Healthcare Data Has to Be Both Secure and Right
"Go back to the old tenets of security, with confidentiality, integrity, and availability. We started thinking that, of those three, we really focused on the confidentiality. But as an industry, we haven't focused that much on the integrity -- and the integrity is closely tied to the quality," said Keith Duemling, Information Security Officer at Lake Health, a regional health system in Ohio.
Lake Health, a regional healthcare system in northeast Ohio, has been examining its information-security practices with a maturing approach. It is shifting from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers.
This has caused Lake Health to look at the quality of its data. That's an extremely important factor when doctors are using the information to make life-and-death decisions every day.
Keith Duemling, Lake Health's Information Security Officer has been expanding the breadth and depth of risk management there to a more holistic level, deciding which risk and compliance services to seek from outside providers and which to keep on-premises.
Listen to a podcast featuring Duemling exploring these and other security-related enterprise IT issues. The discussion is co-hosted by Paul Muller, chief software evangelist at HP, and Raf Los, chief security evangelist at HP. The discussion is moderated by Dana Gardner.
Download the podcast (39:45 minutes) or use the player:
Here are some excerpts:
Dana Gardner: Many people are practicing IT security and they're employing products and technologies. They're putting in best practices and methods, of course.
But you have a different take. You've almost abstracted this up to information assurance -- even quality assurance -- for knowledge, information, and privacy. Tell me how that higher abstraction works, and why you think it's more important or more successful than just IT security?
Keith Duemling: If you look at the history of information security at Lake Health, we started like most other organizations. We were very technology focused, implementing one or two point solutions to address specific issues. As our program evolved, we started to change how we looked at it and considered it less of a pure privacy issue and more of a privacy and quality issue.
Go back to the old tenets of security, with confidentiality, integrity, and availability. We started thinking that, of those three, we really focused on the confidentiality. But as an industry, we haven't focused that much on the integrity -- and the integrity is closely tied to the quality.
So we wanted to transform our program into an information-assurance program, so that we could allow our clinicians and other caregivers to have the highest level of assurance that the information they're making decisions based on is accurate and is available, when it needs to be, so that they feel comfortable in what they are doing.
As background, Lake Health is a not-for-profit healthcare system. We're about 45 minutes outside of Cleveland, Ohio. We have two freestanding hospitals and approximately 16 satellite sites of different sizes that provide healthcare to the citizens of the county that we're in and three adjacent counties.
We have three freestanding 24-7 emergency rooms, which treat all kinds of injuries, from the simple broken fingers to severe car accidents, heart attacks, things of that nature.
We also have partnerships with a number of very large healthcare systems in the region, and organizations of that size. We send some of our more critically injured patients to those providers, and they will send some of their patients to us for more localized, smaller care closer to their place of residence.
We've grown from a single, small community hospital to the organization that we have now.
I've been with Lake Health for a little under eight years now. I started as a systems administrator, managing a set of Windows servers, and evolved to my current position over time.
Typically, when I started, an individual was assigned a set of projects to work on, and I was assigned a series of security projects. I had a security background that I came to the organization with. Over time, those projects congealed into the security program that we have now, and if I am not mistaken, it's in its third iteration right now. We seem to be on a three-year run for our security program, before it goes through a major retrofit.
So it's not just protecting information from being disclosed, but it's protecting information so that it's the right information, at the right time, for the right patient, for the right plan of care.
From a high level, the program has evolved from simple origins to more of a holistic type of analysis, where we look at the program and how it will impact patient care and the quality of that patient care.
Gardner: It sounds like what I used to hear -- and it shows how long I have been around -- in the manufacturing sector. I covered that 20 years ago. They talked about a move toward quality, and rather than just looking at minute or specific parts of a process, they had to look at it in total. It was a maturity move on behalf of the manufacturers, at that time.
Raf Los, do you see this as sort of a catching up time for IT and for security practices that are maybe 20 years behind where manufacturing was?
Raf Los: What Keith's group is going, and where many organizations are evolving to, is a practice that focuses less on "doing security" and more on enabling the enterprise and keeping quality high. After all, security is simply a function of -- one of the three pillars -- of quality. We look at does it perform, does it function, and is it secure?
So it's a natural expansion of this, sort of a Six Sigma-esque approach to the business, where IT is catching up, as you've aptly put it. So I tend to agree with it.
Gardner: Of course, compliance is really important in the healthcare field. Keith, tell us how your approach may also be benefiting you, not just in the quality of the information, but helping you with your regulatory and compliance requirements too?
Duemling: In the approach that we've taken, we haven't tried to change the dynamics of that significantly. We've just tried to look at the other side of the coin, when it comes to security. We find that a lot of the controls that we put in place for security benefit from an assurance standpoint, and the same controls for assurance also benefit from a security standpoint.
As long as we align what we're doing to industry-accepted frameworks, whether it'd be NIST or ISO, and then add the healthcare-specific elements on top of that, we find that that gives us a good architecture to continue our program, and to be mindful of the assurance aspect as well as the security side.
One of the other benefits of the approach is that we look at the data itself or the business function and try to understand the risks associated with it and the importance of those functions and the availability of the data. When we put the controls and the protective measures around that, we typically find that if we're looking specifically at what the target is when we implement the control, our controls will last better and they will defend from multiple threats.
So we're not putting in a point solution to protect against the buzzword of the day. We're trying to put in technologies and practices that will improve the process and make it more resilient from both what the threats are today and what they are in the future.