in concentrating on why they’re securing patient data, as opposed to only a strict regulatory approach.
Read Part 1 of the HealthITSecurity.com Partners Healthcare interview.
Noga said that resonates this type of message resonates with staff members because they can identify with moving from a regulatory discussion toward reminding them that the conversation is about providing better patient care and protecting them as members of our staff, not just arbitrary rules meant to complicate clinical processes.
Dr. Gary Gottlieb [President and CEO of Partners HealthCare] talked during Privacy and Security week at Partners about the importance of patient privacy and security and how it needs to become part of our culture. In addition to all the technology, people need to think about it. No matter how you batten down the hatches in healthcare, the unencrypted laptop makes the press. And a lot of that is based on people’s personal behavior.
Aske added that Partners has seen a better response from clinical staff since shifting that conversation. He admitted that he used to be very regulatory-focused, but the proverbial light went on when he was talking with a clinician during a potential incident.
We dodged a bullet, so to speak, but the clinician said “Wow, if this had happened I wouldn’t be able to deliver care.” That’s the message. And I think our clinical leadership really gets that message. Privacy and security are supporting the business goals of the organization and that mission is resonating.
Managing security at Partners
With the new message in mind, there are certain innate concerns that are part of securing patient data across a large network such as Partners that owns a number of organizations of different sizes and with different needs. Noga has expressed worry in the past about the IT security at stand-alone community hospitals, knowing the investment that Partners had made in them. New threats arrive daily and Noga said there are instances where he’s not sure what happens in these other environments, where there’s just not the capacity to address privacy and security the way it needs to be addressed.
Noga explained that Partners made an organizational change where all of the on-site CISOs report to Aske, so that security-wise it’s not differentiating between smaller organizations and larger ones that report to the organizations. With a single network to secure the perimeter and stand-alone applications at the community hospitals, Partners has to review everything. Noga said because Partners understands the “weakest chain of the link” concept, it needs to secure the entire network and not provide a back door for security threats because all organizations in the Partners network are connected.
There are a few different factors to consider when looking at securing the Partners network, Aske said.
The healthcare industry is challenged in finding and keeping security talent. We can’t keep up with the financial vertical [in this area] and I’ve lost candidates that I was trying to recruit because of that fact. It’s a problem area for us and for the community hospitals, for example, it’s going to be an even greater challenge.
Aske also added that there are are lessons that healthcare can learn from the financial vertical, but in many ways the healthcare environment is much more complex than the financial industry. With a 9-5 schedule for most financial CISOs, practically applying a financial CISO’s lessons to a 24-7 operation in which people’s life or death is at issue would not work in healthcare.
Another driver of that was going to a single EHR/revenue system, recognizing that because we have a common network, baseline and common patient chart, we can’t have diversity in your security model and need uniformity. Things are different in the sense that a hospital not as big as Massachusetts General Hospital, which has 25,000 workforce members, so how we approach training or the different types of threats is going to vary based on the size. But the overall framework has to be the same given the direction we’re going as an organization.
Noga is a member of the College of Healthcare Information Management Executives (CHIME).