National Committee on Vital and Health Statistics
Subcommittee on Health Data Needs, Standards and Security
Hearings on Security

August 5-7, 1997
Washington, D.C.

Testimony of
Laura Brown
Senior Manager
Ernst & Young LLP

Thank you for the opportunity to participate in these hearings. It is an exciting day for healthcare information security to reach this level of attention. My name is Laura Brown and I am a Senior Manager with Ernst & Young. In this role, I have the opportunity to work with and advise healthcare organizations on information security issues.

Healthcare information security has been, for the most part, a neglected business requirement over the past few years. The passage of the Health Insurance Portability and Accountability Act with security standards included in the provisions, is a vital step in bringing information security to a baseline level in the healthcare industry and to a minimum level that is present in many other industries. Developing this baseline, however, will be a challenging effort. To achieve this goal, it is critical to understand the evolution of information security in healthcare and the barriers which obstruct greater levels of security in the industry.

As an information security practitioner for the past nine years, including the last five in the healthcare industry, I hope I can provide to you an overview of the evolution of healthcare information security, a discussion of the challenges facing implementation, and recommendations for successful integration of security practices.

As all of you know, healthcare was a very different industry just a few years ago. For the most part, any existing information security requirements were limited to the protection of financial information. A number of things occurred, however, which changed the industry and brought forth a mandate for far stronger information security practices. Those included:

And all the while these changes took place, information security vulnerabilities emerged, increased, and evolved, and insufficient effort was made to understand and mitigate these emerging risks. As a result, and as confirmed by the National Research Council's report, For the Record: Protecting Electronic Health Information, today's healthcare information security practices in the U.S. are extremely poor and organizations are operating at below due care levels.

Addressing the issues is not, however, an easy task. There are wide reaching effects stemming from these industry changes and these effects plague the industry, creating a challenging and difficult environment in which to implement security policies, procedures, standards, and technologies.

A few of the barriers which face healthcare information security include:

A lack of legislation. Currently, there is no federal health privacy legislation. In the absence of such, organizations are unclear as to the "rules" or guidelines around which to define information security practices. State requirements provide only narrow guidance and differ by state.

The result is that organizations are faced with electing whether or not to implement information security practices. Those organizations which do choose to implement security practices must many times rely on ethical tenets of what seems to be "the right thing to do." On the other hand, some organizations have opted to pay the costs of a lack of an information security program. One organization in particular, after paying a settlement of $3.5 million for an information security breach, still elected not to implement a security program. Despite well publicized healthcare information security breaches, organizations still opt to implement little or no information security practices. More often than not, security is relegated to a low priority issue and is not deemed a key performance indicator.

Further effects resulting from this lack of legislation can be seen with respect to healthcare systems and vendors. Healthcare vendors have been unclear as to security requirements. Often, these vendors request security requirements definitions from customers. Customers who desire security options, on the other hand, have demanded that the vendor know the requirements and build those requirements into their systems.

A second issue hindering implementation of security is the lack of policy or precedent from which to borrow.

Generally accepted information security practices in the healthcare industry do not exist and healthcare information security standards have not until recently been in existence. Further, existing standards do not yet define a complete information security infrastructure, but rather address pieces of a program. Standards from other industries, such as the banking industry, cannot necessarily be utilized due to differing business objectives under which the standards were created. The result is that security policies, guidelines, and standards must be, for the most part, defined from scratch.

The execution of this task, however, is hindered by another security issue which is that the discipline of information security itself is not a well understood field within the healthcare industry.

For one thing, the role of the Healthcare Chief Security Officer or Information Security Manager is a unique discipline charged with addressing organizational information protection issues. As such, the position or responsibilities should not be assigned as an additional duty but rather as a key player in the organization.

Further, a realistic concept of an information security infrastructure is unusual in the industry. A week ago, I was told that a particular healthcare organization considered itself to have an information security program because it utilized audit trails. (This was the organization's only security practice.) Audit trails are, of course, one small component in a well structured program.

Finally, the issue of culture should be mentioned. The integration of security measures or technologies in healthcare is often met with resistance due to the level of transparency of the security practice demanded by healthcare practitioners. The technology must be transparent enough such that it in no way encumbers job function.

Further complicating integration is the perception that information security practices and technologies will hinder providers. All agree that accessing information quickly in emergency circumstances is critical. The industry clearly has a delicate balance to maintain so that security measures never obstruct access to information in such an emergency.

It is this highly complex composite of issues facing organizations which often pressures them to elect not to address information security concerns today.

In order to implement information security practices within the industry, I would like to provide the following recommendations to assist in avoiding pitfalls.

First and most obviously, organizations must implement a comprehensive information security program or infrastructure.

While specific practices and measures are mentioned in the NRC report, the practices must be integrated into a larger, comprehensive information security framework. Numerous companies have learned the perils of a piecemeal approach to security. Implementing security practices in a piecemeal fashion will most likely result in money spent with no positive result. The healthcare industry must seize the opportunity to effectively address information security appropriately - at the program level. And that framework must include policies, standards, and guidelines which govern a technical security architecture supported by security principles.*

This framework must also include important disciplines such as Local Area Network and Wide Area Network security. Many organizations focus on remote dial-in and firewall security but neglect standard LAN and WAN security practices. Misconfigured routers and outdated, unpatched operating systems are severe risks facing organizations, especially those connected to the Internet.

Despite the challenges, I do see reasons to be optimistic.

There are organizations today which recognize the criticality of security when utilizing the Internet for health information related transactions. This type of understanding and commitment to implementing secure processes despite a lack of guidance or precedent is a solid step in the right direction.

Secondly, Chief Security Officer and Information Security Management talent from other industries is migrating into healthcare because of the exciting challenges and needs of the industry. These individuals bring highly skilled management and technical backgrounds, and expertise that will bring us to the level at which we need to be. Three years ago, I was able to identify only 4 healthcare information security practitioners. Today I am aware of more than 30 in the industry.

Appropriately addressing information security in the healthcare industry is critical to its acceptance and trust by consumers. The near future state of the healthcare industry has been envisioned and security is an enabler to realizing that vision.

I can assure the committee that we recognize the criticality of the information we protect. If you are willing to give us the support to build the framework we need, there will be no shortage of Information Security practitioners who are willing to stand up to the challenge and bring order to healthcare information security.

The views expressed in these comments are not necessarily the views of Ernst & Young LLP.

* The Gartner Group, a Stamford, Conn.-based information technology advisory firm, categorizes security principles into six areas:

  1. Identification, Authentication and Certification
  2. Authorization
  3. Tracking, Detection, and Monitoring
  4. Management and Measurement
  5. Disaster Preparation and Recovery
  6. Physical Security