Partners CISO: 'Don't let HIPAA drive efforts'

BOSTON—The healthcare industry needs to stop letting HIPAA drive privacy and security efforts and focus on the patient instead, said Jennings Aske, JD, chief information security and privacy officer at Partners HealthCare in Boston, who spoke during the second annual HIMSS Privacy & Security Forum.

“We need to focus on our obligation to the patient,” he said. “That will help us be more successful in getting our organizations to care about security and make the necessary investments.”

Seasoned healthcare privacy and security professionals know that HIPAA is only the tip of the iceberg and we need to go beyond the regulations, Aske added. “A big part of what I do is try to get clinical and research leadership to understand the end game. It’s about helping patients.” He cited his experience working with a physician who was frustrated that he had to use yet another password. He said he already had to authenticate to numerous other systems. Instead of telling the physician that HIPAA requires unique provider identification, Aske asked him if he was concerned about the integrity of the medical record and if he would be concerned that someone could access the record and delete important information. That physician has become a real privacy and security advocate, Aske said.

Data confidentiality doesn’t matter to a lot of clinicians, Aske said. Sell a message around treatment and care of patients and “the byproduct is going to be compliance.”

Partners leverages standards to define its effort, Aske said. “Standards take the emotion out of the room. I found that if we talk about standards and I can explain about transformation in medicine, that helps ground the conversation. It’s not about the law, it’s about doing something based on evidence, time and experience. That resonates with the clinical audience.”

Aske discussed several principles that guide his work. For example, security and privacy are driven by business objectives. “Principles are hard to live by. We tend to take shortcuts. Sometimes we haven’t agreed upon principles.” He cited the work of a security unit involved in a laptop encryption project. One parameter set was that any laptop not connected to the internet every 15 days was dropped. The problem, however, was that there were researchers who spent three months at a time in Africa with spotty connections. There were some laptops that were only used for conferences. The security unit didn’t understand the use cases and requirements of all the users.

Another principle is that information security and privacy are risk-based, problem-solving activities. “We see practitioners struggle with this.” For example, an employee doing a risk analysis was very concerned about single sign-on because if that sign-on was compromised it affected all the systems. Aske tried to get him to understand that lots of users wrote down all of their passwords. “There are so many business benefits to implementing single sign-on.”

Information security and privacy are collaborative, Aske said. “Things are messy. The natural tendency is to avoid complexity. An effective program embraces the mess and difficulty of culture change.” To take programs to the next level, you have to have those conversations with angry clinicians, he said.

Another principle is that information security and privacy evolve. “If you develop budgets and work with vendors as though those things are going to get done, you’re setting yourself up for failure. New threats are going to emerge. You have to constantly rethink what you’re doing.”

Another important point, Aske said, is that “security can’t be about no and all too often it is. You end up alienating the people you need to educate and have be a part of your team.”

Beth Walsh, Editor
