Addressing Health Data Sharing Risks: Hospital CISO Discusses Security Steps
As healthcare organizations step up their efforts this year to exchange more patient data with others to help improve care, it's urgent that they address the "significant risks" involved, says Erik Devine, chief security officer at 370-bed Riverside Medical Center in Kankakee, Ill.
The Office of the National Coordinator for Health IT, the unit of the Department of Health and Human Services that oversees policy and standards for the HITECH Act electronic health record financial incentive program, later this month expects to release a final draft of a "10-year roadmap" that includes an emphasis on the interoperability of EHR systems, paving the way for nationwide secure health data exchange. This comes as Congress is demanding more scrutiny of EHRs that "block" interoperable health information exchange, impeding efforts to improve access to data to boost care quality.
An important question that healthcare organizations need to ask as health information exchange gains momentum, Devine says in an interview with Information Security Media Group, is "Are we prepared to manage all the information that's flowing in and out of the system?"
To help defend against the increased risk of breaches during health information exchange, Devine says it's vital that healthcare providers use "very strong encryption methods for data in transit and at rest."
Plus, data needs to be inaccessible to anyone who doesn't need to access it "at every level, from the provider, to the healthcare information exchange steward, to the data that's sitting on the servers in the data center at your hospital. That is key for HIE to be successful," Devine stresses.
Healthcare organizations need to step up their defenses as they ramp up information exchange locally, regionally and nationally because "it's not going to be rocket science for [bad actors] to take this data," Devine says. "They're going to find vulnerabilities in these systems, they are going to find vulnerabilities in process or workflow, including a simple social engineering attack."
In the interview, Devine also discusses:
- Advanced persistent threats facing healthcare, as well as the threats posed by employees and business associates;
- The challenges involved with securing applications;
- Riverside's top information security priorities and projects for 2015;
- How his new position teaching computer science at a local university will potentially help him tap new talent and ideas for his organization.
As chief security officer at Riverside, located south of Chicago, Devine is responsible for the security of the medical center's information systems as well as compliance and policy issues. Devine has worked in IT since 1994, and in information security since 1999. He held information security roles in the financial sector during most of his career until he joined Riverside in 2011. Devine also is an adjunct professor of computer science at Olivet Nazarene University in Bourbonnais, Ill.