B

We S a v e B u s i n e s s e s

INFINITY SUCCESS CONFERENCE: HEALTHCARE IT SECURITY

Shane Molinari, MSc, PMP, CISSP, SSMBB Principal, BCM Professionals

( H Q ) 3 7 8 5 C h a n t i c l e e r C t , Ta l l a h a s s e e , F L ( P ) 8 8 8 - 5 8 7 - 4 7 6 9 ( E ) i n f o @ B C M P r o f e s s i o n a l s . c o m w w w. B C M P r o s . c o m

Introduction
Healthcare information data breeches are a cause for concern, given their sensitivity and accessibility through physical access, internal networking systems, the internet, and mobile technology systems. The privacy, integrity, and confidentiality of a patient's data are key factors to be considered in the transmission of medical information for use by authorized healthcare personnel. Mobile communication has enabled medical consultancy, treatment, drug administration and the provision of laboratory results to take place outside the hospital. With the implementation of electronic patient records, the Internet, and intranets, medical information sharing amongst relevant healthcare providers is made possible. The vital issue in this method of information sharing is security. The patient's privacy, as well as the confidentiality and integrity of the healthcare information system, should not be compromised. This paper will illustrate how to use integrated processes to ensure the security and privacy of a patient's electronic medical information to ensure the integrity, availability, and confidentiality of the information.

Goal and Objective

The goal of this paper is to drive awareness to the ongoing security risks, issues, and solutions regarding patients and their sensitive information. Recent news has demonstrated the negative ripple affects realized by the patients and their loved ones when their data falls into the wrong hands. The objective is to demonstrate a viable source of scholarly intelligence for organizations to leverage when contemplating disaster management solutions. What is not intended is to promote a sense of paranoia that can easily slow progress, when the solution is relatively straightforward.

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

Problem and Impact Statement

Surrounding the core of patient data are the three founding elements of information security: Confidentiality, Integrity, and Availability. Confidentiality can be described as making every effort to prevent the disclo-

70%
Consumers concerned about HIE privacy

sure of patient information from those who are not authorized to view the patient data. The confidentiality of patient information is being breached at an alarmingly high rate. An all-encompassing list goes beyond the scope of this paper, but the following are just some of the more recent breaches that caught the publics attention:

St. Francis hospital in Broken Arrow, Oklahoma, reported that someone broke into a secured area and stole a computer containing personal health information on 84,000 patients. The information contained names, addresses, Social Security numbers, and a host of other personal information that could identify the patients.

40-64
Highest age group with concerns over privacy and security

A Maryland banker who was on the board of health for his respective state was able to look at his customers records to see who had cancer and then had those clients loans cancelled.

Integrity ensures the accuracy of the patients data while intransit. However,

82%
Consumers concerned about EHR security

2011 research has demonstrated that impacts by data breeches out stripped drug trafficking with an estimated $56.6B in costs (not including fines) with 80% of data losses due to malware. Availability of a patients Electronic Health Record (EHR) means ensuring that all patient information will be accessible

to the physician when necessary, without any disruptions in service. Yet, we frequently hear of attacks (e.g, Denial of Service) against online service providers. Recent news pointed out that if the government has determined that a web-

75%
Consumers concerned about HIE security

site presents a viable threat, they will shut the site down. Online electronic medical record

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

providers are not exempt from this rule. Any delays caused by identity theft are delays in making patient data available to the physician, which hinders the physicians ability to render the correct diagnoses.

Solution: Integrated Risk Management Approach

Look around and it is easy to see how connected people and technology have become. With advances in wireless technology (e.g., smart phone), we can take our office on the road with relative ease. Delving deeperregarding the relationships between physicians, telemedicine, and their patientsdiagnoses can be accomplished
C o n t r o l ! A c c e s s

Internet!
A c c e s s

Wireless Transfer!

Intranet!

Local Server!

Patient Data!

A c c e s s

C o n t r o l !

