Where Health Data Security is Concerned, Don’t Go It Alone

Last week, Healthcare IT News interviewed Pamela Arora, CIO of Children’s Medical Center Dallas. Arora also sits on the board of HITRUST, a group of healthcare and technology providers that defined the Common Security Framework (CSF). The CSF harmonizes controls from regulations and security standards, HIPAA among them, into a single framework for protecting health information, so that an organization can assess and certify against one set of requirements instead of several.
The interview centered on Ms. Arora’s experiences in leading IT for the major healthcare provider, especially around data security. In the end, she summed it up this way: You can’t do it alone.
What did she mean when she said a CIO shouldn’t “go it alone”? Here are a few of her observations and how they can guide your own data security strategy.
Data security is bigger than just “IT”
As a CIO, you have to be conscious of every aspect of data security, across the entire infrastructure, at all times. To prevent data leaks and breaches, every layer has to be secured. This includes:
- fixed assets like servers, desktops and POS devices
- mobile assets like laptops, tablets and smartphones
- the network, the intranet, the VPNs and the Internet
- software applications, both internal and third-party
- SAN and NAS storage
- AND the virtual counterparts to all of these — think “the cloud”
This is more than just an “IT problem.” Health data security is so critical that large providers appoint a separate information security officer. The CISO works with leaders across the company to address data security concerns, including employee policies, access control, physical premises, and, yes, IT infrastructure. Involving every department, not just IT, cultivates a company-wide culture of data security.
Go beyond the bare requirements
Is compliance with the HITECH Act and HIPAA really enough? According to this CIO, no. These laws can be stringent in places, but they define only the minimum baseline we should aim for.
The main goal of HITECH was to advance the use of information technology in healthcare, and it did that. But digitizing records and processing heightened concerns about privacy and data security. HIPAA, which predates HITECH, defines protected health information (PHI) and sets the privacy and security rules for handling it; HITECH extended those rules to business associates, raised the penalties for violations, and added breach notification requirements.
Compliance with these laws is reactive: we put protections in place because we are ordered to. Healthcare providers can go further by working together and with groups like HITRUST. HITRUST, for example, is partnering with agencies to share threat intelligence with cybersecurity providers, which strengthens the security measures already in place. And because HITRUST scores an organization’s security risk level, providers with more stringent protections can qualify for better rates on cybersecurity insurance.
Who’s to say you’re certifiably safe?
So, you’ve got a designated CISO. You’re sharing data on known threats. You’ve even got a low risk profile. But no company today is an island. Regardless of your size, there are always third parties to consider, and Ms. Arora notes it is almost impossible to know everything about a third party’s security environment.
One way to reduce that uncertainty is to favor vendors that meet the CSF security requirements. Vendors can go through the HITRUST certification program to demonstrate compliance with those requirements, and using certified vendors reduces the risk you take on from third parties.
Certification is still evolving, so the lack of a certificate doesn’t mean a vendor is untrustworthy. Still, as more vendors adhere to the CSF requirements, we can rest easier in our partner selection.
Don’t go it alone
Pamela Arora shared far more insights than what we’ve covered here. But a theme throughout her answers was this: Healthcare CIOs and CISOs can’t do it alone.
- Yes, data security requires we protect our physical and virtual assets. But it also requires we include employees from across all departments, not just IT.
- Yes, we have to comply with HIPAA mandates to keep PHI private. But we should also share threat and risk information, so we all end up better protected.
- And yes, we can secure our own environments. But we also need to verify, through certification where it is available, how well our third parties handle our data.
Originally published at www.paranet.com.