At Courion, we strive to provide the most innovative solutions possible to allow our customers to detect and remediate risks across all organizations in any industry. We read, we research, and we do our best to stay on top of every new threat, breach, rule, and regulation. However, to truly understand what is happening in the industry and on the ground every day, we turn to the experts who have lived through these scenarios and can help us better understand what you need as a customer.
Today, we welcome one of these experts to our blog in the first post of a new series we will call “An Interview with the Expert”. This week’s guest is Mr. William “Buddy” Gillespie, a highly accomplished and driven senior healthcare IT executive. Mr. Gillespie is a leader with extensive experience and achievements in Healthcare Information Technology (HIT), including strategic positioning, budgeting, staff recruitment, customer service and support, implementation and consulting, customer relationship management, privacy and security sales and marketing, and collaborative relationships with multiple HIT vendors and business associates.
He has expertise in health information technology and in HIPAA privacy and security (HCISPP certified). His most recent work in analytics and Health Information Exchange (HIE) has included extensive work with Electronic Medical Records (EMR), state-wide HIEs, and marketing of disaster recovery and cloud hosting solutions.
A certified Healthcare Information Security and Privacy Practitioner (HCISPP), Mr. Gillespie served as the VP, CIO, and CTO at WellSpan Health, an integrated delivery system based in York, Pennsylvania and serving more than 70,000 people in south central PA. As the CTO, Mr. Gillespie was responsible for the strategic and tactical efforts surrounding the business and clinical systems at WellSpan. Now “retired”, he works as a consultant, presenter, and active member of several prestigious organizations.
Here is what Mr. Gillespie had to say:
Courion Corporation: What are the biggest challenges you have seen in the last 6 years?
Buddy Gillespie: The last 6 years have been a fast train for Health Information Technology and have resulted in a huge magnitude of change in the delivery of healthcare. The major force vector behind the high rate of change has been the HITECH Act. There is no doubt that this Act was the major catalyst to get hospitals to invest in the EMR and other related technologies. The number one change has been in the way patient care is delivered. Physicians, for the most part, no longer fight technology but embrace it. The question on the table is: will the changes sustain, or will they fall back? We can only hope that Meaningful Use is “too big to fail”.
CC: What are the strongest emerging drivers and trends in healthcare?
BG: I would say the sustainability of HITECH, Electronic Health Records, Meaningful Use, and the Triple Aim.
In 2009, the HITECH Act was signed into law, which established the goal of implementing the Electronic Health Record across all healthcare providers and thereby established a road to having every caregiver utilize the EHR in a manner which constitutes a “meaningful use” of the patient data. Rules were established to define Meaningful Use, and if the provider achieved the goal, incentive payments would be paid to the providers. The Act was set up in three phases, and each phase has its own criteria/rules to define the objectives for achievement. Ninety percent of providers have achieved the first two phases and over $20 billion has been paid out in incentives. The criteria for the final phase have been released and providers are gearing up. The ultimate goal of the HITECH Act and Meaningful Use is to meet the three pillars of the Triple Aim: reduce the cost of healthcare, increase quality and improve the patient experience. The question now becomes how successful the first two phases have been in meeting the goals of the HITECH Act and the Triple Aim. Surveys in that regard have resulted in mixed reactions. While the overall feeling is positive, some have responded that the Act has created an additional burden on an already excessive patient load for physicians. There is no doubt that the Act has resulted in the expansion of the EHR to a level never before seen in healthcare. Today over 50 percent of physician practices and over 60 percent of hospitals have implemented a robust EHR. Phase Three will be the ultimate test of the success factors for the HITECH Act. That phase will build on the first two phases and take into account the pros and cons of the first two phases.
In my opinion the real critical success factor will be sustainability. Once the dollar incentives are gone and the “aw gee” reaction has passed, will the current level of Meaningful Use survive? I think not, unless health systems and providers continue to monitor, nurture and invest in the resources and technology to sustain Meaningful Use.
CC: We’ve all heard about the new Phase 2 of the OCR HIPAA Audit Program. What do you think will be the biggest impact, and how can companies prepare?
BG: The Office for Civil Rights (OCR) has announced that they are ready to start the second phase of the HIPAA/HITECH audit program. The scope of Phase 2 will be to audit 200-plus covered entities. The audit criteria will be benchmarked to compliance with the HIPAA Privacy and Security Rules plus the requirements for Breach Notification. The covered entity audits will be followed by audits of the Business Associates, including EMR vendors, Cloud Service Providers, and other BAs in the HIPAA Chain of Trust continuum.
Although OCR has indicated that the first round of audits will be a review of policies and processes, additional on-site audits will be more comprehensive in nature and focus on a deep-dive of internal technology and other types of mitigating solutions in place to support risk prevention.
So what is a good rule of thumb for preparing for the OCR audit? First of all, assume that you will be part of the 200-plus and prepare a plan sooner rather than later.
The plan should be kept simple and kept to a few basic components:
- Review OCR’s audit protocol and be well versed on the HIPAA and HITECH regulations
- Review your documentation and ensure you have the most recent HIPAA guidelines, policies, and procedures in place and that the organization is well-educated relative to those documents
- Have a clear understanding of what OCR’s expectations and process are relative to providing your documentation to the auditors.
- Orchestrate a “mock” audit with all internal parties and simulate a real audit.
- Lastly, establish a communication chain within your organization to communicate events, timelines, tasks, status, etc.
For more on our conversation with Mr. Gillespie, join us next month for Part 2 of our interview or register today for our webinar.
Did you see the news this week? Another data breach and another group of patients’ healthcare records are out in the open and being manipulated by hackers. It seems as if these stories happen so often now that we hardly even stop to think what they really mean. Do you know the real cost of a data breach to your organization?
With the rising use of mobile devices, EHR solutions, BYOD policies, and the amount of shared and saved data comes a rising risk to HIPAA compliance. While this can seem like an insurmountable task, you don't have to try to tackle everything at once! We've broken the process down into 3 easy, repeatable steps to make your organization HIPAA compliant.
1. Perform a Risk Analysis
How do you secure your devices? What are the processes for PHI handoff? What are your password rules? To perform a risk analysis, you not only need the answers to these questions, you need to know your data flow. Knowing where PHI enters, resides in, and exits your environment will help you to know where your vulnerabilities are. Make sure that you look at all of your devices, servers, and applications so that you understand how each of them works and, more importantly, where they do not.
There are plenty of options for finding vulnerabilities, from vulnerability scans to penetration tests. Here at Courion, we have our very own Quick Scan process to help find your weaknesses and create plans to help fix them.
Once you see all of your vulnerabilities, analyze the HIPAA risk level and potential impact to your organization by asking:
Then assign each vulnerability a high, medium, or low risk value based on your findings so that you have an understanding of which risks to tackle first.
2. Create a Risk Management Plan
Your risk plan can be as simple or as detailed as you want to make it. However, remember that being able to show auditors extensive documentation of your intent to mitigate risk will go a long way in your quest for compliance.
An easy way to do this is to answer the following four questions:
Remember you need to have a plan in place for the risks to the system and for each of your employee types that use the system.
Employees: Focus on training and education around security practices and HIPAA compliance. Put blockers in place to help stop breaches before they start. Teach the importance of HIPAA-compliant passwords.
Business Administration: Anyone who touches your data should follow your rules. Whether this is a medical device repairman or a contractor, they should be held accountable for their involvement in your data.
IT Department: IT doesn't always mean security. Make sure that your IT team keeps your software and applications updated so that you have the most up-to-date security fixes and features.
3. Implement Your Plan
Once you see all of your vulnerabilities laid out with their management plans, you will quickly see which of these are top priorities. Make a plan to take care of the biggest risks first and then start over. Keep identifying the top risks in your organization and working on implementing security fixes.
What's next? Rinse and repeat. While this is only a three-step system, it will still take you time to dig through your systems, solutions, and data to find where your greatest risks lie, and even more time to find and implement the security fix. However, with an IAM solution you could automate much of this process. An IAM solution will continuously monitor your systems and alert you to changes in access that may lead to a breach.
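As an added illustration of the three steps above (this is example code written for this page, not Courion's Quick Scan or any product code), here is a small risk register in Python. Each finding is tied to the point in the PHI data flow where it sits (enter, reside or exit), scored on assumed 1-to-3 likelihood and impact scales, banded high/medium/low, ranked for step 3, and checked for a missing mitigation or owner before the plan is considered complete. The findings, scales, bands and tie-break rule are all constructed assumptions.

```python
"""Qualitative HIPAA risk register for the three-step process above.
Added example, not Courion code; findings, scales and bands are assumptions."""
from dataclasses import dataclass

# Score = likelihood x impact on assumed 1-3 scales; banded by threshold.
RATING_BANDS = ((6, "high"), (3, "medium"), (0, "low"))
# Ties favour PHI leaving the environment, which is hardest to recover (assumed).
STAGE_ORDER = {"exit": 0, "reside": 1, "enter": 2}


@dataclass
class Finding:
    ident: str
    description: str
    flow_stage: str        # where the PHI is: "enter", "reside" or "exit"
    likelihood: int        # 1 = unlikely ... 3 = likely
    impact: int            # 1 = minor ... 3 = reportable PHI exposure
    mitigation: str = ""   # step 2: what will be done
    owner: str = ""        # step 2: who will do it

    def __post_init__(self):
        if self.flow_stage not in STAGE_ORDER:
            raise ValueError(f"{self.ident}: unknown flow stage {self.flow_stage!r}")
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError(f"{self.ident}: likelihood and impact must be 1-3")

    def score(self) -> int:
        return self.likelihood * self.impact

    def rating(self) -> str:
        for bound, label in RATING_BANDS:
            if self.score() >= bound:
                return label
        return "low"


def prioritize(findings):
    """Step 3: highest score first, then by data-flow stage, then by id."""
    return sorted(findings,
                  key=lambda f: (-f.score(), STAGE_ORDER[f.flow_stage], f.ident))


def plan_gaps(findings):
    """Step 2 check: every medium or high finding needs a mitigation and an owner."""
    return sorted(f.ident for f in findings
                  if f.rating() != "low" and not (f.mitigation and f.owner))


# Constructed sample findings (not real assessment data).
SAMPLE = [
    Finding("R1", "Shared nurse-station EHR login", "reside", 3, 3,
            mitigation="individual accounts behind SSO", owner="IAM team"),
    Finding("R2", "Unencrypted laptops carrying PHI exports", "exit", 2, 3,
            mitigation="full-disk encryption and remote wipe"),   # no owner yet
    Finding("R3", "Intake forms left on the shared fax printer", "enter", 2, 2),
    Finding("R4", "Vendor remote-support account never reviewed", "reside", 2, 3,
            mitigation="quarterly access review", owner="Security"),
    Finding("R5", "Password policy allows six-character passwords", "reside", 1, 2,
            mitigation="raise minimum length", owner="IT"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.ident} {f.rating():6} score={f.score()} stage={f.flow_stage} {f.description}")
    print("plan gaps:", plan_gaps(SAMPLE))
```

Running it lists R1 first, then the two score-6 findings with the PHI exit point (R2) ahead of the reside point (R4), and reports R2 and R3 as plan gaps: both are above "low" but lack an accountable owner or any mitigation at all.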
In the past few weeks, the U.S. Government has repeatedly been in the news for its recent hack—allegedly by the Chinese—which leaked over four million personnel records. However, this wasn't the only group infiltrated by Chinese hackers in the past few months; according to the popular blog Mashable, over four million medical records were also stolen. This hack exemplifies a growing concern and a new set of challenges for healthcare organizations surrounding the use of digital records. Now that healthcare records are digitized and shared over networks and multiple devices, these records have become very valuable to criminals, while hospitals, clinics and other organizations are still trying to find the best way to protect them.
While the issues surrounding digital records and possible breaches are the most often reported, they are not the only challenge unique to healthcare organizations. Aside from keeping your records safe, organizations must concern themselves with personnel issues such as the need for multiple people to have access to records. Not only do doctors and nurses need access to patient records, but now the billing department, insurance companies and regulatory committees do as well. Some of these positions can easily be credentialed with role-based access; others are temporary employees or work across different functional areas and need access to different things at different times. It is hard for the organization to maintain proper access control and security with so many unique needs.
On top of the multiple user access requests are the multiple devices that the information needs to be available on. No longer are records and information kept behind the nurses’ station in folders or on desktops; now healthcare professionals are using multiple laptops, tablets, phones, and other mobile devices in their practices. Provisioning all of these devices for a new employee can take days—if not weeks—to get up and running. There is also the need to remotely wipe all information from a device if it is lost or stolen. According to the most recent Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 were due to device theft or loss. It is extremely difficult to roll out a process that covers all of these needs on so many different devices.
One last issue highlighted in the news recently is the vulnerability of specialized medical equipment to hacking. In another Mashable article, it is reported that drug pumps may be hackable in fatal ways, because an attacker could increase or decrease the dosage of drugs. One of the reasons these devices are so hard to secure is that they run as a closed loop and can't easily be scanned for malware. The IT department cannot add software to them because the devices are FDA-regulated, so the hospital has a hard time monitoring them. So how is the security team supposed to monitor devices to which they do not have full access and transparency? For that matter, how is one team going to maintain visibility into all of the moving pieces of infrastructure and personnel in their organization?
The best way to mitigate these risks is to implement an Identity and Access Management (IAM) solution. These solutions are known to improve accuracy through their automated provisioning policies and are also instrumental in providing transparency into all access and credentials in an organization. An IAM program helps with personnel risk by giving role-based access and visibility into all roles and credentials of any individual. It will also automatically grant credentials to any new employee across all devices and will take away that access once he or she is terminated. This provisioning or de-provisioning can be done by any verified owner/administrator both on a desktop and on any mobile device, making the speed and scalability of the project fit to any organization's needs.
The risks for healthcare organizations will continue to grow as both the Internet of Things and the sophistication of hackers mature in the next few years. IAM solutions are driven by real-time data that allow you to make the most informed decisions possible. Imagine having information on what accounts were most at risk so that you could monitor the risk of data breaches; what if you could automatically wipe sensitive data from a laptop when your doctor forgot it on the plane? IAM solutions can allow you to mitigate these risks and give you visibility into your systems. While the risks and attacks will never stop coming for your organization, with IAM, you will have the ability to recognize these attacks sooner and fight back.
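To make the role-based provisioning and deprovisioning described above concrete, here is an added example in Python of the reconciliation step at the heart of such a program. It is illustrative code written for this page, not Courion product code. HR attributes (department, title, status, and an end date for temporary staff such as traveler nurses) determine the access a person should hold; the engine diffs that against what each account actually holds on the target systems and emits grants and revokes. Terminated staff, temporary staff past their end date, and accounts with no HR record at all lose everything. The role tables, entitlement names, HR records and current-state snapshot are constructed assumptions.

```python
"""Role-based provisioning reconciler: HR attributes determine the access a
person should hold; the engine diffs that against what they actually hold
and emits grants and revokes. Added example, not Courion product code;
roles, entitlements and records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Birthright roles by (department, title) and the entitlements each role
# carries; both tables are assumed for illustration.
ROLE_RULES = {
    ("Nursing", "RN"):          {"ehr_clinician"},
    ("Nursing", "Traveler RN"): {"ehr_clinician"},
    ("Billing", "Clerk"):       {"ehr_billing", "claims_portal"},
    ("IT", "Sysadmin"):         {"ehr_admin", "vpn"},
}
ROLE_ENTITLEMENTS = {
    "ehr_clinician": {"ehr:chart_read", "ehr:chart_write", "mdm:enroll"},
    "ehr_billing":   {"ehr:billing_read", "claims:submit"},
    "claims_portal": {"claims:login"},
    "ehr_admin":     {"ehr:chart_read", "ehr:user_admin"},
    "vpn":           {"vpn:login"},
}


@dataclass(frozen=True)
class Worker:
    user: str
    department: str
    title: str
    status: str                      # "active" or "terminated" (from HR)
    end_date: Optional[date] = None  # last day of a temporary assignment


def desired_access(w: Worker, today: date) -> set:
    """Entitlements the person should hold today. Terminated staff and
    temporary staff past their end date get nothing, so access is
    time-bounded without anyone having to remember to revoke it."""
    if w.status != "active" or (w.end_date is not None and w.end_date < today):
        return set()
    wanted = set()
    for role in ROLE_RULES.get((w.department, w.title), ()):
        wanted |= ROLE_ENTITLEMENTS[role]
    return wanted


def reconcile(workers, current, today):
    """current maps user -> entitlements actually held on the target systems.
    Returns sorted (user, action, entitlement) triples. An account with no HR
    record is treated as terminated and loses everything."""
    hr = {w.user: w for w in workers}
    actions = []
    for user in set(hr) | set(current):
        want = desired_access(hr[user], today) if user in hr else set()
        have = set(current.get(user, ()))
        actions += [(user, "grant", e) for e in want - have]
        actions += [(user, "revoke", e) for e in have - want]
    return sorted(actions)


# Constructed HR feed and current-state snapshot (not real data).
TODAY = date(2015, 7, 1)
SAMPLE_WORKERS = [
    Worker("alice", "Nursing", "RN", "active"),
    Worker("bob", "Billing", "Clerk", "active"),
    Worker("carol", "Nursing", "Traveler RN", "active", end_date=date(2015, 6, 15)),
    Worker("dave", "IT", "Sysadmin", "terminated"),
]
SAMPLE_CURRENT = {
    "alice": {"ehr:chart_read", "ehr:chart_write"},                                  # missing mdm:enroll
    "bob": {"ehr:billing_read", "claims:submit", "claims:login", "ehr:chart_read"},  # unnecessary chart access
    "carol": {"ehr:chart_read", "ehr:chart_write", "mdm:enroll"},                    # assignment ended
    "dave": {"ehr:chart_read", "ehr:user_admin", "vpn:login"},                       # terminated
    "svc_backup": {"ehr:chart_read"},                                                # no HR record
}

if __name__ == "__main__":
    for user, action, ent in reconcile(SAMPLE_WORKERS, SAMPLE_CURRENT, TODAY):
        print(f"{action:6} {ent:18} {user}")
```

On the sample data the only grant is alice's missing mobile-device enrollment; everything else is a revoke: bob's chart access that his billing role does not justify, carol's clinical access now that her assignment ended, all of dave's access after termination, and the unowned svc_backup account. A real deployment would feed these actions to system connectors and keep the HR feed as the single source of truth, so the same diff can run continuously rather than once at onboarding.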
At last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which says there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and who are seeking to maximize their IAM investment.
The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.
In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.
I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings from that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.
For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:
Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion will present, Keep a Constant Vigil: Risk-Aware IAM on Monday December 15th at 11:00 a.m. Eastern.
This webinar will help an IAM professional at any level. I hope you can tune in!
Courion, the leading provider of IAM solutions for healthcare organizations, designed its connector framework to interface with a wide variety of IT systems, including popular healthcare applications from vendors such as Epic.
Healthcare institutions continue to move rapidly to adopt a range of technology solutions for improving patient outcomes and reducing costs by automating clinical information and processes.
In order to effectively address the security concerns posed by these applications, healthcare organizations turn to identity and access management solutions to ensure that users, such as physicians or billing clerks, are provided timely and efficient access to information and that their access rights are consistent with their roles and enterprise security policy. These IAM solutions require the use of connectors to various healthcare-specific and general use applications in order to create, manage and terminate user access rights in accordance with policies and regulations.
Courion recently published a technology brief for healthcare organizations interested in implementing and managing user identity profiles for Epic and other systems throughout their organization.
CONVERGE is about bringing customers together to learn and grow from their experiences with IAM. That’s why the highlight of day two was our customer case study presented by Mark Teehan of Harvard Pilgrim Health Care. Mark and his team have been using Courion solutions for nine years and have an award-winning IAM program. With password reset, automated provisioning, access re-certification and all the components of a world class access management system, you would think Mark and Harvard Pilgrim CISO Ken Patterson would be resting on their laurels.
Well they are not. These two are not satisfied with simply having the best IAM program around. Instead, they are concerned with solving the real problem of IAM – protecting critical data. In their world, that data is pretty sensitive – it’s patient data. But it could just as well be payment card numbers, intellectual property, trade secrets - you name it.
As we learned yesterday, maintaining compliance with applicable regulations does not make your data secure. Mark discussed how he is evolving his IAM program from a reactive to a proactive stance, reducing his threat surface by scanning for and removing unused or inappropriate access that re-certification reviews simply cannot spot. Further, with Access Insight, he is monitoring his environment for new instances of risky access and resolving risk in near real time.
If you are not lucky enough to be here with us in New Orleans, you can watch Mark and Ken talk about what they are doing with Courion’s Access Insight solution here.
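The access problems Harvard Pilgrim described at the Gartner summit and again here (orphaned and abandoned accounts, unmanaged system and non-human accounts, privileged capabilities held by people whose role does not need them, and unused access that a periodic re-certification will not catch) are all detectable from an account inventory joined to the HR roster. The following is an added Python example of such a detective scan, written for this page; it is not Access Insight or any other Courion code, and the inventory, roster, privilege policy and 90-day dormancy threshold are constructed assumptions.

```python
"""Detective access-risk scan over an account inventory joined to HR.
Added example, not Access Insight or other Courion code; the inventory,
roster, policy and threshold are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)          # assumed dormancy threshold
# Privileges that only these job titles may hold (assumed policy).
PRIVILEGE_POLICY = {
    "ehr:user_admin": {"Sysadmin", "EHR Analyst"},
    "db:dba":         {"DBA"},
}


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    kind: str                        # "user" or "service"
    owner: Optional[str]             # HR id of the holder, or of the service owner
    last_login: Optional[date]
    privileges: frozenset = frozenset()


def scan(accounts, roster, today):
    """roster maps HR id -> (title, status). Returns sorted
    (account, system, finding) triples; one account may yield several."""
    findings = []
    for a in accounts:
        person = roster.get(a.owner) if a.owner else None
        title, status = person if person else (None, None)
        if a.kind == "service":
            # Non-human accounts must have a named, current owner.
            if status != "active":
                findings.append((a.name, a.system, "service account without an active owner"))
        elif person is None:
            findings.append((a.name, a.system, "orphaned: no HR record"))
        elif status != "active":
            findings.append((a.name, a.system, "abandoned: holder not active in HR"))
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.name, a.system, "dormant: no login within threshold"))
        for priv in sorted(a.privileges):
            allowed = PRIVILEGE_POLICY.get(priv)
            if allowed is not None and title not in allowed:
                findings.append((a.name, a.system, f"privileged {priv} outside permitted roles"))
    return sorted(findings)


# Constructed roster and inventory (not real data).
TODAY = date(2015, 7, 1)
ROSTER = {
    "E100": ("RN", "active"),
    "E200": ("Sysadmin", "active"),
    "E300": ("Clerk", "terminated"),
    "E400": ("Clerk", "active"),
}
INVENTORY = [
    Account("jdoe", "ehr", "user", "E100", date(2015, 6, 28)),
    Account("msmith", "ehr", "user", "E200", date(2015, 6, 30), frozenset({"ehr:user_admin"})),
    Account("rjones", "ehr", "user", "E300", date(2015, 2, 1)),
    Account("ghost", "ehr", "user", "E999", date(2015, 6, 20), frozenset({"ehr:user_admin"})),
    Account("svc_interface", "ehr", "service", None, date(2015, 6, 30)),
    Account("svc_backup", "db", "service", "E300", date(2014, 12, 1), frozenset({"db:dba"})),
    Account("tlee", "claims", "user", "E400", date(2015, 3, 15)),
]

if __name__ == "__main__":
    for name, system, finding in scan(INVENTORY, ROSTER, TODAY):
        print(f"{system:7} {name:14} {finding}")
```

Only jdoe and msmith come out clean: msmith holds an admin privilege, but as a Sysadmin that is within policy. The scan flags rjones (terminated but still enabled, and dormant), ghost (no HR record yet holding admin rights), an unowned interface account, a backup service account whose owner has left and which still carries DBA rights, and tlee, whose account has sat unused for over 90 days. Each finding type maps to a remediation the reconciler or a human owner can act on, which is the point of running this continuously rather than waiting for the next certification campaign.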
Of course, day two was not just about Harvard Pilgrim – we did have an amazing keynote from Jon Oltsik of the Enterprise Strategy Group (ESG). Jon expanded on the “coming together” theme, outlining why IAM and cybersecurity can and should converge. Jon’s take on this topic is right in line with Courion’s. As he sees it, trends like cloud, mobile, BYOD, and virtualization are making IT Security’s job harder by the day. Meanwhile, there are not enough skilled IT security professionals to review all the alerts produced by the security tools put in place to “help” understaffed teams combat threats.
Jon recommended organizations enable point solutions to “come together” in a centralized way, focusing on the key areas of identity and data. This approach will enable cybersecurity teams to filter out the noise and address incidents that truly represent risk for their organizations. To succeed, these solutions will need to offer continuous monitoring, anomaly detection, and provide real analytics around identity. Perhaps not coincidentally, these are the same kinds of capabilities Access Insight is delivering to customers like Harvard Pilgrim.
Jon Oltsik and Mark Teehan would have made for a complete day two, but we didn’t stop there. Ping Identity’s Mark Diodati shared some great information on “modern identity”, including the requirement for adaptive authentication to help make users more secure without offending them. Mark also pointed us to www.markdiodati.com so we could all pick up his latest hit CD.
After lunch and the always interesting “birds of a feather” networking sessions, we had breakout sessions on hardening your deployment, user adoption, adding intelligence to IAM, and many other topics. Tonight, we will come together at a gala event on Bourbon Street, complete with a Mardi Gras style parade. Of course, I snuck off to the rooftop pool to write a blog post – tough job.
Who in their right mind opens a hospital? Providing quality healthcare is too hard. As my brother once told me when he was in medical school: “there is a reason they call it ‘practicing’ medicine.” Recently, I was asked to consider why Courion has had such success helping healthcare providers. During my investigation, I stumbled on one reason (among many) why the business of medicine is so difficult.
Healthcare providers have one mission: providing quality care to patients. Logically, anything that disrupts the ability to deliver quality care must be rejected, correct? Not so fast. Providing quality care is not cheap, but healthcare payers demand lower cost services. Therefore, quality care should be delivered efficiently.
Easy enough: with focus and discipline, healthcare providers should be able to provide quality care efficiently. Hold your horses though, because patients also demand privacy. Increasingly (with HIPAA, HITECH and other regimes) governments are regulating in favor of securing protected health information (PHI). So now hospital systems must juggle quality, price and privacy. And as the old joke goes: pick two.
Now let me take you back to 1996 when a young Chris Zannetos and Brian Milas (Courion founders) were consulting in the banking industry and saw a similar situation: corporate help desks constantly made a trade-off between quality of service, efficiency, and security. Back then, and often still today, help desks got bogged down with password resets and managing users’ access. So much so that they just could not keep up with their workload without taking on more staff.
Chris and Brian began thinking about the curve that security and efficiency occupy, and how to move the curve out rather than just moving along it. In their thinking, organizations like banks and hospitals cannot operate like bars and restaurants. To thrive they need secure, efficient operations and extremely high quality of service.
As I imagine it, these two young visionaries ran out of beer money while pondering these questions. Like many in this situation, they went outside to reload their cash at an ATM. Then something hit them.
OK, the ATM didn’t actually hit them but this idea did: The ATM offers superior service, at a lower cost and is FAR more secure than a human teller. Heady stuff yes, but what does this have to do with healthcare? In other words, what does Courion provide a hospital system that is analogous to the ATM for banking?
I’m glad you asked. Providing & auditing access to the systems and resources doctors and nurses need to use in order to care for patients hits on all three concerns (quality care, secure PHI and efficient operations). Traditionally, hospitals that invest in technology to improve patient care, using electronic medical record systems (EMR) for example, must then maintain a large staff to manually create, change, terminate and review access. This creates a number of problems:
It slows down caregivers: Doctors and nurses often wait days or weeks just to get into the system they need to care for patients.
It costs too much: Expensive IT resources should invest their time developing tools to improve patient outcomes, not resetting passwords, creating accounts or pulling lists of who has access to what into spreadsheets.
It puts patient data at risk: Account sharing proliferates, tracking who is looking at what becomes impossible, and access audits are rubber-stamped.
Courion turns this whole process into an automated self-service experience, just like the ATM. Importantly, and like the ATM, there is no need to rip out the underlying systems. Courion’s solution simply overlays on top of the existing infrastructure as the IT access ‘automated teller’. By bringing the “ATM” to healthcare IT access — with self-service access request, approval, fulfillment and password reset — Chris, Brian and the Courion team have enabled hospitals to “pick three”; instead of making trade-offs between security, efficiency and quality healthcare.
Do organizations in your industry make similar trade-offs? Tell us about them in the comments.
One of the things I like most about working for a specialized identity management firm like Courion is the direct line communication and relationships we establish with our customers. Any time we partner with a new client, it's always interesting for me to hear how they justified their purchase of Courion's solutions. I recently spoke with the CISO of a large healthcare organization that just signed on with Courion last month. When I asked him "How did you sell this to your CEO and CFO?" what he told me was very interesting.
"It's not about the ROI. Yes, there is a tremendous amount of cost savings that we will achieve both in man hours saved from automation and with improved user productivity, but we didn't sell this based on cost savings.” After further discussion, he told me that unless he was willing to commit to reducing headcount, his CFO would throw his ROI analysis out the window. So I asked him, "How did you sell this?" He said, "After several years of failed budget requests by submitting a nebulous line item for Identity Management, we knew we needed to put together a solid business case." He said his business case covered 3 key points:
- Risk Reduction - "We were terrible at turning off access for terminated employees and could not easily demonstrate to our auditors what our people have access to. IAM will eliminate our exposure of terminated employees accessing patient data, while giving us the visibility we need to validate that our people have the right access."
- Speed & Efficiency - "We pride ourselves at being one of the nation's leading healthcare institutions. IT should be an enabler for patient care, not an inhibitor. The fact that it took us several DAYS to fully on-board new users with all their access was downright unacceptable. IAM will give our users what they need, when they need it. And most importantly it will be fast, accurate, and easily auditable."
- An enabler for our Epic EMR Implementation - "The deployment of Epic has been one of the largest projects our organization has undertaken in my career and provisioning caregivers with Epic access is an absolute nightmare. We were faced with the decision of hiring more employees to manually set up Epic accounts or look to automate the Epic provisioning process. Automation was obviously the logical choice."
What I've seen is that when organizations like this take the time to build a solid business case and educate their management team, they significantly improve their odds of getting funding. Those who simply put a line item request in their budget seem to have annual discussions with our sales team year after year : )
So I ask our blog followers: How did you sell Identity Management at your organization? What do you think are the most compelling points to get across when building a business case?