Thursday, September 20, 2012

Can Chief Security Officers Protect Data from Prying Eyes?(Brief Article) - Health Data Management

New rules, new laws and new technologies are a few of the reasons why more health care organizations are likely to hire CSOs.

If a health care organization has a CIO who has a vast knowledge of security issues along with eight arms and the ability to be in 17 different places at once, that organization might not need a chief security officer. That's the conclusion of many in the data security field and a steadily growing number of health care CIOs and CEOs.

Health care needs more CSOs because the job of the CIO has gotten so broad that CIOs no longer can give adequate attention to data security issues, says Diana J.P. McKenzie, partner-in-charge of the health care technology practice at Gordon & Glickson, a law firm in Chicago.

'Being a CIO today is not what it used to be,' McKenzie says. 'There are so many more systems they are managing and so many more processes and people they are directing compared to just two or three years ago. When you get to a certain threshold, you need to create a new division. And CIOs have reached that point with security.'

Health care CIOs are implementing computer-based patient records systems, enterprisewide intranets, electronic data interchange systems, telemedicine programs, data repositories, decision support systems, financial information systems, and much more. Data security is an integral part of every one of those endeavors.

CIOs also have to contend with upcoming health care data security rules from the Department of Health and Human Services. Comprehensive proposed rules were released in August (see September 1998 issue, page 12). Add to that the massive undertaking required to fix the year 2000 problem (the inability of many systems to distinguish '00' in the date field as denoting 2000 and not 1900), and some CIOs could be overwhelmed with their responsibilities.

All of this adds up to a tremendous opportunity in health care for data security professionals, as more provider and payer organizations consider adding a CSO to their ranks because of these varied pressures.

The time is now

Now more than ever, many experts contend, health care organizations need one person dedicated to the job of protecting health care information as it is created, stored, manipulated and transmitted by hundreds of people every day.

A CSO provides professional advice to the CEO, the board of directors and others on existing and potential security issues, says Martin Nowak, executive director and CEO of the University of Alabama Health System in Birmingham. Nowak created an information security officer position at the hospital in 1993.

'The CSO conducts ongoing policy development in the best interests of the organization, individuals using information systems, and those people, particularly patients, who may be affected by systems,' Nowak says. 'The CSO performs many critical tasks, like serving as a link to the human resources division during the employment and discharge of employees and guiding the institution through Internet access issues and intranet development and usage.'

The CSO ultimately protects data security and ensures data integrity and availability for the organization, he adds.

But some health care provider and payer organizations don't see the value of funding the office of a CSO when money is needed for other programs.

'A problem now is that many health care organizations are financially very short, with new regulations being imposed on them and all the pressures from managed care,' McKenzie says. 'Organizations are in some ways justified in trying to hold back on creating this new office.'

But each bad security breach in health care will lead to a swell of interest in hiring CSOs, McKenzie predicts. 'When a security breach happens, executives will bring a CSO on board,' she says.

CSOs have a variety of job responsibilities designed to help health care organizations avoid such damaging security breaches. But the scope of a CSO's job varies from organization to organization.

The CSO position is evolving; it's not like the CIO position, which has certain very specific tasks and functions, McKenzie says.

'The evolution of the CSO in health care is only at its genesis,' she says. 'Their ultimate responsibility is for the security of patient data. But as the position continues to evolve, it will become much greater than that. It will include the confidentiality and security of the employees of the institution. It will extend to having a total understanding of all federal and state legislation, and much more. The CSO has to be aware of many issues, as they ultimately are responsible for creating an institution's security policy.'

The responsibilities of today's health care CSO fall into two main categories: strategic and tactical, says Gary Gray, information security coordinator at Swedish Health Services, an integrated delivery system in Seattle. Gray has been in health care information security for 10 years.

Swedish previously had a security position that was smaller in scope. When Gray took over the position a year ago, management broadened the security chief's responsibilities and altered the reporting structure so Gray would report directly to the vice president of information services.

