Guest interview post from our media partners, iHT2's blog: Christopher Paidhrin, SCO at PeaceHealth Southwest Medical Center in Vancouver, WA, shares some of his thoughts and views on healthcare IT security issues.
Christopher Paidhrin, Security Compliance Officer at PeaceHealth Southwest Medical Center in Vancouver, Wash., took part in the panel discussion “Securing Electronic Personal Health Information (ePHI): From the Data Warehouse to the Point of Care,” at IHT2’s Health IT Summit in San Francisco.
Paidhrin has worked for many years in IT and business operations, in higher education, the private sector and entrepreneurial environments, where he has held numerous director-level positions. Christopher has received recognition, nominations and awards for IT service excellence (Information Security magazine’s 2011 “Security 7” Award, NetworkWorld, ISE, SC Magazine), and has presented at numerous events across the U.S. during the past six years. Christopher is an advocate of IT Service Management (ITSM) best practices and process improvement, such as ITIL and COBIT, learning organizations and knowledge management.
In advance of the HIT Summit, Paidhrin shared some of his thoughts and views on healthcare IT security issues with IHT2 Editor Joseph F. Jalkiewicz.
How did you get into Health IT?
About 12 years ago I was transitioning from the entrepreneurial sector as a consultant for hire and when PeaceHealth Southwest needed a new firewall and its IT security posture reviewed, a 90-day contract turned into an 11-year position, and it’s worked out well for both of us.
Can you share a bit more about your role at PeaceHealth?
I don’t think my role is common in the industry, because I’m responsible for IT security, which includes governance, operations monitoring, auditing—the works—but I also have compliance responsibility. It’s more than just HIPAA/HITECH, but also PCI, the Red Flags Rule, hospital accreditation, and a bit of corporate compliance. I also support many project and strategy design technical teams. In my spare time, I support our continuous improvement initiatives, using COBIT, ITIL, maturity model and organizational learning models to help our division move up the service quality and maturity scale.
As SCO, do you find your time dedicated more toward technical challenges or more toward user interaction?
I would say my time is moving toward the user interface side, both internal and external. I have tools that leverage my eyes and ears across the organization and the layers of services, so the risk and vulnerabilities I see are disproportionately on the human element side. It’s the “not trained,” the neglectful, the unmindful, the inattentive individuals doing things they shouldn’t be doing. And lots of surveys have shown that the human factor is costing organizations billions of dollars. One recent survey showed that $6 billion in costs in 2010 could be attributed to poor training and humans not complying with policies and protocol standards. That’s where I can effect the most business value, reduce the most risk and close up those vulnerabilities.
Do the Meaningful Use criteria play a significant role in your responsibilities?
Meaningful Use is huge, but I wouldn’t say it has a significant role in my responsibilities. The risk assessment aspects are a priority for me. We have a program for assessments and remediation and tracking and ownership. For the most part I support the medical records group and the EMR analysts, who have the vast burden of getting our organization to the various milestones and criteria. I support them, but they do the heavy lifting.
In what area of EMR implementation are you expending the most resources, financially and in man hours?
It’s project oversight and technical compliance. I’m the point of contact for validation and confirmation of those efforts and I support the team that ensures we meet those requirements. But at PeaceHealth as a whole, we have several teams—analytical, clinical informaticists, project, informational strategy. There are many teams working on Meaningful Use. Last year we really ratcheted it up. It’s a strategic goal of the organization, up in the Top 3, and it’s a big deal across PeaceHealth Southwest.
Any unexpected obstacles people should look out for?
The biggest ones are with the EMR vendors. Can they bring their applications up to the MU requirements and how quickly? I know there are 1,500-plus certified applications out there, but there are thousands more that are not ready. Internally, we’ve had to craft a supergovernance team to align our technical-level initiatives, and we have an extra layer of unified communications plan to keep it all straight and clear. We’re having to be careful with that communications plan as well because we’re getting pushback from customers saying, “You’re sending us too much information. We can’t parse it all. We don’t know what we’re doing yet.” They’re going through months and months of training to get ready for these new ways to interface with the application. So organizationally, an obstacle could be training; having enough time to do the day-to-day work and also train for the new major upgrades and changes that are coming over the next couple of years.
