Journal of Health Care Compliance — September – October 2010
Feisal Nanji is executive director of Techumen, a consulting firm focusing on securing health care information. He is a graduate of the University of Notre Dame and Harvard University. He is also a Certified Information Systems Security Professional (CISSP). He can be reached at feisal@techumen.com.
The BP Crisis and Information Security Compliance in Health Care: Parallel Disasters?
Organizations Must Build In Security with the Right Balance of Processes, Behavior Changes, and Technology Controls
Feisal Nanji
“You need to divorce operations monitoring from the integrity monitoring, because operations will always be the one driving behavior. They’re motivated by the need to keep things going, and the finances rolling.”
— David Doig, chief executive officer, Offshore Petroleum Industry Training Organization, Britain. (Commenting on the failure of compliance in the BP crisis, New York Times, May 7, 2010)
We have witnessed and are still suffering from the largest environmental disaster in our nation’s history. The British Petroleum (BP) oil spill has ripped apart our hearts and also our nation’s sense of complacency. We no longer can trust machines to do everything for us by clockwork. We trusted the human operators in the Gulf, but that too was not enough. The devastation has been extraordinary and mind numbing. Could better monitoring or compliance have prevented this?

This article is a wake-up call to compliance professionals in health care. Like the persistent shrill ringing of an alarm to someone in a deep slumber, its tone may be harsh. The message may be uncomfortable, but it is very necessary.

This article aims to lay out some of our information security shortcomings in health care and how they can be fixed through better information governance. This is not about meeting Health Insurance Portability and Accountability Act (HIPAA) standards for security or privacy. It is about compliance officers doing the right thing for their employers and their country.

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the country has embarked on a massive transformation of health information technology (IT). HITECH’s intent is to use information technology to make a major dent in controlling health care costs and to improve patient outcomes. HITECH represents a public investment of more than $19 billion toward health care IT-related initiatives. It is a sorely needed transformation.

We need better information systems and their adoption by health providers to coordinate what will amount to 20 percent of the nation’s gross domestic product (GDP) by 2015. Health care is the largest industry in the United States, yet most technologists (and others) would agree it serves its customers poorly in information delivery. The government’s passage of HITECH is a clear recognition that this has to change. With the muscle of large incentives offered to health providers, we are hopeful that it will succeed.

The transformation does not come without costs. Of note, it forces health providers and other covered entities (CEs) to face new compliance challenges for information security and privacy. This article addresses several aspects of these challenges and argues for some fundamental changes for compliance groups at CEs.

Briefly, we cover:
• why information security is a matter of national urgency and priority;
• the current state of health information security in the United States;
• Congress’ response to improving security and privacy of protected health information (PHI);
• key new provisions for achieving compliance;
• what can go wrong and the possible damage from inadequate security; and
• how CEs might consider fixing a fundamental flaw in current compliance efforts.
THE INFORMATION SECURITY CRISIS IN THE UNITED STATES
As the 2008 financial crisis unfolded, experts worldwide were stunned by the rapid collapse of Bear Stearns and Lehman Brothers. It took a heroic, nail-biting, coordinated bail-out effort on the part of several governments to save us from financial calamity. Likewise, in 2010 we have come to trust the workings of the Internet without question. Many of us assume that the Internet is safe, robust, and adequately protected. This is a dangerous complacency.

Consider these two excerpts reported in a piece by Steve Kroft on CBS’ 60 Minutes that aired in November 2009.

“It is now clear this cyber threat is one [of] the most serious economic and national security challenges we face as a nation,” President Obama said during a speech. Four months after taking office, Obama made those concerns part of our national defense policy, declaring the country’s digital infrastructure a strategic asset and confirming that cyber warfare had moved beyond theory.

“We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness,” the president said.

Until February of this year, Mike McConnell was the nation’s top spy. As chief of national intelligence, he oversaw the Central Intelligence Agency, the Defense Intelligence Agency, and the National Security Agency. Few people know as much about cyber warfare, and our dependency on the power grid, and the computer networks that deliver our oil and gas, pump and purify our water, keep track of our money, and operate our transportation systems.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” McConnell explained.

“Do you believe our adversaries have the capability of bringing down a power grid?” Kroft asked.

“I do,” McConnell replied.

Asked if the United States is prepared for such an attack, McConnell told Kroft, “No. The United States is not prepared for such an attack.”
To be sure, there have been vast improvements in our cyber-security since our 9/11 wake-up call, but much of this has occurred in financial services firms and at the Department of Defense. At Techumen, our principals were pioneers in reducing information risk for several of the country’s leading banks and financial institutions. We know that after 9/11 it took dedicated, consistent effort for banks to build adequate teams and protections to improve information security. In our view, however, this has not hit home for health providers, insurers, or other CEs. We know this because Techumen now focuses exclusively on securing health care information. We find that most of our clients have immature information security operations and offer poor protection of PHI.
THE CURRENT STATE OF HEALTH INFORMATION SECURITY
Based on our experience with securing both financial and health care information systems, the current state of information security in health care is shoddy. Perhaps most dangerously, in most health care organizations the fox is running the henhouse. How can this be true? Many health leaders will argue that “we have a good compliance office” and a superb chief information officer (CIO) who “looks over” information security. That is precisely the point. No CIO should have purview over the information security realm.

The duties of the CIO at any health provider are to deliver economic, efficient, and seamless information technology services that improve the health of patients. These are operational considerations, and they are indeed vital; however, as the BP crisis has demonstrated, if integrity monitoring is also a function for CIOs, we are setting ourselves up for failure.

Compliance officers may disagree and state that the compliance office is in charge. The central question, then, is to whom the security officer reports. If your chief information security officer (CISO) also reports to the CIO, then his allegiance is to make operations hum and not to “impede” information flow by introducing security checkpoints. The fox is really running the henhouse. The fox may be well meaning and kind, but he is still a fox.

Like all other industries, health care has turned sophisticated and technically complex. Most hospital information systems function with a bevy of routers, switches, email servers, magnetic resonance imaging (MRI) devices, bedside monitors, electronic medical record (EMR) applications, practice management systems, and laboratory information systems. As such, the role of a CIO has become largely operational. The CIO’s primary responsibility is to make sure that information flows freely and that applications work. Without question, all this advanced technology we have in health care requires a certain degree of operational heroism.

It takes real science blended in with the correct amount of art, negotiation, and persuasion to deliver good information technology on time and under budget. We acknowledge that a successful modern health care CIO is an expert at making his operations run despite his many constraints. The CIO, however, also should not be saddled with the responsibility of making sure that these operations run with integrity and securely. In an informal survey we conducted, we found that seven out of 10 leading health care providers had the CISO role reporting directly to the CIO.

So how did integrity monitoring and operations in health care become so commingled? As our health infrastructure matured, it was only natural for the most senior “technical” person (i.e., the CIO) to supervise another technically oriented person but one who was solely responsible for security — the CISO. It seems like a rational and natural enough