The CSO perspective on healthcare security and compliance

Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.

Is it more difficult to secure healthcare IT systems compared to other infrastructures?
I’ve worked in several industries and by far healthcare is the most difficult industry I’ve had to work in to date. Not all frameworks and regulations are created equal. In the case of healthcare, HIPAA and HITECH requirements require strong controls, clear lines of command and a lot of mandatory tracking and documentation.

In addition, as a healthcare security manager you must constantly remind yourself, and the people you work with, that you are not just protecting bits and bytes but that you have been given the responsibility to be the custodian of many people’s most sensitive and personal information. Exposures of this data are not only subject to heavy fines; persons’ reputations, potentially their ability to secure a job and even their family lives may be in jeopardy.

What healthcare-related compliance challenges do you face as the CSO of the Medicaid Information Service Center of New York?
Information services within the state of New York not only have federally mandated security requirements; the NYS Office of Cyber Security also has stringent policies on the access and use of protected health information (PHI) and personally identifiable information (PII).

It is sometimes quite challenging to determine who has precedence over a particular piece of information, and reporting requirements can contain many branches to different organizations depending on the type of potential violation or data involved in an incident. In addition, access requirements must be constantly reevaluated, and tracking mandated attestations for access is very time consuming.

Based on your experience, what areas should healthcare CSOs focus on?
Controls should always be a primary focus. First from a compliance perspective, “Have we put in place the necessary controls to maintain compliance?” Secondarily as a risk to the organization, “Is this control effective in reducing or eliminating a security risk to the organization as a whole?”

As a rule of thumb, if a control is left alone it will slowly deteriorate over time, increasing risk to the organization. And if it is not monitored and adjustments made, eventually a control will become ineffective.

How do you deal with BYOD? Are there any positive sides to the trend?
BYOD is a scary proposition regardless of the industry. On the one side you have the productivity benefits that you derive from employees using a device that they are comfortable with and generally have on their person during their waking hours. However, the downside is that sensitive information may be walking out of your organization with little or no controls to protect it. Because of this, my organization does not allow the storage of any PHI or PII on our BYOD devices although company confidential information may be allowed if there is a business need.

We also have implemented a Mobile Device Manager (MDM) tool to monitor and control the limited BYOD devices authorized for use in our organization. We reduce our risk of exposure knowing that, at minimum, a strong password and other controls are in place on the employee’s device and that the employee has voluntarily agreed to allow us to track and remotely wipe the device’s contents should it be lost or stolen.

What advice would you give to CSOs when it comes to requesting a budget increase?
Before a budget request can be made a CSO must know where the monies will be best spent. An honest self-examination of the security controls within the organization and using tools such as a color-coded risk profile as described in the report are a great way of showing the security posture of the organization to an executive in charge of finance.

It’s important to be able to help the CFO, or other executives working with the company budget, to understand the areas that need to be shored up and to translate these security requirements to business needs. By doing so, it helps grease the budget wheels to ensure the CSO gets the funds needed to be effective in securing the organization.

It’s been my experience that it’s the CSO who has the ability to show the benefits of the security program in business terms, rather than the experienced security professional, who tends to get the budget they need.
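Three points in the answers above fit together in practice: access attestations must be tracked (and are tedious to track by hand), a control that nobody monitors quietly decays, and a colour-coded risk profile is a good way to show control health to a CFO. The script below is an added example, not code from the interview or from the Medicaid Information Service Center of New York. It assumes a constructed list of access grants for hypothetical systems, an assumed 90-day re-attestation period, and illustrative amber/red thresholds; it flags grants whose attestation has lapsed and rolls the result up into a green/amber/red rating per system, so the decay of the access-review control becomes visible before the next audit does.

```python
from datetime import date, timedelta

# Constructed sample access grants to hypothetical PHI systems.
# User ids, system names and dates are made up for this example.
GRANTS = [
    {"user": "u1001", "system": "claims-db",   "last_attested": date(2013, 5, 1)},
    {"user": "u1002", "system": "claims-db",   "last_attested": date(2013, 1, 10)},
    {"user": "u1006", "system": "claims-db",   "last_attested": date(2013, 4, 2)},
    {"user": "u1007", "system": "claims-db",   "last_attested": date(2013, 3, 20)},
    {"user": "u1003", "system": "eligibility", "last_attested": date(2012, 11, 20)},
    {"user": "u1004", "system": "eligibility", "last_attested": date(2013, 4, 15)},
    {"user": "u1005", "system": "reporting",   "last_attested": date(2013, 2, 28)},
]

# Assumed policy values (not taken from the page): managers must re-attest
# each grant every 90 days; the colour thresholds are illustrative.
ATTEST_PERIOD_DAYS = 90
AMBER_THRESHOLD = 0.10   # more than 10% of grants overdue -> amber
RED_THRESHOLD = 0.25     # more than 25% of grants overdue -> red

RATING_ORDER = {"green": 0, "amber": 1, "red": 2}


def overdue_attestations(grants, today, period_days=ATTEST_PERIOD_DAYS):
    """Return the grants whose last attestation is older than the review period."""
    cutoff = today - timedelta(days=period_days)
    return [g for g in grants if g["last_attested"] < cutoff]


def rate(overdue_ratio):
    """Map the share of overdue grants onto the colour-coded risk profile."""
    if overdue_ratio > RED_THRESHOLD:
        return "red"
    if overdue_ratio > AMBER_THRESHOLD:
        return "amber"
    return "green"


def control_health(grants, today, period_days=ATTEST_PERIOD_DAYS):
    """Summarise the access-review control per system: counts, rating, who is overdue."""
    by_system = {}
    for g in grants:
        by_system.setdefault(g["system"], []).append(g)
    report = {}
    for system, sys_grants in by_system.items():
        overdue = overdue_attestations(sys_grants, today, period_days)
        ratio = len(overdue) / len(sys_grants)
        report[system] = {
            "grants": len(sys_grants),
            "overdue": len(overdue),
            "rating": rate(ratio),
            "overdue_users": sorted(g["user"] for g in overdue),
        }
    return report


def overall_rating(report):
    """The organisation-wide colour is the worst colour of any system."""
    return max((r["rating"] for r in report.values()), key=RATING_ORDER.__getitem__)


if __name__ == "__main__":
    today = date(2013, 5, 15)   # constructed "as of" date for the example
    report = control_health(GRANTS, today)
    for system, r in sorted(report.items()):
        print(f"{system:12} {r['rating']:5} {r['overdue']}/{r['grants']} overdue "
              f"{r['overdue_users']}")
    print("overall:", overall_rating(report))
```

Run on a schedule, the same report also shows the decay the answer warns about: a system that was green last quarter and is amber now is a control drifting toward ineffective, and the per-system list of overdue users is the work queue for the attestations that have to be chased.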

What’s your take on increased cloud adoption? Are you moving some of your resources into the cloud?
Clouds, like BYOD, are a blessing and a curse. My organization utilizes a number of professional cloud providers to augment services we are not properly staffed for, or don’t want to operate ourselves. However, while the conversations with these providers mainly center around application performance and capacity, few talk about security or compensation avenues for the loss or exposure of data.

With that said, many cloud providers are improving their service documents to provide better compensation clauses in their contracts but this is still a lingering problem in the cloud provider industry. In our experience with the inconsistent state of security of many cloud vendors, my organization as a practice does not allow PHI, PII, or other confidential information to be sent to a cloud. I expect as cloud providers mature their security practices that this will slowly change over time.
