I wrote recently that if the CIO is the only one worrying about the EHR implementation, it’s a problem. Likewise, if the CIO and the Chief Information Security Officer (CISO) are the only ones thinking about IT security, it’s a problem. You only have to read the news any given week to see the rising number of breaches within health care – the recent Anthem breach being the biggest to date with over 80 million records involved. And there is a new breach we are all hearing about as of this week – Premera Blue Cross potentially involving financial and medical records of up to 11 million customers.
IT security is a common topic amongst health care CIOs these days. We are continually trying to learn from one another and share best practices.
I recently had a third party IT security assessment done for our health system in order to identify key gaps and get recommendations to strengthen our IT security program. One of the best pieces in the final report was about creating a security culture. So what’s a security culture?
Signs an organization has developed a security culture include the following:
- Security is discussed at the senior executive level, with critical decisions about organizational security activities made by the CEO and other senior leaders;
- Senior executives receive regular reports on the security posture of the organization, and incorporate them into overall organizational risk management;
- The organization has a CISO, positioned to influence organizational activities, and who operates independent of conflicts of interest;
- Security staffing levels are adequate to address the existing and future security issues;
- Security is a defined budgetary item, with security spending sufficient to address identified risks;
- Security is incorporated into overall organizational activities, including system acquisition, and data sharing with business partners;
- The organization’s research arm views security as critical to research activities, even if the research involves information considered public; and
- Workforce members are aware of their roles and responsibilities with respect to IT security and are held accountable to meeting them.
In order to ensure that all devices were encrypted, we have rolled out our mobile device management (MDM) solution throughout the health system. As we did, we emphasized its necessity and benefits.
From one of our messages in the final weeks of the rollout:
UMHS has an encryption plan to honor the trust placed in us by our patients and staff to safeguard their sensitive information. As many of us use smartphones and tablets to store and transfer this information, we are obligated to encrypt these devices.
Through encryption, we maintain patient confidentiality, build trust, and ensure the following:
- Integrity of our patient-provider relationships
- Accuracy of the information we receive and thus the quality of care we provide
- Continuity of care with accurate medical information
- Willingness of patients to participate in research studies
Therefore, we must always remain diligent about mobile device encryption.
Some faculty and staff were concerned about losing control of their devices. As our communications evolved, we needed to answer those concerns. Our messages included the following points:
The MDM solution does NOT:
- Collect any data related to phone calls, texts, location, or web browsing.
- Track telephone numbers, texts, or the content of those communications
- View or monitor personal or corporate email usage or content
- Activate a remote camera
In an organization with a strong security culture, the workforce would be more security aware already, and more ready to deploy needed solutions. And resources are able to focus on deploying solutions rather than preventing user efforts to work around needed security.
At UMHS, we will continue to strengthen our IT security program and work to bring everyone along through increased education and awareness efforts as we develop a strong security culture.