Earlier this week the Office of the National Coordinator for Health Information Technology (ONC) released an initial draft of its healthcare IT framework and strategic plan. This is a high-level outline of the themes, principles, strategies and objectives that the ONC will address, and it reflects an update to the Federal Health IT Strategic Plan published in June 2008. One of the four major strategic themes is privacy and security. As one might expect, the strategies and objectives associated with this theme emphasize developing, promoting and enforcing privacy and security policies consistently at the federal and state level. With this high-level plan in mind, I thought it would be interesting to make some associations with what I have been hearing from healthcare IT leaders in meetings and at industry conferences over the last month or so.
One important aspect mentioned throughout the strategy document is the development, dissemination and promotion of specific IT security best practices. From talking with a significant number of healthcare providers, the top-of-mind IT security issue was the prevention of security breaches. From an even broader perspective, a recent HIMSS survey of 270 healthcare organizations and 700 hospitals throughout the United States showed that nearly one quarter (23 percent) had suffered a security breach in the last year. There are many things that need to be done to prevent security breaches, but most healthcare providers that I’ve talked with seem to be looking for guidance on encrypting data.
Encryption is certainly a worthwhile starting point, but it is critical to keep in mind that without effective key management, encryption will create more problems than it is worth. Given that most deployments occur within heterogeneous IT environments, one of the most common stumbling blocks is a lack of standards across encryption products. There are standards efforts underway through the IEEE and OASIS organizations, and several vendors such as EMC/RSA and HP support interoperable key management products. Make sure you have carefully thought through the entire scope of your encryption program and that interoperable key management is addressed properly. Another important best practice is to clearly map out your policies before starting any implementation. This requires a written policy (which is then carried out through the administrative interfaces of the encryption and key management products) that specifies access procedures, key lifetimes and other similar issues.
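To make the key-lifetime point concrete, here is an added illustration (not code from the post or from any vendor product mentioned above) of the policy logic a key-management layer enforces: only the current active key may encrypt new data, a key past its configured lifetime is retired on first use, retired keys still decrypt the data they protected, and destroying a key makes its data unrecoverable. The `KeyManager` class, the lifetime value and the patient-record strings are all constructed for the example; the HMAC-SHA256 counter-mode keystream stands in for a real authenticated cipher such as AES-GCM and provides no integrity protection.

```python
import hmac, hashlib, os, time
from dataclasses import dataclass

@dataclass
class ManagedKey:
    key_id: str
    secret: bytes
    created: float
    lifetime: float          # seconds during which the key may protect NEW data
    state: str = "active"    # active -> retired (decrypt only) -> destroyed

class KeyManager:
    """Minimal key-management layer that enforces a written key-lifetime policy."""
    def __init__(self, lifetime_seconds, clock=time.time):
        self.lifetime, self.clock, self.keys = lifetime_seconds, clock, {}
        self.rotate()

    def rotate(self):
        for k in self.keys.values():          # old active key keeps decrypting, never encrypts again
            if k.state == "active":
                k.state = "retired"
        kid = os.urandom(4).hex()             # constructed key identifier (no '|' in hex)
        self.keys[kid] = ManagedKey(kid, os.urandom(32), self.clock(), self.lifetime)
        return kid

    def active_key(self):
        k = next(k for k in self.keys.values() if k.state == "active")
        if self.clock() - k.created > k.lifetime:   # policy: expired key -> rotate before use
            return self.keys[self.rotate()]
        return k

    def destroy(self, key_id):
        self.keys[key_id].state, self.keys[key_id].secret = "destroyed", b""

    @staticmethod
    def _keystream(secret, nonce, n):         # illustrative PRF stream; use AES-GCM in practice
        out = b""
        for ctr in range((n + 31) // 32):
            out += hmac.new(secret, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def encrypt(self, plaintext):
        k, nonce = self.active_key(), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(k.secret, nonce, len(plaintext))))
        return k.key_id.encode() + b"|" + nonce + ct     # envelope records which key protects the data

    def decrypt(self, blob):
        kid, rest = blob.split(b"|", 1)
        k = self.keys.get(kid.decode())
        if k is None or k.state == "destroyed":
            raise PermissionError("key %s unavailable: data is unrecoverable" % kid.decode())
        nonce, ct = rest[:16], rest[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(k.secret, nonce, len(ct))))
```

Passing a fake clock lets the lifetime policy be exercised without waiting, which is also how such logic should be unit-tested before the policy goes live.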
A further aspect of the strategy document was the emphasis on the use of emerging technologies. In talking with healthcare providers I have been surprised by how many have existing cloud services deployments or are considering some form of public or private cloud deployment. But I have also noticed some degree of naiveté when it comes to understanding best practices associated with IT security in cloud deployments. Several organizations said a key reason for adopting cloud services was to gain the leverage associated with the IT security teams in place at the cloud providers. I completely agree with this argument when it comes to physical and infrastructure security. However, the cloud service provider security teams have no understanding of the application or, for that matter, the business context. In this case, the healthcare provider still needs to own the information security issues associated with the application. From a threat perspective the application layer is where adversaries are focusing their resources, so it is worthwhile to concentrate security resources and protection mechanisms in this area.
I would emphasize that this is a rapidly evolving area with technical, business and legal challenges. In such an environment it is important to seek cooperation from other organizations and leverage the work of others. In this regard the Cloud Security Alliance as well as NIST have done important work in framing some of the most important issues and driving consensus around IT security topics. While many are asking for a standard for cloud security, given the diverse business requirements, I don’t think that is possible. But I do think that standard practices and procedures will emerge, as well as standard legal definitions. In the meantime I would encourage healthcare IT professionals to take advantage of the leverage that cloud services provide, but assess your risks and develop a plan to manage those risks appropriately.