Health providers have pressing reasons to now embrace security, says INTEGRIS Health's John Delano. Karen Epper Hoffman reports.
There's a real dichotomy at work when it comes to managing IT assets in health care. So says John Delano, the vice president and chief information officer at INTEGRIS Health, Oklahoma's largest health system – with nine hospitals and several doctors' clinics and home health agencies throughout the state. Delano sees directives flying in two different directions: on the one hand to make information systems more accessible and on the other, to make them more secure.
“Over the next couple of years, there will be a shift in priorities [where health care organizations] will be more focused on patient safety,” predicts McLaughlin. This will apply not only to making certain the proper drug is dispensed, but also to ensuring that patient records are kept safe and properly maintained. He says this will come as the result of increased enforcement, as well as increased patient demand.
In many ways, INTEGRIS is ahead of the health care curve in managing IT assets: it has policies and procedures in place in case of an incident, routinely assesses risk and uses encryption. For many health care bodies, however, the conflicting demands of digitizing patient records and supporting mobile and cloud technologies – while complying with intensifying regulations that require more regular risk assessment – broaden the perimeter they need to keep secure. Plus, all this must be attended to while staying focused on the primary objective: caring for patients.
“Health care organizations have so many challenges,” says John Kindervag, principal analyst for Forrester Research, “including some significant cultural challenges.” As Kindervag sees it, many health care organizations have done the bare minimum, or less, for the past decade in complying with the Health Insurance Portability and Accountability Act (HIPAA) and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH), even as the U.S. Department of Health and Human Services (HHS) steps up enforcement, with civil penalties of up to $1.5 million per calendar year for violations of a single provision.
“The thinking has been, ‘We're not going to do anything till someone gets fined,'” says Kindervag. “Health care, overall, has been a laggard in [IT] security.”
Now faced with what Kindervag calls a “triple whammy of compliance,” brought on by the HIPAA Omnibus Final Rule, whose compliance date is Sept. 23, industry observers say that hospitals and other health care organizations must find some way to better balance the use of new technologies with protecting their information. The rule also reaches so-called business associates – contractors and subcontractors, such as billing companies, that handle protected health information on behalf of a health care provider – making them directly liable for compliance rather than bound only by contract.
“They have to think of themselves as part of a more global environment than just health care,” Kindervag says. Others also see the hurdles.
“If you have a CISO at all, you're pretty far ahead of the curve in health care,” says Deven McGraw, director of the Health Privacy Project for the Center for Democracy and Technology (CDT), a Washington, D.C.-based advocacy organization. She points out that the level of security sophistication of health care organizations can range widely, especially since they vary in size from a solo practitioner to a large multistate system.
Darren Lacey, chief information security officer for The Johns Hopkins University and The Johns Hopkins Health System, says that because his is an academic medical center, the structure is different. “We benefit from more sophisticated security professionals and have much larger and more diverse networks.”