Information processing in healthcare is rapidly changing in a shift from a paper-based, analog world to a modern, digitized data landscape. As the cloud becomes the status quo for data storage and processing, providers need to increasingly rely on third parties to ensure the safety of their information.
How can we regulate third-party security risks in a technology landscape that is constantly changing? To answer that question, HealthTech magazine convened with prominent CISOs at the intersection of third-party information security and healthcare IT: Omar Khawaja, vice president and CISO of Allegheny Health Network/Highmark Health, and John Houston, CISO of the University of Pittsburgh Medical Center.
Khawaja and Houston shared insights on effective management of information security risks and their efforts to create an industry standard in IT security as members of the Provider Third-Party Risk Management Council, a collaboration with HITRUST, a nonprofit organization with a mission to champion programs that safeguard information throughout the third-party supply chain.
HEALTHTECH: In healthcare, you’re working in an environment with myriad third-party systems. Can you tell me about today’s health IT landscape through the lens of information security?
KHAWAJA: The cloud democratized the ability to deliver IT services. There are a lot of positive things that come with leveraging the cloud, namely reduction of cost, more access to technology, and faster speed. Prior to the proliferation of IT in healthcare, securing data was significantly easier because most of the data was within the four walls of an organization. In fact, it was not even in a digital format.
Security controls should have nothing to do with where the data is, in the cloud or a data center. What should matter is: What is the value of the data and what are the obligations we have on that data from a regulatory, customer-commitment, and reputational standpoint? We should protect the data with the same set of controls regardless of where that data happens to sit, inside or beyond our four walls.
HOUSTON: The thing that we’ve tried to focus on is third-party risk management and the notion that healthcare, like every other industry out there, is moving more and more to the cloud. Ten or 15 years ago, almost all of my data was within my data center. Fast-forward to today, and maybe 25 percent to 30 percent of UPMC’s data processing is being done in the cloud.
We’re moving from an environment today where I can secure my own data in my role in information security to one where I need to rely upon third parties to secure my data. The challenge is making sure that third party is prepared to protect my data and has the technologies in place to do so.
HEALTHTECH: How do you keep up with changing technologies from a risk management perspective?
KHAWAJA: One of the challenges with doing things the old way is that you create a contract, add an amendment with data protection requirements and then, years later, look at that and say, “We should have had some requirements around X or Y, and we never contemplated those.”
The HITRUST Common Security Framework gets updated every year, so controls are added and removed from the program, and all we’re obligating our third-party partners to do is demonstrate compliance with HITRUST. We don’t have to update our contracts because we’re just pointing to HITRUST.
HOUSTON: We’re trying to better protect that data wherever it resides. When a vendor is applying HITRUST, I’m seeing that their processes are in place and that their processes are solid.
When a vendor has used an outside assessor that is trained on HITRUST, that information has been sent to HITRUST, which has done its quality assurance. When I look at that vendor now, I have a high level of comfort that they’re doing what they’re supposed to because I’ve got this whole independent process that is assessing that.
The framework allows you to stay on top of an ever-evolving and ever-changing environment. It’s saying, “I’ve got a process in place that’s going to allow me to continue to make sure that my security is effective.”
HEALTHTECH: So, it sounds like you’re looking to HITRUST as a potential standard for the industry?
KHAWAJA: We got HITRUST certified because we thought that was the right level of due care for our information and our employees’ information, and a client asked why we wouldn’t do the exact same thing for our third parties. That’s when it occurred to me that it should be that simple.
You have relying parties, such as hospitals, going to their third party and assessing them. That same third party may be assessed 50 to 200 times by a variety of their customers. The level of overlap between those efforts is pretty significant.
HITRUST is an exhaustive review of every single control requirement that it has, and those are a few hundred controls that are aligned very closely to the Health Insurance Portability and Accountability Act requirements.
HOUSTON: Through the Provider Third-Party Risk Management Council, with HITRUST being an amalgam of a bunch of different security frameworks that are applicable to healthcare, I can be assured that a vendor that is proactive in applying the HITRUST framework has a certain level of maturity, and I can feel comfortable that vendor is going to continue to do the right things as the needs of security evolve and change. That’s where adherence to information security frameworks comes into play. What we’re really trying to do is move the entire industry.
HEALTHTECH: What are the greatest challenges you face when it comes to risk management today?
KHAWAJA: We’ve got confidential information that we’re sharing with our trusted third parties that are, in more cases than not, operating in the cloud. As an organization and as an information security program, there are two things that we end up losing: One is we have significantly less control over the information, and the second is that we have significantly less visibility into that information.
HOUSTON: Year to year, the threats are fundamentally the same, but every year the threats get more sophisticated. So, technology has to become more sophisticated to address the risks.
This is part of the challenge: I can’t assess on day one that a vendor has all the right security in place and assume that in 24 months they will continue to have all the right security in place to protect my data, because everything continues to change.
That’s also one of the reasons why HITRUST is important, because we want to make sure that whoever that cloud service provider is, their security is appropriate and adequate. To me, I define the cloud as being anything that I can access through the internet.
HEALTHTECH: How can we ensure the future of healthcare security?
KHAWAJA: We would rather focus on implementing controls that are going to have real value in protecting the information our customers care so dearly about than applying resources and money to responding to those efforts that are all duplicative.
We’d much rather the authority on healthcare security tell those third parties how to secure their environment, and the foremost authority when it comes to healthcare security happens to be HITRUST.
HOUSTON: I spend a lot of time and effort securing my own infrastructure that is in my control, and now, since I can’t necessarily directly do those assessments to make sure that those third parties are secure, I have to rely upon some type of assessment to make sure that they’ve got the frameworks in place and that they are secure.
By making HITRUST the standard and having vendors comply with it or get certified to it, that will allow providers to verify the vendors they want to contract with and move the industry to have better security in place, and this benefits everyone.
Check out HealthTech’s NHIT Week coverage on our event page, or follow the conversation at @CDW_Healthcare or with the hashtag #NHITWeek.