'In the strategic area, a CSO must align information security with corporate goals, communicate security concerns to management to influence management decisions, and inform and educate the entire executive team so they can make informed decisions,' Gray says.

'In the tactical area, a CSO must lead a security committee, develop and monitor information protection and awareness programs, present an annual report to senior management on the state of the security program and the future vision for information security, coordinate development of security protections, ensure that access control and audit measures are maintained, and more.'

The umbrella mission of a health care CSO is to take care of an organization's information, says Micki Krause, director of information security at PacifiCare Health Systems Inc., a Santa Ana, Calif.-based managed care company with more than four million members in 14 states. Krause took on the job of CSO at PacifiCare in 1995. Although there was a security manager before her, the organization initiated a comprehensive information security program in 1995 that increased the position's responsibilities.

Individual components of the CSO's job, according to Krause, are: establishing policies, procedures and standards; managing systems users' identifications and passwords; ensuring that the proper level of security and control is inherent in all computer systems, applications, networks and external connections to business partners; making sure the organization complies with legal, regulatory and audit requirements; and conducting security education and awareness programs.

Compelling reasons

The need to create and maintain security policies, technological controls and educational programs is becoming more acute, industry observers say. Security professionals and health care CSOs cite a variety of reasons why more provider and payer organizations should hire CSOs.

Information systems security risks are increasing dramatically, and security problems are complex enough that a specialist is required, says Peter Tippett, M.D., president of the International Computer Security Association, Carlisle, Pa.

'Health care understands the need for specialists more than any other industry. After all, if you have a brain tumor, you don't want a heart surgeon operating on you,' Tippett says. 'The major driver for CSOs in all businesses is the fact that complexity and connectivity are increasing so rapidly that, consequently, risk is rapidly increasing.

'The virus risk, for example, is up to several billion dollars a year for North American companies. The cost of viruses per North American company is nearing $1 million. Helping lower that risk and its costs alone would cost-justify the hiring of a CSO.'

The University of Alabama Health System created a CSO position in 1993 on the recommendation of a committee it created to assess security needs, says William M. Miaoulis, information security officer at the hospital since 1993.

'The information security committee, headed by the hospital's assistant chief of staff, concluded that as more data was becoming electronic, security was an increasing priority and the organization needed to properly ensure the protection of patients' rights, patients' privacy and data security,' Miaoulis says.

At CareGroup Inc., an integrated delivery system based in Boston, audits of information systems and manual processes helped management conclude in 1997 that they needed to hire a CSO to spearhead development of heightened security measures. The delivery system created a formal security department, with five staff members working under the CSO.

Often a newfound awareness of potential liability for security breaches drives health care organizations to hire a CSO, says Kate Borten, chief information security officer at CareGroup. She took the newly created post in 1997.

'It usually is an internal or external audit that gets the ball rolling. Audit departments are getting more and more savvy at pointing out security vulnerabilities,' Borten says. 'And once a security problem is identified in an audit report, an organization is put on the spot.'

Required resources

When health care organizations decide to hire a CSO, they will have to earmark appropriate funds for a qualified individual. Because the position of CSO is relatively new to health care, there aren't many benchmarks for CEOs or CIOs to follow when putting together a salary package.

The average salary for a CSO in health care is about $75,000, Miaoulis estimates. 'The biggest problem, though, is finding job candidates with health care-specific information security experience,' he adds. 'So you might have to consider people who are not ideal candidates for health care, but nonetheless have excellent security experience. These people are likely to come out of industries such as insurance, banking and energy, where security has had a higher profile.'

Miaoulis has 16 years of experience as an information security professional in various industries. Previously, he worked for six years as information systems auditor with Sonat Inc., a holding company with subsidiaries that include a natural gas pipeline company, an exploration company, an offshore drilling operation and an oil-field services company.

CSOs should make about $80,000 per year, says Hal Tipton, principal of HFT Associates, a Villa Park, Calif.-based health care information security consulting firm. 'But they also will need a staff, the size of which depends on the size of the organization, how much data processing is involved, and the type of computers and networks involved,' Tipton says.

