Search Guidance for a Chief Medical Security Officer

A Business Case Model

By Richard J. Mata MD MS CIS



The Mighty-Soft Hospital is a futuristic 1,500 bed fortress-like facility operating with a state-of-the-art dual wired-wireless infrastructure complete with a computerized physician order entry system, radio frequency identification (RFID) inventory control tags, and integrated electronic medical records (EMRs) that are the envy of its competitors and vendors, and offer a formidable strategic competitive advantage in the marketplace.

Now, imagine the potential liability, PR disaster and chagrin when its enfant terrible CEO is told of a massive security breach similar to the ChoicePoint and Lexis-Nexis fiascos.  The ID theft involves release of critically protected healthcare financial, employment, clinical, and contact information for all of its patients, employees, physicians, business associates, and affiliated medical personnel.

Suddenly, senior management is charged with the task of establishing the new position of Chief Medical Security Officer (CMSO) for Mighty-Soft, and navigating a crisis management dilemma never previously faced by the formerly HIPAA-compliant electronic giant.

The CMSO is to be a senior level management position responsible for championing institutional security.  Awareness of electronic and HIPAA policy and procedure developments, while working to ensure compliance with internal and external standards related to information security, is vital.  The CMSO is to report directly to the CEO and the CIO.

The Search Committee developed the following list of CMSO duties and responsibilities:

  • Chair the hospital’s Information Security and Privacy Committee in its policy development efforts to maintain the security and integrity of information assets in compliance with state and federal laws, and accreditation standards.
  • Provide project management and operational responsibility for the administration, coordination, and implementation of information security policies and procedures across the enterprise-wide hospital system.
  • Perform periodic information security risk assessments including disaster recovery and contingency planning, and coordinate internal audits to ensure that appropriate access to information assets is maintained.
  • Work with the financial division to coordinate a business recovery plan.
  • Serve as a central repository for information security-related issues and performance indicators.  Research security or database software for implementing the central repository, noting that a server-based system could be useful over a Wide Area Network (WAN) so this information can be shared across the enterprise-wide hospital system.  Develop, implement, and administer a coordinated process for responding to such issues.
  • Function when necessary as an approval authority for platform and/or application security and coordinate efforts to educate the hospital community in good information security practices.
  • Maintain a broad understanding of federal and state laws relating to information security and privacy, security policies, industry best practices, exposures, and their application to the healthcare information technology environment.
  • Make recommendations for short- and long-range security planning in response to future systems, new technology, and new organizational challenges.
  • Act as an advocate for security and privacy on internal and external committees as necessary.
  • Develop, maintain, and administer the security budget required to fulfill organizational information security expectations.
  • Demonstrate effectiveness with consensus building, policy development, and verbal and written communication skills.
  • Possess the clear ability to explain information technology concepts to audiences outside the field.
  • Become the public face for the Mighty-Soft Hospital’s legacy security system.

Minimum Qualifications:

  • MD, DO, DPM, DDS, DMD, with bachelor’s/master’s degree in computer science or related field or equivalent experience.
  • Three or more years of experience in the healthcare industry.
  • Five or more years of experience in information security.
  • Eight or more years of experience in information technology.
  • In-depth understanding of network and system security technology and practices across all major computing areas (mainframe, client/server, PC/LAN, telephony) with a special emphasis on Internet related technology.

Preferred Qualifications:

  • Experience with electronic medical devices.
  • Specific experiences in the healthcare industry.
  • Familiarity with legislation and standards for PHI and patient privacy.
  • Demonstrated successful project management expertise.
  • Professional certification, e.g., CISSP, CISA, PMP.
  • Experience with student record/higher education laws.

Key Issues:

  • What is your IT hardware infrastructure and how are security-related devices deployed?
  • What security requirements are imposed by federal and state authorities on your institution?
  • What would you consider the most important criteria for choosing a CMSO?
  • What relationship will the CMSO have with the CIO, CMIO and CEO?
  • What level of security education/training do you consider necessary for your hospital community?
  • What are the key security issues your CMSO will have to address?
  • What are the key privacy issues?
  • What are the key risk management issues?
  • What are the pros and cons of EHRs for your institution?
  • What do you see as the EHR priorities for your CMSO?
  • What are the security issues of EHRs for your institution?

Assessment

How would you select a CMSO?

Conclusion

And so, your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:


Understanding HIT Security Risks – The Ugly Truth!


On the Privacy and Security of Healthcare Records


[By Richard J. Mata, MD, CIS]

There is no privacy …  get over it.

Scott McNealy, Former Sun Microsystems CEO

Storing and transmitting health information in electronic form exposes it to risks that do not exist, or exist to a lesser extent, when the information is maintained on paper.  For example, although both paper-based and electronic systems need protection from fire, water, and wear and tear due to aging, electronic data is also vulnerable to hardware or software malfunctions that can make data inaccessible or corrupt it, and to insecure policies that leave data open to illegal access.  In addition, cyber-crimes and unauthorized intrusions originating both internally and externally are increasing dramatically every year, costing companies millions of dollars.  Nonetheless, electronic medical records (EMRs) are usually considered more secure than paper patient charts because paper records lack an audit trail, papers are easily lost, and their contents can be illegible.

Take the Risks Seriously

Healthcare organizations must take the new risks seriously, however, because health information is a vital business asset, and protecting it preserves the value of this asset.  In addition, securing patients’ information protects their privacy and enhances the organization’s reputation for professionalism, patient well-being, and trustworthiness.  Hospitals, emerging healthcare organizations (EHOs), physicians, and healthcare entities long ago recognized the value of health information, and implemented security policies and procedures, but as they move more into the electronic arena, it is vital to revise and update policies and procedures to acknowledge the different risks inherent in the digital age.

Three Components of Security

The three classic components of information security are confidentiality, integrity, and availability.  Donn B. Parker, a pioneer in the field of computer information protection,[1] added possession, authenticity, and utility to the original three.  These six attributes of information that need to be protected by information security measures can be defined as follows:  

  • Confidentiality: The protection and ethics of guarding personal information — for example, being cognizant of verbal communication leaks beyond conversation with associated healthcare colleagues.
  • Possession: The ownership or control of information, as distinct from confidentiality — a database of protected health information (PHI) belongs to the patients.
  • Data integrity: The preservation of data as an authorized user originally defined it — achieved by preventing accidental or deliberate but unauthorized insertion, modification or destruction of data in a database.  Make frequent backups of data so that versions can be compared for changes.
  • Authenticity: The correct attribution of origin — such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named.  Authenticity may require encryption.
  • Availability: The accessibility of a system resource in a timely manner — for example, the measurement of a system’s uptime.  Is the intranet available?
  • Utility: Usefulness; fitness for a particular use — for example, if data are encrypted and the decryption key is unavailable, the breach of security is in the lack of utility of the data (they are still confidential, possessed, integral, authentic and available).

Ethics

When these attributes are considered in the healthcare context, another factor comes into play: ethics.  According to Dr. J. A. Magnuson, professor of public health informatics at Oregon Health & Science University’s Medical Informatics Program, privacy,[2] security, and ethics are inextricably intertwined, and all are critical to public health’s role as a trustee of the public’s data.  As public health becomes increasingly involved in Electronic Data Interchange (EDI),[3] the information aspects of privacy, security, and ethics become ever more critical.  All doctors take an ethical oath to protect the patient, and the obligation to uphold this oath extends to health data management, even for employees who do not take an oath.

The fields of medicine and information technology (IT) each have separate and related ethical considerations.  Ethics may prohibit technology, for example, when using a specific application that would make a security breach likely.  However, ethics may also demand technology.  Suppose that a new surveillance application would improve public health — is it not ethically imperative to utilize it to save countless lives?  But suppose it also almost guarantees a security breach — what does the ethical position on use of the application become then?  That is an extreme example, though not completely unrealistic.


Varied Uses

Complicating the picture is the fact that IT in the healthcare arena has so many and varied uses.  For instance, office-, clinic-, and hospital-based medical enterprise resource planning (ERP) is based on the same back-end functions that a company requires, including manufacturing, logistics, distribution, inventory, shipping, invoicing, and accounting.  ERP software can also aid in the control of many business activities, like sales, delivery, billing, production, inventory management, quality management, and human resources management.  However, other applications particular to the medical setting include the following:

  • The EMR, which has the potential to replace medical charts in the future, is feasible.[4]
  • Healthcare application service providers (ASPs)[5] are available via Internet portals.
  • Custom software production may produce more solution-specific applications.
  • Medical speech recognition systems and implementation are replacing dictation systems.
  • Healthcare local area networks (LANs), wide area networks (WANs), voice-over Internet protocol (IP) networks, Web and ATM file servers are ubiquitous.
  • The use of barcodes to monitor pharmaceuticals is decreasing the chance of medication errors and warns providers of potential adverse reactions.
  • Telemedicine and real-time video conferencing are already a reality.
  • Biometrics will be used more often for data access.
  • Personal digital assistant (PDA) wireless connectivity, which relies on digital or broadband technology including satellites, and radio-wave communications are increasingly common.
  • The use of wireless technology in medical devices will be increasing.

No Healthcare Standardization

All of these applications offer advantages, but the security of these IT methods and devices is not yet fully standardized or familiar to health professionals, despite the efforts of the CCHIT, the Office of the National Coordinator for Health Information Technology, and others.  They all involve inherent security and privacy risks, and the prudent healthcare organization will want to ensure that these risks are identified and contained.  For instance, a single firewall or intrusion detection system (IDS) may not be enough.

The process must begin by conducting a security risk assessment — that is, doing a thorough assessment of current systems and data, and performing checks such as real-time intrusion testing, validation of data audit trails, firewall testing, and remediation when gaps or failed systems are exposed.  These activities are part of developing a healthcare security plan, including disaster recovery.
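The "validation of data audit trails" check named above, and the data-integrity attribute defined earlier (detecting unauthorized modification or destruction of records), can both be made concrete with a tamper-evident audit log. The following is an added example, not code from the original post or from any product it mentions; it assumes a constructed EMR access log and a demo key (in practice the key lives in a secrets manager or HSM). Each audit entry carries a keyed digest over its own content and the previous entry's digest, so an edited entry, a deleted entry, or a truncated log breaks the chain and the validator reports where.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key for this example only; a real deployment keeps it out of source.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # digest used as the "previous link" for the first entry


def _entry_digest(prev_digest: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous link plus this entry's canonical JSON."""
    payload = prev_digest.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], entry: Dict) -> Dict:
    """Append an audit event, linking it to the current head of the chain."""
    prev = chain[-1]["digest"] if chain else GENESIS
    record = {"entry": entry, "digest": _entry_digest(prev, entry)}
    chain.append(record)
    return record


def validate_chain(chain: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain and recompute every link.

    Returns (True, -1) when intact, otherwise (False, index_of_first_bad_link).
    If expected_head (a digest recorded off-system, e.g. in a daily attestation)
    is supplied, a log that has been truncated at the tail is also reported,
    with the index equal to the current chain length.
    """
    prev = GENESIS
    for i, record in enumerate(chain):
        if not hmac.compare_digest(record["digest"], _entry_digest(prev, record["entry"])):
            return False, i
        prev = record["digest"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, -1


def build_sample_trail() -> List[Dict]:
    """Constructed EMR access events (not real patient data)."""
    chain: List[Dict] = []
    events = [
        {"ts": "2009-03-13T08:01:00", "user": "nurse01", "action": "view", "mrn": "MRN-0001"},
        {"ts": "2009-03-13T08:05:30", "user": "dr_smith", "action": "update", "mrn": "MRN-0001"},
        {"ts": "2009-03-13T08:09:12", "user": "clerk07", "action": "print", "mrn": "MRN-0002"},
    ]
    for event in events:
        append_entry(chain, event)
    return chain


def tampered_trail() -> List[Dict]:
    """Someone rewrites who performed the second action; digest no longer matches."""
    chain = build_sample_trail()
    chain[1]["entry"]["user"] = "nurse02"
    return chain


def deleted_entry_trail() -> List[Dict]:
    """The second entry is removed; the third entry's link now points at the wrong predecessor."""
    chain = build_sample_trail()
    del chain[1]
    return chain


def truncated_trail() -> Tuple[List[Dict], str]:
    """The last entry is dropped; only an externally recorded head digest reveals this."""
    chain = build_sample_trail()
    head = chain[-1]["digest"]
    chain.pop()
    return chain, head


if __name__ == "__main__":
    print("intact:   ", validate_chain(build_sample_trail()))
    print("edited:   ", validate_chain(tampered_trail()))
    print("deleted:  ", validate_chain(deleted_entry_trail()))
    chain, head = truncated_trail()
    print("truncated:", validate_chain(chain, expected_head=head))
```

The truncation case is the caveat worth remembering during an audit-trail review: a hash chain alone cannot tell that entries were removed from the end, so the current head digest must be periodically written somewhere the log's administrators cannot silently rewrite (a separate system, a printed attestation, a write-once store), and the validator compared against it.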

Privacy Officers

To ensure that the risk assessment is thorough, hospital network administrators and Privacy Officers should have a working knowledge of federal regulations and of the following security mechanisms:

  • vulnerability assessment;
  • security policy development;
  • risk management;
  • firewall assessment;
  • security application assessment;
  • network security assessment;
  • incident response and recovery assessment;
  • authentication and authorization systems;
  • security products;
  • firewall implementation;
  • public key infrastructure (PKI) design;
  • virtual private network (VPN) design and implementation
  • intrusion detection systems;
  • penetration testing;
  • security program implementation;
  • security policy assessment; and
  • security awareness training.

The federal government has recognized the importance of health information security by establishing regulatory guidance with its Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The International Organization for Standardization


IT system managers in healthcare settings are also familiar with the comprehensive security model offered by the International Organization for Standardization (ISO).  For instance, under ISO 17799, the Code of Practice for Information Security Management (versions 2000, 2005, or 2010), information security is achieved by implementing a suitable set of controls governing policies, processes, procedures, organizational structures, and software and hardware functions.  The Code requires the IT manager to establish, implement, monitor, review, and where necessary improve these controls to ensure that the specific security and business objectives of a healthcare organization are met.

Assessment

The work of the National Institute of Standards and Technology (NIST) in developing innovative technology for the healthcare sector is also of interest to IT system managers.  For instance, research on a computer note-writing system that captures clinical data automatically, and on a data repository system that captures patient data and integrates it with clinical decision support and knowledge bases, are two of the initiatives that have originated with NIST.  In addition, the organization publishes numerous Special Publications that provide guidance on how to establish and maintain IT security.


Conclusion


References:


[1]   Donn B. Parker developed the so-called Parkerian Hexad Principles, which discuss the attributes of information security.

[2]   Privacy generally refers to a ‘people’ context, a state of being free from unauthorized intrusion or invasion.  This concept is as applicable to medical records as it is to your own house.  Confidentiality is viewed more in the context of information, usually dealing with accessing and sharing information or data.

[3]   EDI involves electronic transmission methods, often utilizing networks or the Internet.  The benefits of EDI include speed, data entry savings, and reduction of manual errors; the risks are legion.

[4]   Terms used in the field include electronic medical record (EMR), electronic patient record (EPR), electronic health record (EHR), computer-based patient record (CPR), etc.  These terms can be used interchangeably or generically, but some specific differences have been identified.  For example, an EPR has been defined as encapsulating a record of care provided by a single site, in contrast to an EHR, which provides a longitudinal record of a patient’s care carried out across different institutions and sectors.  However, such differentiations are not consistently observed.

[5]   An application service provider (ASP) is a business that provides computer-based services to customers over a network.


ADSL – DSL Primer for Physicians

Asymmetric Digital Subscriber Line versus Digital Subscriber Loop

By Carol S. Miller; RN, MBA

Asymmetric Digital Subscriber Lines

ADSL is a very fast digital line provided by the telephone company. If available in your area, ADSL provides fast connections, but generally not as fast as cable. There are various choices, beginning around 256 kbps (about five to six times the speed of a fast modem) and going up to 7 Mbps.  Prices begin around $60 per month (including Internet service). There is also a set-up charge, and a card needs to be inserted in your computer.

Digital Subscriber Lines

DSL is a high-speed direct line that can be 20-100 times faster than a modem, depending on the type selected. Prices for DSL begin at approximately $30-$40 per month, and that includes Internet access. In addition, there is a set-up charge, and a network card will need to be installed in the computer. Office workstations can usually share DSL circuits over their existing local area network (LAN).

Internet Connection

To connect with the Internet, as a rule of thumb, the faster the better; therefore, the office should have at least 56 kbps.  DSL normally runs over the same line as a basic telephone voice circuit and provides Internet access at speeds from 384 kbps all the way up to 1.54 Mbps (megabits per second). The advantage of this configuration is that you not only have high-speed access to the Internet, but your telephone is still free to make and receive calls at the same time.

Integrated Services Digital Network   

A digital telephone line that allows voice and data to be transmitted on the same line in a digital format – instead of analog – and at a relatively high speed, usually around 64 to 128 kbps.  When reviewing this service, make sure the ISP has an ISDN connection. If not, you will be charged more by both the telephone company and the ISP. Prices for ISDN average around $300 plus, with an extra fee to install the telephone line and a monthly service charge of $25 to $100 plus to maintain.

Wireless Network (WiFi – 802.11b)

The biggest change to happen to computers in the last ten years has undoubtedly been the Internet. Close on its heels in importance may just be the adoption of wireless network access.  Wireless Fidelity, or Wi-Fi, is now cost effective and available at the computer store.  It is no longer necessary to re-wire buildings with Category 5 wire to provide LAN connectivity and resource sharing to multiple computers. Wi-Fi, or IEEE standard 802.11b, enables small offices to connect up to four computers to a single network for less than the cost of a single computer.  This means the days of multiple analog lines to offer Internet access to every computer, or a printer on every desktop, are going away. Now a single cable modem or DSL line and a centralized printer can service four users. This can save a small business hundreds of dollars a year.


Limited Connectivity

For limited connectivity, computer stores are stocked with wireless vendor products that are cost effective, easy to install, and robust enough to push even the most cautious computer user to take the leap to wireless computing.  Not only does this make the initial cost of installing a network cheaper than it has ever been before, it eliminates the cost of remodeling or moving computers within a building: instead of requiring data wiring at each proposed desktop, all you need now is an electrical outlet to power the PC itself.

Satellite

This is a more modern device. In the past, satellite connections ran at 400 kbps, or fourteen times faster than the average modem.  As an example, a 2 MB file would be downloaded in 30-40 seconds.  Benefits of the satellite connection are: the connection is always on; it is reliable; there is a secure connection; the office can have multiple e-mail addresses; the web space is free; and there is tech support coverage nationwide.  Costs include around $300 for the equipment, $150 plus to install the equipment, and around $30 to $50 per month for service.  Web site reference is satcast.com (DirecWay Satellite Dish).

Conclusion

And so, your thoughts and comments on this Medical Executive-Post are appreciated. Who can update the above post for modernity?

Link: https://healthcarefinancials.wordpress.com/2009/03/13/rip-retail-financial-services-industry/

