Health care CIO tackles complex security, privacy mandates

By Linda Tucci, Senior News Writer 23 Sep 2008 | SearchCIO.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

In a wide-ranging conversation with SearchCIO.com's Linda Tucci, Cotter talks about balancing the need to know with protecting patient privacy and the limitations of medical software.

Obviously, patient privacy and security of data are very important in health care. What are the challenges like these days -- enormous or easy?
Cotter: They are not easy, they have never been easy, but they are very important. I think the advantage that we have in health care is that we have a history, going back to our paper charts, of a great deal of consciousness about the importance of confidentiality of the very sensitive data that we handle.

More CIO leadership insights More from Carole Cotter: A CIO by way of Jack Welch Mastercard CIO Rob Reeg on PPM (news podcast) From 15 data centers to one, and a 90% reduction in apps SIM forum coaches CIOs on leadership

In a sense, HIPAA arrived at about the same time that we were really beginning the push in the mainstream of health care toward electronic records, in 1996 or so. … The paper world was not without risk, but it was much easier to control because the paper record could only be in one place at one time. And the isolated systems, like pharmacy and radiology lab, could be somewhat controlled because access was very limited to them.

Right. That is what must make it so interesting today, because you are required to have this porous system but at the same time make it impossible for stuff to leak out that can't leak out, too. How do you balance that?
Cotter: It's very difficult, in part [because] there are different layers to looking at both privacy and security. And it is very difficult now to talk about one without the other.

We, of course, focused first on privacy. Well, first on transactions and code sets, and then privacy. And the way we tackled it as an organization was as an organization. I think what has helped us be successful -- and I knock on wood because no one can say with confidence that everything is as it needs to be, we are not there yet -- is that we have had a lot of focus on this. And part of what has given us very good principles is the recognition that privacy and security are the responsibility of the individuals within the organization. So we do everything we can from a technology perspective, but we also focus heavily on policies and procedures and communications.

How did you develop and communicate these policies?
Cotter: I'll step back a little bit. The way we did HIPPA privacy is we had a corporate group. It had high-level representatives from each of the hospitals and corporate. And that was the level from which the policies were written. Then the policies were communicated, probably as many hospitals did, to all the employees.

The other thing that the organization did was establish a very strong compliance program. We established accountability within each hospital for who was the privacy officer. Then we organized a group, the corporate compliance committee, and established a hotline and secure email address so that employees in confidence could send information about situations they were concerned about to the compliance group. Every contact with the compliance officer is investigated. That was in place for privacy.

As we moved into security we again concentrated very heavily on policy. And I'll tell you frankly, we made a mistake. There are a lot of issues in the security regulations that were addressable rather than required. So of course the temptation is to focus on the ones that are required, and then work on addressable ones. We made a mistake in being too optimistic about what we would be able to accomplish. So we found ourselves in the unenviable position of having policies that we really did not have a way to comply with. So, for example, we had a policy that we proactively audit the logs that came out of our applications. Well we had no software to do that, and the tools were not available within the applications that we had. So though that was a lofty goal, it should not have been in a policy because we couldn't comply with it. So we then went through a massive realignment of our policies to reflect what we could comply with.

Was the office of the CIO involved in the policy writing?
Cotter: I wrote some of them. I didn't write all of them. We divvied them up. Then more recently what we have done is to become more proactive. Once we were satisfied that we had policies we could follow, we really focused on the responsibilities of individuals and how we could communicate to people what they should do. So we in IT took on what we called IS 209, a new policy around security. And we were very specific about how electronic media containing confidential information should be handled. We wrote into policy the need to use secure encrypted flash drives and that only encrypted flash drives be used, and that no other media that could not be encrypted could be used for confidential information.

Our policies are very strict. In particular, IS 209 says that if you violate this policy and if something untoward happens to confidential information under your control then you could be terminated, or if you are a member of the medical staff, your privileges revoked. We made a little training session with a test at the end, and it was a requirement that every member of the staff in any of the hospitals in any capacity must take the test and then certify on their annual performance appraisal that they have done so and that they agreed to abide by the policy. Then of course we did a road show and went to every executive group and also the physicians groups and did a communication about how to safely handle confidential information.

How is the software now for auditing records?
Cotter: We don't have good tools to interrogate the log files that we have, but we have instituted a manual process, painful as it is, where every month we pull at random a number of patients who have had services at our hospitals in the last month, and we go in and use rudimentary tools to pull the names of all of the people who have access to that record. We run those names against our payroll file and identify what position that person is in and where they work and then turn that information over to internal audit.

The other thing we do is that as soon as we choose the patients and pull the records we email all the people who have accessed the record to tell them, 'We just want you to know that your name has come in this random audit, we expect that this is a not a problem but if questions come up they may hear from internal audit.' That has really raised awareness.

Can you talk about what you do as a health care CIO that is different from a CIO in another industry?
Cotter: I think what's the same is the need for a strong infrastructure. We've worked in the past on what's called the medical-grade network. But in my heart I don't believe there is a difference between the medical-grade network and the banking-grade network and the insurance-grade network. I think we all have the same needs for reliable, robust infrastructure that is redundant, that's secure.

We do everything we can from a technology perspective, but we also focus heavily on policies and procedures and communications. Carole Cotter CIO, Lifespan Corp.

I think where we're different is in the software world, in that health care is extremely complex compared to other industries. We are dealing with people delivering care and with our patients. Those are our customers, and no two are alike. People don't come in with just one disease. They have a great variety of combinations of disease in different stages. So every patient is unique in what they need in terms of the services they need from us. From an IT perspective, that means we need to have very flexible configurations on our applications.

Our needs for decision support are great, and the tools that are available right now are good and getting better but not where we'd ultimately want them to be. You'd like to be able to do decision support based on evidence. And there is a lot of evidence in medicine. But there is also quite a bit of what is good practice or best practice that is not yet supported by evidence, so there are a lot of decisions that have to be made about the right thing to do when you are configuring decision support within health care.

Are you happy in the health care industry? Where do you see yourself going?
Cotter: I am very happy in the health care industry. There is so much work to do here and there is so much good we can do. We are just scratching the surface of what our capabilities will be, and with the new advances in genomics and proteomics and the new procedures that physicians are doing with new kinds of tools, like robotics and special kinds of scans, three-dimensional constructions of scans, it is just an exciting place to be.

Tags: Leadership and strategic planning,  Health care industry,  HIPAA compliance management,  Information technology auditing,  Enterprise data security and privacy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us