Hospital creates IS analyst position to increase awareness

BOSTON—When Union Hospital was going to implement a new EMR, the organization took advantage of the opportunity to also implement an infrastructure with greater information security. CIO Anne Lara, EdD, RN, CNE, CPHIMS, shared the hospital's experience during a presentation at Medical Informatics World.

“Our philosophy was to give all our community providers access,” she said. The hospital had spent money on security assessments but had no mitigation. They needed monitoring tools, training and reporting and a methodology for breaches and investigations. “It wasn’t on the executives’ or management’s radar,” said Lara.

Lara said it was her responsibility to create an awareness and sense of urgency around information security and, rather than hire another consultant, she decided to create an information security analyst position. She gained support for the role by saying they had to make sure the new EMR was safe and secure and that they were adequately addressing the security requirements of Meaningful Use.

Lara had a very motivated young man who was interested in improving his credentials and proving his experience, she said. She knew that unless she issued him a good challenge, he would move on to a position elsewhere.

This candidate didn’t have in-depth knowledge so she took a risk. However, she thought his enthusiasm would go a long way. “Culture is important when trying to invoke change. You want to make sure interventions don’t negatively impact the culture.”

Meanwhile, the hospital’s insurance company had just come established a cybersecurity rider. So, Lara partnered the new IS analyst with the security auditor. They walked through the organization together for an audit which exposed the new position to the executive team. He also networked on his own and reached to vendors about the various tools. “He made a name for himself just through his interactions.” She also said his training has been important and he has been studying for his IS credential.

By making these ongoing investments in his education and helping make sure he is seen as the go-to person for all thing information security, “we are trying at every opportunity to leverage the position to create a culture of information security awareness.”

To keep the momentum going, the hospital has stepped up its annual training and assessment efforts. Monitoring tools were put in place and the results shared. A study showed how many hours were lost to surfing so they’ve implemented web filtering. “There was an outcry but people started to understand why this was happening.”

 “We can put all these tools in place but it seems that the folks using their brains for evil are always a few steps ahead,” said Lara. “Better education among healthcare workers is probably the best thing we can do.”