With cloud and mobile technologies coming online at breakneck speed, how can security teams keep pace and stay in compliance with HIPAA?
That is a huge issue, both from service delivery and customer satisfaction perspective and a security perspective. The technology for access and the expectations for access far exceed the security controls that most health care providers have in place. Cloud security itself is a Top 3 topic at almost every conference. I’m a strong advocate for controls and having them in place before releasing the services, but the demand for remote patient services and remote access and mobile access and bring-your-own device, the whole mobile explosion is catching many of us off guard. And we have to get the controls in place beforehand because the pain for the provider and the customer afterwards is huge.
It’s almost like you have to predict the issues that arise before they happen.
Organizations are moving from the old paradigm of perimeter networks. We didn’t have tools in place [that we have today] but we had a perimeter. Now that perimeter is breaking down, through HIEs, through bring-your-own-device, through mobile access. At PeaceHealth Southwest more than half of the providers who access our EMR are not employees. They are partners; community clinics. We have so many diverse needs for access, it really changes the dynamic. It’s really exploded and that’s foreign territory to most health care organizations. That is a huge challenge, and we do have to be proactive. So many people are saying, “How do I get out in front of this?”
Do you have any advice for groups trying to prepare for a HIPAA compliance audit?
Every security officer should have an IT security plan, and by that I mean, a governance plan and a programmatic plan. Have a program for security efforts and initiatives, and it then constitutes the governance plan—here’s why we’re going to do it—and the operational plan—here’s how we’re going to do it. It’s then definable in terms that executives understand. We have to have security, we have to have protocols, we have to have ownership and assignments of accountability and responsibilities. Otherwise, too many negative outcomes will occur and we’ll react to them one off with point solutions and individual response solutions.
I’ve had a plan I update every year. My CIO gets to see it, our IT oversight committee gets to see it, our directors in IT get to see it. They know if they can’t reach me, everything and anything I’m doing gets clarified in this large, programmatic scope document. It’s necessary for me, because I can’t be everywhere answering all questions at all times. It’s a measure of maturity to have that in place.
As for your other point, about how to prepare for an audit, just like the Boy Scouts: “Be prepared.” HHS and CMS have provided us with their expectations, and very shortly we’re going to hear back from the first batch of audit sites. We should all be prepared to answer that main list of questions. We need to have, and be prepared to give, an answer to each one of those questions when they’re asked, even if the answer is, “We don’t have a solution for that, but here’s our action plan, and who’s responsible for handling it.” If every security officer can do that, that then will address the core concerns of the auditors. [But] if you say, “I don’t know and I’ll have to get back to you,” you can expect a mandated and monitored remediation plan from PricewaterhouseCoopers. If you can’t answer those basic questions, then you’re really going to get caught in a really awful place.
If you could share one final piece of advice with your fellow leaders in health IT, what would it be?
I’ve been speaking and talking and interviewing for six years now, and it can all be distilled down to one statement: It’s all about waking up. Awareness is the key. Security teams must know the scope of their risks, what their vulnerabilities are, and what their plan is to address them. But the workforce awareness must also be increased if the security controls are going to amount to anything. You can have all the security controls in the world, but if you have someone who’s not paying attention, not following the rules, or has the authority or the ability to do something different, there’s the possibility they will, and the organizational leadership needs to wake up. They need to have the awareness of those risks—what’s involved, what the costs are for not being ready. We all need to be more mindful day to day, and we need to be more aware of our responsibilities, what we’re accountable to, and what our posture is. Are we at 100 percent, or are we at 80 percent, and what are we going to do about the remaining 20 percent?