Sensitive information Infrastructure that houses the information People that interface and interact with the information

Generally, the approach to organizational sustainability naturally incorporates risk and security management. The term naturally reflects a natural change migration, as opposed to a hard lined shutting down of one practice to engage in a new practice. This often ends on frustration and failure throughout the organizations operational, tactical, and strategic platforms.

B C M P r o f e s s i o n a l s!

A c c e s s

C o n t r o l !
C o n t r o l !

virtually. This saves time and reduces general risks due to contagious illnesses and travel. Actionable processes are needed now more than ever, given that patient information is routinely distributed across a healthcare systems intranet, mobile / wireless architecture, and the internet. Regarding patient informatics, actionable processes are a proactive means of identifying risks to the:

Infinity Success Conference 2012: Healthcare IT Security

An evolutionary approach ensures

STANDARDS'&'BEST'PRACTICES

clear lines of communication, control, and command necessary to invoke

ENSURE SUSTAINABILITY-&COMPLIANCE

DOCUMENT CURRENT-STATE

RESOLVE WEAK AREAS

DEVELOP MITIGATIONSTRATEGIES

productive change management initiatives. The first steps include determining and documenting what activities are conducted on a daily basis to meet the needs of the organization and the patient. A solidly documented AsIs process flow will help identify gaps,

TRAINING'&'AUDIT

risks, and weak areas, when compared to best practices, standards, and compliance requirements.

Defining Risk Exposure

Once the weak areas have been identified, organizational leadership (or their designee(s)) will be able to 1) avoid, 2) transfer, 3) accept, or 4) mitigate the risk exposure(s). Risk avoidance can be accomplished by resolving the gaps and weak areas, thus avoiding the potential for the risk(s) to become a reality. Examples of avoidance can include putting locks on doors, thereby restricting access to sensitive areas (e.g., server rooms). Other examples would include strong username and password requirements for all network users. Risk transfer involves assigning the responsibility of managing the respective risk to an outside body such as an insurance agency. An example of this risk insurance would include coverage for data breeches, fires, and loss of life (e.g., workplace violence). Determining the level of risk transference would depend on a detailed opportunity costbase analysis. Risk acceptance is understanding and the willingness to bear the impact should the risk be realized. Typically, this is accepted after determining the level of impact is negligible and the probability to be low (never impossible).

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

Risk exposure is determined by the percentage probability that the risk could occur and the level of impact that would be realized if the risk became a reality. The formula generally used to determine (quantify) the level of exposure is RiskExposure (RE)= RiskProbability (RP) * Impact An example of the formula being used could be as follows: Risk: An unauthorized person could get gain access to patient records (not concerned with the why). Environment: The only barrier between the person in question and the records is the counter and administrative staff performing patient checkin (i.e., no wall or secure window as a minimum protective barrier). Probability Qualification: Could someone leap over the counter? Has this happened before (no matter the reason)? If the answers are Yes and No respectively, then the probability may be lower that 50%. If the answer is Yes and Yes, then the probability can go significantly higher. The higher the probability of this situation occurring, the closer the quantifier would be to 100%. This example will be conservative and use 1% (a person can jump over the counter, but it has never happened in 20-years). Impact Qualifier: If the penalty for exposing a patients record is $20,000.00 per incident and per record (regardless of the reason and short of a court order), then the impact would be significant to catastrophic. Given the average small doctors office has approximately 2000 active records, the math is straightforward $20,000 X 2000 = $40,000,000 Risk Exposure: RE = RP * Impact RE = 0.01 * $40M RE = $400,000

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

The question resulting from the above example should be whether it is less painful to avoid, transfer, accept, or mitigate the risk. The analysis process would include determining the opportunity cost for each of the decision points.

