How a Breach Led to Change in Culture
Partners Healthcare's CISO Describes Broader Role
In the aftermath of a major breach incident, Partners Healthcare in Boston is taking a series of steps to change the corporate culture to emphasize the importance of privacy and security.
Jennings Aske, who oversees both information security and privacy at Partners, says the time has come to adjust outdated programs.
"We as an organization have come to the conclusion that programs that we built for initial HIPAA compliance really aren't sufficient for the sorts of threats that we deal with now," Aske says in an interview with HealthcareInfoSecurity (transcript below).
As part of the change in corporate culture, Partners has merged its approach to privacy and security and created a new functional unit, Aske says.
The new approach includes solidifying priorities for user training and awareness, identity management and mobile device management. "We have several related initiatives that we're undertaking as well, trying to position ourselves to deal with the changing threat and regulatory environment that we're now operating in," Aske says.
Learning from a Breach
Massachusetts General Hospital, owned by Partners, paid $1 million as part of a federal settlement after a breach involving lost documents containing patient information.
The breach led to an honest conversation about the privacy and security of patients, Aske stresses. "It's led to a cultural change where people are now self-reporting incidents," he says. "What I've seen is a cultural change from the top down, in terms of trying to be compliant and trying to report if there's an incident."
In the interview, Aske also discusses:
- Security and privacy priorities for 2013, including identity management, mobile device management, and asset management;
- Partners' plans for cautiously using cloud computing. "We're evaluating cloud vendors to make sure their security models align with our requirements," he says;
- Tips for how other organizations can change their privacy and security culture.
In addition to his role as Partners' chief information security officer, Aske is Partners' corporate director of information security and privacy. Partners owns Massachusetts General Hospital and Brigham and Women's Hospital, several other community and specialty hospitals and numerous other units. Before joining Partners, Aske, an attorney, was the CISO at UMass Memorial Hospital. He also formerly served as CISO for Massachusetts's Executive Office of Health and Human Services, where he was responsible for coordinating information security across the 16 state agencies. Aske also previously was the information security officer for the state's department of public health.
MARIANNE KOLBASUK MCGEE: Tell us about your organization and your role.
JENNINGS ASKE: Partners Healthcare is an integrated delivery system. It's the largest private-sector employer in the Commonwealth of Massachusetts. We have about 60,000 employees, and then we have an additional 20,000 or so people who use our systems. We manage about 80,000 people in our environment.
Our system was formed in 1994 by Massachusetts General Hospital and Brigham and Women's Hospital, and we've acquired several other entities since that time. I'm actually the chief information security and privacy officer for Partners Healthcare. It's a recent change in terms of my responsibility and that really reflects on some of the priorities we have as an organization that relates to information security.
Security, Privacy Priorities
MCGEE: Tell us about some of those priorities for security and privacy for 2013.
ASKE: We as an organization have come to the conclusion that the privacy and security programs that we built for initial HIPAA compliance really aren't sufficient for the sorts of threats that we deal with now: the change in the regulatory regime, the active enforcement that we're seeing from regulators, and just in terms of our obligation to secure patient and research data.
To that end, we've actually decided to merge our approach to privacy and security and create a functional unit. Building out that privacy and security unit ... is going to be one of our primary responsibilities and goals of this year. In terms of that, we're also trying to think through what are our priorities across a range of problems ... things like identity management, mobile device management, asset management, user training and awareness. We have several related initiatives that we're undertaking as well, trying to position ourselves to deal with the changing threat and regulatory environment that we're now operating in.
Mobile Security Programs
MCGEE: You mentioned mobile. What sort of mobile security and privacy programs do you have under way?
ASKE: We have existing policies that establish requirements for mobile devices, including BYOD. Unfortunately, they're policies and users can choose to comply or not. What we're really trying to do is develop enforcement mechanisms.
So to that end, we're locking down our e-mail platform and basically restricting the ability of people to use it unless they're using secured devices. We're developing real training and awareness to make those policies a little more upfront. [We are also] trying to be more proactive about the consumer devices people are bringing into the environment, evaluating them and trying to get a sense of whether or not they comply with our security policies so that we can very quickly let people know that device "X" just isn't acceptable to the environment. We've been a little slow at that, so we're trying to be a little more agile and upfront about it.
Addressing the Cloud
MCGEE: What are your plans for the cloud?
ASKE: The cloud is a challenge for us, like most HIPAA-covered entities. Cloud providers, if we're to use them, have to sign business associate agreements and meet certain security requirements, and, to date, cloud vendors have been hesitant to do that. We have what I refer to as the Dropbox problem, which is people want to bring these consumer-grade products into the environment, and I don't blame them. They're good products. They sometimes work better than the enterprise products that we offer for sharing files and things. Our real goal is to try and identify corporate equivalents of some of those consumer-grade technologies.
One of our big pushes is to identify our corporate version of Dropbox, and we're negotiating through a vendor right now. I can't name that vendor, but assuming all goes well, that will be one of our first forays into a corporate cloud offering, and it will be purely a cloud offering. We're not doing a private cloud.
As an organization, we've said we can't fear the cloud. We just have to make sure that we evaluate cloud vendors to make sure their security models align with our requirements. Then [we] really leverage true cloud computing as opposed to kind of doing a partial private cloud approach, which, to me, you're not really doing the cloud then. You're just simply hosting more of your infrastructure, and that's not the point of the cloud. You're not achieving the efficiencies from a cost and scalability perspective.
Breach Lessons Learned
MCGEE: Massachusetts General, one of Partners' hospitals, received a hefty federal fine because of some lost documents containing patient information. What changes have taken place ... since that happened?
ASKE: The primary change is that situation started a real, honest conversation about the health of the patient. By that I mean we've had meaningful conversations with management about the need to increase, or amp up, our privacy and security program, and it's led to a cultural change where people are now self-reporting incidents.
The reality is people in healthcare and busy academic medical centers work with lots of data and they work fast and furious trying to treat patients, and mistakes happen. People lose devices; paper gets left places. But what I've seen is a cultural change from the top down, in terms of trying to be compliant and trying to report if there's an incident, and being transparent about our needs to secure the environment.
It's unfortunate that it happened. We all feel sick to our stomachs thinking about it, and we feel terrible for the patients that were affected by it. But the reality is, at some level, it was a good thing because it does force an honest conversation about the health of the patient, and that's clearly something that's a primary principle in healthcare.
MCGEE: You mentioned changing culture. How hard is it to change a culture and to have people aware of what they need to do and what they shouldn't do? Does it take a lot of training? Does it take a lot of persuasion? What do you do?
ASKE: It's all of the above. The reality is there's no single message that resonates with all the actors across an organization, and the reality is a lot of clinicians view privacy and security as an impediment to care. What they forget is that the original Hippocratic Oath actually contained provisions about patient data confidentiality, showing that this kind of importance of confidentiality, integrity and availability is really the critical thing.
In fact, in healthcare I found that talking about data confidentiality is not a very well-received message in the sense that most of the time a patient shows up and you need to make it easy for people to access data. A lot of the controls you have in place actually are impediments to that.
But what you can do is talk about data integrity and availability and it's a really powerful message with the clinician to say, "If these controls aren't in place, the data may be modified by an unauthorized person or may not be available to you and then you can't treat the patient accurately." That's a more powerful message than talking about passwords and who can access things. You really need to focus your messaging on what resonates with the clinician.
And there are times where you have to use the stick too. That's part of it. Everything from sanctions to persuasion to just honest conversations is what you do to try and change the culture.