RE-IMAGINING HEALTH CARE SECURITY: LESSONS FROM THE FIELD

At Techumen we recognize that health care providers have highly complex clinical and business processes. In turn, these core functions rely on a large, distributed computing and communications environment. We also recognize that the demands on computing for health care will be heightened as burgeoning new care areas like population health with its attendant large data sets, precision and genomic medicine, patient-driven care protocols, networked medical instrumentation, and telehealth become firmly entrenched in caregiving.

Add to this the wide-ranging and necessary data interactions between providers, payers, patients, vendors, and other health care facilitators, and it becomes obvious that securing ePHI and keeping it private is a massive challenge. Layering on the required adherence to regulatory regimes such as HITECH, HIPAA, GDPR, HITRUST and state privacy laws only compounds this complexity.

Navigating such an environment, therefore, requires a deep, fundamental understanding of how caregiving works. At Techumen, we consider ourselves to be the “Tiffany” of advisors to complex health care environments.

Since 2008, security and privacy advisory services for health care are all we have done. Our principals have served as Chief Information Security Officers at several large health care providers including Adventist Health West (21-hospital system), St Joseph Health (14-hospital system), Trivergent Health Systems and Franciscan Health. We have also assessed the security of several academic medical centers including the Boston University and George Washington University schools of medicine.

Our decade-long focus on health care has yielded two philosophical constructs that we believe are requisite for any health care provider. These are:

a)     Patient safety is paramount. In developing security controls, or even a complete program, we will never recommend or institute anything that could potentially harm patients.

b)     Wherever possible, do not impede clinical processes. Security and privacy requirements must be almost invisible to nurses and doctors in their day-to-day work. Adding security obstacles to clinical workflows takes away from the mission of any health care organization.

Working from prior-year assessments and conducting our own gap analysis, we develop a three-year work plan to address the most serious concerns.

We summarize below the key initiatives we would conduct for any renewal of a health care provider's security and privacy program.

  1.  Develop a risk-based plan correlated to solution costs and timelines with IT leaders. Such comprehensive planning allows for clear prioritization and subsequently enhances acceptance by senior leadership (CEO and the Board).

  2. Develop a security vendor strategy. In concert with item 1, develop a security vendor rationalization strategy. For a hospital system (5 - 10 hospitals) we believe this can yield several million dollars’ worth of annual savings.

  3. Understand the computing, security, and privacy requirements for the next three years. Preparing for security and privacy in advance of new technology implementation will reduce the need for rework or remediation.

  4. Immediately shore up the largest concerns that regulators typically frown upon. This includes items such as ensuring regular patching and Business Associate Agreement (BAA) compliance from all vendors handling hospital information.

  5. Create a response program that allows senior leadership to immediately manage a breach with assistance from IT and security leaders. Unprepared management and direction can turn a breach into a spiraling, out-of-control news event.

  6. Ensure that security becomes an enabler, not a hindrance, for all IT efforts going forward. This requires foresight and critical analysis to explain the benefits of treating security adoption as a cornerstone of all IT efforts rather than as an afterthought bolted on at the end.

  7. Ensure that employee training around security and privacy is adequate and constructive.

  8. Fully understand the implications of biomedical devices for the IT infrastructure. With thousands of medical devices now connected to the main network, they pose a substantial new threat.

  9. Compare the cybersecurity insurance policy requirements with the current state of the program and its gaps. Exclusions written into the cyber-policy can limit payouts if the provider's own security negligence has led to the breach.

  10. Develop a process to integrate new hospital and clinic acquisitions with minimum friction from IT and IT security.

  11. To alleviate third-party risk, identify the key vendors and partners with whom the provider shares information, rank them in terms of importance, and subsequently use a light-weight tool and process that allows for proper due diligence.

  12. Address data security through a data security governance framework that provides a data-centric blueprint: first identify and classify data assets, and only then define data security policies, standards, procedures and guidelines.

In summary, health care now needs security professionals who:

  • Have been steeped in, and are deeply experienced in, the day-to-day clinical and business processes of health care entities.

  • Understand the technical and business complexities of delivering agreeable security and privacy to all participants in the health care ecosystem.

  • Have conducted work that is highly strategic in nature and at reasonable cost.


Feisal Nanji

A seasoned C-level technology risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.