Integrated Healthcare IT Process Management

Statistics show that up to 80% of technical projects fail to meet their intended goals and 82% are delivered late. Recovery efforts also fail, causing even greater impacts to the organization. A primary reason for these failures is that organizations are using a single process rather than leveraging multiple processes simultaneously. It is common knowledge that technology resides at the very core of everything done in healthcare, from patient check-in, services, and records, to billing. As such, we can state that a cycle exists whereby the healthcare business cannot adequately function without technology and neither of the two can be sustained without people. Organizations are realizing the criticality of aligning multiple processes, due to the nature of having multiple stakeholders from different sectors (e.g., financial, IT, logistics), with each requiring considerable coordination and collaboration. Consequently, the approach to ensuring the security of the core asset (patient data)including its confidentiality, integrity, and availabilityis through integrated process management, including: Industry best practices Project management (e.g., resources, time, and budget for temporary activities) IT Service management (e.g., governance, change control, security)

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

 Six sigma (continual improvements) Baseline standards (e.g., International Standards Organization (ISO)) Regulatory laws (e.g., Health Information Technology for Economic and Clinical Health (HITECH) Act) For example, the next illustration will show how the governing body leverages Six Sigmas Define process within the IT Service Managements Change Management process to highlight the need for Project Management processes to carry out a requirement change. The roadmap will also reflect how the Project Management process will feed back into the Six Sigma process which will feed back into the IT Service Management process.

Governance Project Management

IT Service Management

Service Strategy

Initiate

Service Design

Change Management

Plan

Service Transition Six Sigma Service Operation Analyze

Execute

Monitor and Control Define

Close Measure Continual Service Improvement Improve

Control

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

Overall, leveraging an evolutionary integrated approach results in organizational sustainability, which in turn drives continuity, and ensures compliance by design and definition. As a result, information / data security can truly succeed as the cornerstone for healthcare information systems as they contain extremely sensitive information. The aim is to provide healthcare personnel access to the right information at the right time while ensuring high patient privacy.

Meeting Information System (IS) Security Requirements

Based on the background, security issues, and integrated solution approach, this section points out the key security and privacy conventions for healthcare applications using networks (i.e., wired & wireless networks (intranet) and the internet), including strong user authentication (especially in wireless networks) and access control. For example: Because of security complexities in a multi-user environment, control of a database is restricted by the degree of the user's involvement in the patient's treatment through role-based access control. For instance, a physician will not have access to the patient's financial information or billing, whereas the insurer will. Encryption is used to ensure security of the data and help in protecting against eavesdropping and skimming. The encryption solution includes software and hardware to ensure the greatest degree of security. Authentication assurance or mechanisms work by confirming that data is being received from the person or entity as claimed. Authentication algorithms, such as passwords, digital signatures, and challenge response authentication protocols are crucial in this security measure being successful. Since authorized users will know how to query or mine for and use valid patient data, then useless data can be added to the system that will be retrieved through inappropriate or unauthorized queries. Acquiring useless and misleading information will prove too costly for the criminal to continue with their unauthorized data mining efforts.

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

Security audits of the Information System will discourage legitimate users against the indiscriminate misuse of their privilege(s). Although this approach does not necessarily enforce control, it does detect misuse by legitimate users.

Core Change Management Competencies Needed

Change management is defined as the process, tools and techniques to manage the people side of change. From the people-perspective (command, control, communications), this involves: Understanding the change that is being implemented Analyzing the people that will be affected by the change Creating the plans and actions that will help drive the successful implementation of the change

Vision!
Dene Future State! Assess Current State!

Strategy!
Engage Primary Sponsor! Form and Prepare Project Team! Select Deployment Strategy!

Implementation!
Build Project Team! Create Change Management Plan! Create and Present Business Case! Implement Integrated Plan!

Industry data shows qualitative affects of poorly managed change can be realized in many ways, including productivity declines, passive resistance, employee disengagement, attrition, active resistance, arguments, slow adoption, work arounds, and divides between us and them. Effective change management provides a structure to solve many of these issues while achieving project objectives and return on investment. Since the purpose of this article is leveraging integrated processes for security, the core competencies that will be re-

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

quired to ensure the necessary change expectations of command, control, and communications will be met. This includes: Security Continuity Project Management Disaster Management IT Service Management Continuous Improvement

Conclusion
This paper illustrates examples of concerns raised by consumers and industries alike regarding ongoing healthcare information data breeches, the sensitivity and accessibility through physical access, internal networking systems, the internet, and mobile technology systems. The goals and objectives of information conveyance were met with the level of research and intelligence presented as a source of scholarly intelligence for organizations to leverage, without promoting a sense of paranoia. The use of integrated processes were demonstrated in such a way as to support change management and patient data privacy, integrity and confidentiality, especially during the transmission of medical information by authorized healthcare personnel. It is vital to leverage evolutionary changes to ensure organizational sustainability, continuity, and compliance for the benefit of all consumers and professionals involved.

