John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, details how his team is analyzing security risks and deciding what to do about them in a recent post on his blog "Life as a Healthcare CIO."
In a previous post, Halamka said that "mounting regulatory and compliance pressures" are keeping him up at night. Unsurprisingly, a full third of the capital requests in his FY2013 budget were for security and compliance-related projects.
Among the projects that BIDMC is kicking off this summer, Halamka noted, are:
- An enhanced encryption program for tablets and laptops
- An enhanced mobile/BYOD security program
- An enhanced learning management infrastructure to train everybody at BIDMC on security requirements
- Enhanced conflict of interest reporting
- A comprehensive audit of BIDMC's security program and policies.
In pursuit of the last of these goals, Halamka's team recently held its first security prioritization meeting. The attendees decided to form three five-member workgroups, including people from IS and compliance, and have them review 55 items in the following categories:
- Access management
- Policy and other
- Content management
- Monitoring and containment
- Mobile computing
- Data network
- Facilities (disaster recovery)
Halamka's group created a spreadsheet to score items by importance. The scores are based on the relative work, impact, and risk that each item represents. Among the specific parameters to be rated are:
- Workforce impact or "disruption" factor
- Probability that the vulnerability will occur
- Impact if the vulnerability manifests itself
- Overall compliance effort required
- Information systems effort required
- One time capital cost estimate
- One time labor requirement in FTEs
- Recurring internal labor
- Recurring maintenance and purchased services
- Recurring other support costs
- Overall priority
Of course, all of these risks must be viewed in the context of the rising security threat to healthcare information systems. Last fall, the Ponemon Institute issued a report saying that security breaches were costing the healthcare industry about $6.5 billion a year. The number of reported security incidents jumped 32 percent from 2010 to 2011, and the average cost of these events to healthcare organizations was $2.2 million, up 10 percent from the previous year.