'A CSO will need individuals under him with knowledge of security issues and general issues surrounding mainframe computing, client/server computing, networking, PCs, security awareness and training, contingency and business recovery planning, and more. The number of people he can have to specialize in such matters depends on the size of the organization.'

At minimum, health care organizations need one person dedicated to information security, says Gray of Swedish Health Services. And this specialist should have a broad range of information security expertise.

'Information security is much more than just managing users' IDs and passwords. As a result, the salary range for a CSO runs from $55,000 to $90,000,' Gray says. Yet a health care executive search firm recently informed Gray of a CSO position in a large hospital in the southwest. The firm said the CSO position's salary could go as high as $125,000.

'Whatever the salary,' Gray says, 'between the incredible complexity of technology and the increased use of Internet technologies, organizations would be wise to spend their money on a person with a Certified Information Systems Security Professional credential.'

Certification

The CISSP credential is a popular emblem of expertise among security professionals in health care and other industries. The Shrewsbury, Mass.-based International Information Systems Security Certification Consortium manages the CISSP certification process, in which many health care CSOs place great faith.

An increasing number of health care organizations are represented in the seminars given for people taking the CISSP tests, says Tipton, the consultant, who holds the CISSP credential and assists in the association's certification process.

All CSOs should hold a CISSP, says PacifiCare Health Systems' Krause, who has the credential. 'It is the only credential for information security professionals,' Krause explains. 'It is important that there be a requirement that a CSO in any industry have a basic understanding of the entire body of common security knowledge. Otherwise they can't be effective in their role.'

Unfortunately, too many health care organizations are hiring CSOs who have very little background in security, Gray contends.

'As the complexity of security systems grows, you need someone who understands a broader range of issues--from ethics to legislation to risk management to law enforcement to technology,' he says. 'And the benefit of having someone who is a CISSP is that they have gone through a program and have been tested in areas of expertise. That adds a lot of value to a CSO and the organization for which he or she winds up working.'

Borten, the CSO at CareGroup, does not hold the CISSP certification. However, she and her staff of five are considering pursuing the credentials. 'It takes time and it takes money,' Borten says. 'But I do feel the value of the CISSP credential will really rise tremendously as people realize more and more that information security is truly a niche and there is very specialized expertise involved.'

Reporting structure

When a provider or payer harnesses the specialized expertise of a CSO, the organization must determine where best to place the new executive on the organizational chart.

When CIOs first made waves in health care, they primarily reported to the CFO. That was because most information systems in health care at the time focused on financial matters. Today, as CIOs' responsibilities have expanded, many now report to the COO or CEO.

A similar pattern could be building for CSOs in health care. Because the office is relatively new, many CSOs report to CIOs. This is because many health care executives link security concerns to the increasing presence of information systems. But some health care CSOs report directly to the CEO. And as time goes on, perhaps more CSOs may attain equal status with CIOs and CFOs.

CSOs should report to either the CEO or the CIO, says Miaoulis of the University of Alabama Health System, who reports directly to his CEO.

'CSOs need a working relationship with both officers,' he says. 'You need high visibility. And either one of those officers is at a high enough level for the CSO to get the support, weight and credibility needed to do the job.'

The advantage of having the CSO report to the CEO is that it portrays to all employees that the CSO is not just handling information systems tasks, but also managing administrative support for all health care information security, Miaoulis adds.

At CareGroup, Borten has a unique reporting relationship designed to meet her specific needs.

'For significant security issues that come up, I do go to the CIO. For practical purposes, though, since he has so much on his plate, I am not reporting directly to him for most other matters but to one of his direct reports,' she explains. 'But my staff is well-regarded as a specialty group, and when an issue comes up of real significance or potential political or financial impact, I report directly to the CIO.'

A CSO should at a minimum report to the CIO because any security decisions that need to be made will have an effect on the entire organization, says Krause of PacifiCare. 'A CSO needs to report to someone at a level that offers the kind of leverage needed to make security efforts really happen,' she says.