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

10

References
Ademla 0. Adesina, A., Agbele, K., Februarie, R., Abidoye, A., & Nyongesa, H. (2011). Ensuring The Security And Privacy Of Information In Mobile Health-care Communication Systems. South African Journal Of Science, Vol. 107, Doi;10.4102/sajs. Retrieved April 9, 2012 Bambauer, D. & Day, O. (2011). The Hackers Aegis. Emory Law Journal, Vol. 60. Retrieved April 14, 2012. Dimitropoulos, L., Patel, V., Scheffler, S., & Posnack, S. (2011). Public Attitudes Toward Health Information Exchange: Perceived Benefits and Concerns. Special Issue: The American Journal Of Managed Care, Vol. 17. Retrieved April 12, 2012 Hewlett-Packard Development Company, L.P. (2009). Four Starting Points For Effective IT Project And Portfolio Management. Retrieved January 31, 2010 from http://www.hp.com/hpinfo/newsroom/press_kits/2009/lasvegasevents2009/WP_4s tartingpoints.pdf IT Governance Institute (ITGI). (2007). COBiT 4.1: Framework, Control Objectives, Management Guidelines, And Maturity Models. Rolling Meadows: ITGI. IT Governance Institute (ITGI). (2009). Retrieved on January 31, 2010 from http://www.itgi.org/template_ITGI.cfm?Section=About_IT_Governance1&Template= /ContentManagement/HTMLDisplay.cfm&ContentID=19657 Kovalchuk, Y., McDonald-Maier, K., and Howells, G. (2011). Overview of ICmetrics Technology Security Infrastructure for Autonomous and Intelligent Healthcare System. International Journal of u- and e- Service, Science and Technology, Vol. 4, No. 3. Retrieved April 14, 2012. Kumar, P. & Lee, H. (2012). Security Issues in Healthcare Applications Using Wireless Medical Sensor Networks: A Survey. Sensors, 12, 55-91, doi:10.3390/s120100055. Retrieved April 15, 2012

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

11

Lenert, L. & Sundwall,D. (2012). Opportunity Forged by Crisis: Public Health Surveillance and Meaningful Use RegulationsA Crisis of Opportunity. American Journal of Public Health Government, Politics, and Law, Vol 102, No. 3. Retrieved April 15, 2012. Mohanty, P. (2009). Using E-Tools For Good Governance & Administrative Reforms. Retrieved January 16, 2010 from http://www.cgg.gov.in/workingpapers/eGovPaperARC.pdf Project Management Institute (PMI). (2004). A Guide To The Project Management Body Of Knowledge: PMBOK Guide, 3rd Edition. Newtown Square: Project Management Institute. Sarrico. C. & Hauenstein, J. (2011). Can EHRs and HIEs Get Along With HIPAA security Requirements? Journal of Healthcare Financial Management. Retrieved April 15, 2012. Prosci. (2009). What, Why And How Of Enterprise Change Management (ECM). Prosci Change Management Learning Center. Retrieved April 22, 2012 from http://www.change-management.com/Prosci-ECM-What-Why-How.pdf TIBCO. (2009). The Role Of Governance In Ensuring SOA Success. Retrieved January 31, 2010 from http://www.tibco.com/multimedia/wp-role-of-governance-ensuring-soa-success_tcm 8-8998.pdf Warkentin, M., Moore, R., Bekkering, E., & Johnston, A. (2009). Analysis Of Systems Development Project Risks: An Integrative Framework. ACM SIGMIS Database, 40(2), 8-27

B C M P r o f e s s i o n a l s!

Infinity Success Conference 2012: Healthcare IT Security

12