CISO’s biggest fear: ‘what I don’t know’
April 29, 2014 in Medical Technology
Healthcare data security is a multifaceted, ever-shifting challenge – and all it takes is one missed cue for a costly breach to ensue, says Heather Roszkowski, chief information security officer of Fletcher Allen Healthcare.
[See also: Data breaches continue to climb]
“With technology changing as quick as it does, it’s a constant battle to keep up with it,” says Roszkowski, who joined the Burlington, Vt.-based health system following an 11-year career in the Army, where she specialized in information security.
“New viruses come out every day, and you have to be able to respond to them,” she says. Human factors are another constant challenge, whether its malicious hackers, nosy staff members or even just overworked clinicians who forget the proper protocols.
[See also: OCR: 'Pay attention to details']
No one can be truly omniscient. So these are the things that keep her up at night: “The things I don’t know.”?
After all, says Roszkowski, “The the things I know about are on my list and I have a plan to address them. The things that scare me are the things I don’t know. There’s a constant threat out there, from all different angles — whether it’s viruses or it’s hackers or it’s information theft, internally and externally.”
Since one mistake or missed signal could have the hospital’s name splashed all over the newspapers, with HHS Office for Civil Rights pursuing potential millions in settlement money soon thereafter, its critical to be in “pursuit of 100 percent,” says Roszkowski, who notes a level of urgency and criticality that’s comparable to data security in the military.
“I did information security in the Army: you don’t want people to know where the soldiers are on the battlefield,” she says. “It translates over to healthcare: We don’t want people to know about a patient unless they’re caring for that patient.”
But with so many threats, of so many different types, “You don’t know what you don’t know,” says Roszkowski.
That’s a fact made all the more salient by Fletcher Allen Health Care’s significant growth — in size and complexity — in just the past few years.
Fletcher Allen Partners was launched in 2011 to be the new parent organization of Fletcher Allen Health Care, together with Central Vermont Medical Center. Champlain Valley Physicians Hospital and Elizabethtown Community Hospital, just over the border in New York, are other new partners in this nascent ACO.
Moreover, Fletcher Allen has been instrumental in Vermont Information Technology Leaders, the Green Mountain State’s health information exchange.
“Five years ago, they were one hospital,” says Mac McMcMillan, CEO of information security firm CynergisTek, which works with Fletcher Allen to improve its technology and compliance. “Today they are part of an academic medical center. They have other hospitals they are supporting or working with. They are the ACO for the region, half of the HIE for the state.”
“It’s constant growth,” says Roszkowski. “CynergisTek has helped us know what we don’t know. That’s the first step in knowing where we want to go, what our priorities are, how we protect our network: Find out where are we falling short, where can we improve?”
One particularly valuable piece of technology that’s offered at least a measure of reassurance is Fletcher Allen’s use of data loss prevention software, which can monitor for potential breaches, detecting and, if need be, blocking sensitive data when it’s misused.
“Security is not an afterthought for Fletcher Allen,” says McMillan. “When they have started every major initiative, they have thought about security from the get-go. That, in and of itself, has probably saved them millions and made those projects go better. Because they’re not retrofitting anything.”
“It’s easier to implement security before you have a problem, than after,” says Roszkowski.