Having the right supervisor can be key to the success or failure of a CSO. So, too, is the information security policy that a CSO must craft. Writing, maintaining and enforcing a thorough security policy is at the heart of a CSO's job (see story, page 56).

One person should not be creating a provider's or payer's information security policy, Miaoulis says.

'It is the job of a CSO to lead the policy-writing process,' he says. 'You first must form a committee and make sure the CSO is in charge. You then gain the support of management for the effort, research all the security issues, draft policies, and, finally, follow your organization's review and approval processes.

'Once you get your policy formalized and approved, you have to educate all users about the policies,' Miaoulis says. 'And you must enforce them. Policies without education and enforcement don't have a lot of value. The value of security policies is "before the fact," as an educational tool.'

Krause crafted PacifiCare's information security policy based on generally accepted system security principles and best practices. After researching the issues, she built a fundamental outline of the policy and then began filling it in.

'I built the security policy myself, and then I went around and secured buy-in from top business management and the individual department chiefs, namely human resources, legal, internal audit and information systems,' Krause explains.

Some CSOs, including Gray of Swedish Health Services, find a detailed information security policy already in place when they take the job. This doesn't mean, however, that their responsibilities regarding policy writing are completed.

'While there was a policy in place when I arrived, what I had to start doing was bringing that policy up to date and adding to it,' Gray says. 'I would advise CSOs--all of them, not just those with policies already in place--to look at other organizations' policies in the community. Most organizations will share information with you, and I am a big proponent of not reinventing the wheel. Much of the work done by other people in other hospitals can be used to help you create your policy.'

HIPAA mandates

Security policies have become all the more important with the advent of the Health Insurance Portability and Accountability Act of 1996. As mandated by HIPAA, the federal government proposed far-reaching health data security rules in August. They apply to all health care data, whether it's transmitted over any network or never leaves a desktop computer. They apply to all health care provider organizations--from the largest hospital to the smallest clinic. They apply to all health care payer organizations, including HMOs, PPOs, commercial insurers, third-party administrators and self-insured companies.

The security rules do not require health care organizations to use computers to store or transmit data. For information that is stored on computers, the proposed rules require organizations to implement specific administrative, physical safeguard and technical procedures to ensure the security and confidentiality of the data. In most cases, the security standards will supersede contrary provisions of state law governing electronic health information. The rules also require the use of encryption software when transmitting health information over the Internet or other 'open' networks, such as dial-in lines.

The new security requirements will go into effect 26 months after final rules are published. The U.S. Department of Health and Human Services expects to publish final rules late this year or in early 1999. In its proposal, the department warns the health care industry to take the security standards seriously. 'Several accreditation organizations, such as the Electronic Healthcare Network Accreditation Commission, the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, indicate that one of their accreditation requirements will be compliance with the HIPAA security and electronic signature (if applicable) standards,' the rules say.

The proposed security regulations are separate from another HIPAA mandate for a national medical information confidentiality policy by February 2000. The security regulations govern the protection of confidentiality by ensuring the security of electronic health information. The confidentiality policy will govern the disclosure of identifiable health information.

Confidentiality law

In late July, the U.S. House passed a 'patients' rights' bill that included a national medical confidentiality policy. But privacy advocates say the confidentiality provisions in the bill, H.R. 4250, are not as tough as those in previously introduced privacy bills and thus don't provide the level of protection originally envisioned for such legislation. HIPAA requires Congress to pass a confidentiality bill by August 1999. If it doesn't, HHS will set such a policy by issuing regulations.

The HIPAA security and confidentiality rules will be important to the future of health data security and CSOs, says Miaoulis of the University of Alabama Health System.

'One of the proposed security rules says that health care organizations must assign responsibility for security to a specific individual or organization,' Miaoulis explains. 'While it doesn't use the term "CSO," it is an important recommendation that could drive the creation of more CSOs in health care.'

Health care organizations that don't ensure they comply with HIPAA rules and regulations could be in deep trouble, says Tipton, the consultant. 'If a security breach occurs at a hospital and a victim shows that the health care industry has these rules and guidelines and the provider was not following them, that could be the basis for a lawsuit against that provider,' Tipton says.

