Walnut Hill Medical Center CIO Aaron Miri: The top data security concerns, threats & strategies for 2015

Healthcare data security is top-of-mind for hospital and health system CIOs. Aaron Miri, CIO of Walnut Hill Medical Center in Dallas, offers insight into key data security trends for CIOs to watch this year.

Question: What are your biggest data security concerns this year?

Aaron Miri: Healthcare, especially healthcare IT, is right in the middle of unprecedented change. With the landscape shift comes the urgent need for legislation and regulation that aligns with the rapidly shifting field that the hospital and provider community is operating within. As a CIO, my biggest concern is that we have a level operating field that all healthcare entities (manufacturers, providers, long term health, etc.) all operate on that allows for a trust to be built with one another. The community needs a defined ePHI data framework with respective data standards that all must abide by for any ePHI data at rest and for ePHI data in transit. Quite simply – if there aren't any rules to govern how to use the highways that are built, then what is the benefit in driving my car on them?

Q: What do you think are the biggest threats to data security?

AM: First, is general awareness and security-minded education. It's amazing the amount of phishing attacks that are occurring on a very frequent basis. Intuitively you know that it must be occurring because the senders are achieving a level of success with users clicking on the email and downloading the email attachment in order to receive the "prize they have won."

Second, is the monetization of the patient record and how lucrative the black market is for patient data.

Third, is the human factor. It's only human, for example, that computer code is written imperfectly, or a computer is accidentally left unpatched or someone accidentally sends an unencrypted file to a mistyped email address.

Last, but certainly not least, is until there's a federally enforced framework for all ePHI data at rest and data in transit, you will continue to see a varied technical landscape for that data.

Q: How are you addressing these concerns?

AM: Internally it's a matter of constant education with our clinical partners and reinforcement of that security- and privacy-minded education through classroom-led instruction, rounding floor by floor and building by building, ensuring all of our policies are up to date.

From a perspective of systems and technology, we are partnering with top companies in the industry, and other healthcare communities (such as HIMSS and CHIME) in as much technical and data sharing as we can. Unfortunately there's not a national threat information sharing network that's endorsed or one that's free/affordable for all on any actionable threat intelligence; so the healthcare community is galvanizing in trying to patch something together to help each other out. We are also working closely with the Office of the National Coordinator and other federal organizations in trying to move the standards and requirements forward.

Q: How are you involving your team in data security strategies?

AM: Walnut Hill is an amazing organization in that from our physician, clinical and executive leadership – there's no shortage of buy-in. In whatever decision making meetings that take place, everything we do is decided upon for the patient with quality, safety and security in mind. So my involvement of my team is universal in that it extends beyond IT. Make no mistake about it – data security isn't just an IT "thing." It's absolutely an organization "thing" and it starts at the very top and goes to the very front lines. The beauty of my organization is that we are all in, all the time; on behalf of the patients we serve.

Q: How are the rest of the C-suite leaders involved in your big strategies for this year?

AM: My colleagues and I are constantly collaborating on moving the ball forward. Organizationally, we are in existence because of the vacuum that exists sometimes within the larger healthcare delivery arena. Therefore whether it's modification of policies, or development of new training material; I always know that the other leaders in the organization have my back and I have theirs. Healthcare data security is everyone's concern as it should be.

Q: What can CIOs do to boost awareness of data security issues?

AM: I want to stress that we must all tell our stories to our legislators, to our policy makers and to their staffers about what really is happening on the ground. The federal government is definitely listening and is hungry for those real world examples of where boots are on the ground with our patients in need. We must advocate, we must participate and we must be available for them in order to move the ball forward – especially in the realm of data security.
