Integrating privacy, security for better compliance

Moving the healthcare privacy and security function from the IT department to the compliance team may be a good move for healthcare organizations, according to Phil Curran, chief information security and privacy officer for Cooper University Health Care in Camden, N.J. Curran spoke during a Dec. 17 webinar on integrating privacy and security presented by the Institute for Health Technology Transformation.

The two functions work together by first considering access, he said. The organization’s access policy calls for the minimum necessary for a person to perform his or her job. Then the security controls come into place. They include how the IT department adds, modifies and deletes users and how that is monitored. “On a monthly basis, we get a report from our mission critical applications of users and their last logon date.” Anyone who has never logged on or hasn’t within the past 90 days has their account disabled. “Our feeling is that if they haven’t used the system in the past 90 days, they don’t really need access. We got minimum pushback but it’s very easy to reactivate an account.”

On an annual basis, Curran and his team go through a tedious process of looking at each user and comparing their role as described by human resources to their role as described through their application access. Cooper’s policy dictates that when an employee moves from one department to another, his or her access except for network access is cut off and then his or her manager makes the decision on what access is required for the job. Monitoring that activity is another task for Curran’s team.

As everyone in the healthcare industry even slightly responsible for privacy and security has heard, conducting a risk assessment is critical. Cooper has a very detailed process, said Curran. The two primary documents he uses are the NIST 800-53 and the Common Security Framework. After going through each privacy and security control, senior managers receive the risk assessment to use for decision-making. “I’m a firm believer that as privacy and security professionals, we don’t make business decisions but we can make recommendations based on the risk assessment. The business leaders have to make the decision and accept the risk. Sometimes they listen to us and sometimes they don’t.”

Moving his role out of IT allowed “us to provide a better risk assessment on the controls we needed in place from an overall business perspective.” His role is to ensure an organization’s controls and standards are integrated into the business, which is difficult to do through the IT department, he said, because “you’re now monitoring your own organization so there’s a separation of duties there.”

Privacy and security efforts have been integrated into the organization’s culture, Curran said. “We’re continually modifying our policies based on technologies, processes and people that are changing. Policies shouldn’t be stagnant. You need to educate staff and have policies that say what they can’t do and push that out so they understand their roles and responsibilities.”

Part of the education program is annual privacy and security training as well as three top issues each quarter. By emphasizing three topics each quarter, they can be more flexible when it comes to new technologies and processes. Through emails, posters and fun training sessions, they let employees know “they have a role to play within the organization within the privacy and security world.”

Despite all their efforts, Cooper still struggles in some areas. For example, the IT governance committee does not include someone who understands the risks involved in privacy and security, Curran said. However, a new medical officer is working to get someone with that experience on the committee.

New leaders pose an issue as well, Curran said, because some just don’t have the same emphasis on privacy and security that existing leaders have. “We need to educate them on the value of privacy and security and getting us involved at the beginning of projects so we can provide the advice and assessment they need to make key decisions.”

Going forward, Curran said there is a lot of ambiguity in the regulations, especially HIPAA. “I’m finding that the ambiguity is letting people implement the regulations in different ways.” Even within his organization, people are interpreting the regulations differently. He and his team have to educate business leaders and often explain that they need to do things in a different way. “That causes some heartache for us. Privacy and security are not at opposite ends of the seesaw—they need to be balanced. You don’t have to accept less of one to get that balance.”

HITECH, however, pushes the integration of privacy and security more than most people believe, Curran said, especially when it comes to breaches. “The privacy regulations for HIPAA already had a security component and vice versa. HITECH puts more teeth into that. HITECH was a good thing.”

Beth Walsh, Editor