The almighty dollar

But while more providers and payers are considering adding CSOs to their company rosters, some health care organizations that already have CSOs are eliminating the position.

'My position was eliminated only because the budget does not allow for it,' says Bob Schmidt, former information security director at an integrated delivery system in St. Paul, Minn. The CSO position, created in January 1997, was eliminated in August. 'A CSO is not a money-making position--it is an overhead position.'

The delivery system created the CSO position because it perceived a heightened need to protect patient confidentiality in a climate of ever-changing federal and state laws, JCAHO requirements, and increased data automation, Schmidt says.

'But it's difficult to realize the benefits of the CSO position in the first two to four years,' Schmidt says. 'For example, a hospital normally has "X" number of lawsuits every year. After hiring a CSO, that number might not begin to decrease for a little while, until after new security policies and technologies are in place and have time to prove themselves.'

Top management must show strong support for the CSO and recognize that it might take a few years to demonstrate the value a CSO brings to a health care organization, he adds.

But more often than not, health care executives are beginning to realize the need to have one person in charge of a health care enterprise's information security.

Health care definitely needs more CSOs, says Krause of PacifiCare. 'The information security field is specific enough and broad enough in the things it requires people to understand--technology, human nature, business, and more--that there has to be an individual who is specifically given that responsibility,' Krause says. 'It really is a very full-time responsibility.'

Resources on the Internet

Computer Security Institute: www.gocsi.com/

Gateway to Information Security: www.securityserver.com/

HIPAA Proposed Security Rules: http://aspe.os.dhhs.gov/admnsimp/index.htm

Information Systems Security Association Inc.: www.issa-intl.org/

International Computer Security Association: www.ncsa.com/

International Information System Security Certification Consortium: www.isc2.org

RELATED ARTICLE: Security policies must be thorough

The cornerstone of the health care chief security officer's job is to carefully craft a meticulous information security policy. For providers and payers alike, information security policies must delineate in great detail how an organization creates, stores and transfers information, whether it is on paper or electronic.

The most important aspect of a security policy is its scope, says Diana J.P. McKenzie, partner-in-charge of the health care technology practice at Gordon & Glickson, a Chicago-based law firm.

'Most of the policies I review simply do not have enough elements in them,' McKenzie says. 'They might cover how staff should give records to patients, but they don't cover all the ways that medical data is transported or communicated within the institution. Or the policies might cover how e-mail is to be used and how it should be safeguarded, but they don't include rules for voice transmission of medical data.'

In general, health care organizations' security policies are not broad enough to encompass the many ways medical data is shared in today's increasingly electronic environment, she adds.

Once a policy has appropriate scope, it must be clearly communicated to all employees, and it must be properly enforced. Health care organizations can get into deep legal waters if all employees are not given ample opportunities to read and understand information security policies, McKenzie says.

'If a policy only appears in the employee manual people receive when they're hired and nothing further is communicated to staff, and if the policy never is updated, it will be all the more difficult for a hospital or clinic to prove it's not liable when a security breach occurs,' McKenzie says. 'If an organization has a good policy in place and everyone knows about it through printed materials and training sessions--and the policy is updated regularly--a health care organization is much better served.'

Accountability

When communicating policies to information systems users and others, CSOs must make it clear that users, through official security policies, will be held accountable for how they handle health care data, says Micki Krause, director of information security at PacifiCare Health Systems Inc., a Santa Ana, Calif.-based managed care company.

'Every user has to understand their role in security,' Krause says. 'Education and awareness programs are key to getting this point across.'

To back that up, CSOs must vigorously enforce security policies, she adds. 'There has to be a very strong level of enforcement, a statement that says something along the lines of, "Failure to comply with the policy will result in" specific penalties, up to and including termination,' Krause says.

But for many in the health data security field, the most important aspect of crafting a security policy is guaranteeing that an organization's management is fully behind the goals and rules of a policy.

Obtaining top management's support is a CSO's No. 1 task, Krause says. 'And that doesn't just mean the CEO's support,' she explains. 'The CSO must gain the backing of management from the CEO all the way down to the line managers who will make sure employees adhere to security policy.'

Top management must sign off on an umbrella security policy that says that the information the organization holds is important and crucial and that its confidentiality and integrity must be maintained, says Hal Tipton, principal of HFT Associates, a Villa Park, Calif.-based health care information security consulting firm.

Other significant points a security policy should cover, Tipton says, include:

* Defining who has access to what data.

* Outlining how remote access to information systems, if offered, will be managed.

* Listing what users can and cannot do with an organization's computing resources.

* Pinpointing measures to be taken to fight computer viruses.

* Saying exactly how the privacy of e-mail will be protected.

RELATED ARTICLE: Issues abound for health care CSOs

Ensuring administrative staff can't use a new enterprisewide network to access confidential patient data. Outfitting e-mail programs with the best encryption systems to safeguard sensitive messages transmitted across the Internet. Guaranteeing that storage rooms for paper files are securely locked. Enforcing a policy that requires all employees to change computer passwords on a regular basis.

Health care chief security officers have a seemingly endless supply of issues to tackle. And though some issues might seem to pale in comparison with others, a CSO will be the first to remind people that even the smallest security breach, left unaddressed, can result in serious damage to patients' lives.

Following is a sampling of opinions from health care CSOs and information security consultants on the most pressing data security problems.

William M. Miaoulis, information security officer, University of Alabama Health System in Birmingham.

'Getting better authentication solutions than today's common password systems is crucial. Passwords have inherent weaknesses. The most serious is their inability to offer nonrepudiation, which is where a CSO can show that someone did something and that person cannot deny they did it. We have a pressing need for a nonrepudiation solution we can easily use until something like biometric technology becomes more affordable. Electronic signatures and digital certificates will be helpful authentication technologies.'

Peter Tippett, M.D., president, International Computer Security Association, Carlisle, Pa.

'Privacy should be protected in health care by "tagging" all health data with the names of every single person who viewed it. Some people believe that we should be highly restrictive with health data. I, on the other hand, think we should liberalize access to it through automated protections. Any patient who wants to see their record should be given immediate access to it. They then would be able to see exactly who has been viewing their data, which, many people don't realize, can total hundreds and hundreds of individuals. Tagging names to data would be like shining a bright light on the industry, which, as security precautions go, works quite well in democratic societies.'

Hal Tipton, principal, HFT Associates, a health care information security consulting firm in Villa Park, Calif.

'For health care organizations that already have established a security department that is handily addressing the critical confidentiality and integrity issues of data security, the year 2000 problem becomes the top concern, no doubt. If you're not year 2000-compliant come the end of next year, that could threaten the availability of online health data and thus cause a lot of problems for your organization.'

Diana J.P. McKenzie, partner-in-charge of the health care technology practice, Gordon & Glickson, a law firm in Chicago.

'Successfully communicating an information security policy and ensuring that policy is large enough in scope are the most important CSO concerns. The manner in which a CSO addresses these matters can either save health care organizations or get them into trouble. If an employee is doing something they shouldn't be doing, and you have a policy broad enough to cover that action and well-communicated to all staff members, then you have what I call an "Exhibit A Defense." You've got a strategy you can use that makes the organization look less culpable.'

Gary Gray, information security coordinator, Swedish Health Services, Seattle.

'User education and awareness training are key. As there is an increasing demand to increase productivity and do more with less, we are constantly asking our employees to work faster. One of the things that typically happens is there is a lack of understanding of how the little things a user does can affect an organization. If you log on to your workstation in the morning and someone wants to get some data by using your workstation, do you look it up for them or log off and let them log into that system and get it for themselves? Or do you just let them use your workstation with your identity? If you let them just sit down at your workstation without you logging off first, then all the work they do will be under your name on the audit logs. Once you start doing that, it gives the impression that security is not important. And probably three-quarters of breaches of confidentiality come from within, from an organization's own employees.'