Newsmaker Interview: Mac McMillan

By Healthcare IT News
December 06, 2011
11:43 AM

Mac McMillan

President and CEO of CynergisTek

Chair of the HIMSS Privacy & Security Steering Committee

Former Chair of the HIMSS Information Systems Security Working Group

You've said that if any other industry had this many privacy and security breaches, "heads would be rolling." What is wrong with healthcare? Is the information landscape just too complicated? Or is it a matter of culture?
It definitely is not that it's too complicated. And I think a lot of people try to hide behind that. They say, 'We can't do it, because our industry is so unique.' Well, it's not any more unique than the financial industry or the energy sector, or things that go on in the federal government. It's just a matter of really figuring out how to do it, and settling the problem. Quite frankly, I think the problem is still that it's a cultural issue. Look at the number of breaches. Insider snooping is still rampant in healthcare. And that's a cultural issue. It's a cultural issue that says, ‘It's OK for me to be looking at things that I'm not supposed to be looking at.’ Which goes right to the core of how the industry views security and confidentiality. Providers do not see security as an imperative yet. That's not across the board, obviously. There are some folks out there who are actually getting it and trying to do a good job. And they're making the investment, and I think they're seeing the benefit of doing that now. They're realizing that there is a benefit to doing these things correctly. But that's not the majority.

You just took part in a webinar on HIPAA security risk analyses. What should organizations keep in mind when undertaking one?
One of the things they really need to focus on is really understanding and appreciating where their personal health information is – even more than before. HIPAA has always had a requirement for organizations to map where their personal health information is, and to build their programs around that and understand what the risks are to that data, whether it's at rest or in transit. But with the requirements being levied under the HITECH rules, it's getting more and more specific. And there's more and more emphasis being placed on really knowing where that data is, who's touching it, where it's being sent, the relevance or the appropriateness of where it's going, and where it's residing. And also whether or not they really, truly assessed the risk to that information properly – “reasonably,” is the term the government uses – and then took appropriate measures to protect it. More and more, they're looking at these breaches that are occurring. They're going to conduct 150 audits between now and next October, spread out among providers and payers and business – they now have to be ready to receive either an audit or an investigation, depending on the circumstances, and they can't just sit there and hide behind the face that they've done a cursory risk assessment.

What do you suspect most providers will discover after those analyses? Robust security, or flaws they need to fix?
I suspect almost all of them are going to still have areas that they need to address. That's been our experience all along. When I look back at the risk assessments that our company has conducted over the last year, I'm just absolutely amazed at the amount of remediation that a lot of organizations are still having to do. And part of it is because they just really have not invested in security yet. A classic example is that we still have hospitals out there that don't have a dedicated staff to the security function. They don't have all of their policies and procedures documented. Many of them have not invested in the technologies that are necessary for them to put those controls in place. We still have organizations that are wrestling with whether to encrypt e-mail! You would think that would be a no-brainer. But when you look at the requirements being talked about for MU Stage 2, they're recommending even more security requirements be baked in, because there are incentives and penalties tied to that. And that, quite frankly has gotten people's attention and gotten them to spend money on security.

What threats keep you up at night?
I think probably the top two are, first, insider abuse – individuals who have elevated privileges who can affect things, either inadvertently or deliberately, but who are not monitored. People like database administrators, who can bypass the audit capabilities of the application by going directly into the database itself and making changes. We have very little monitoring of what goes on there. That’s one of those 800-pound gorillas that no one wants to talk about. Now we're beginning to talk about controls around applications, certified EHRs that have the ability to audit, and yet all of the data that's associated with that sits in a database that a database administrator can go directly into, using their privileges and their level of access, and make changes that will never be seen. It's one of those back doors that haven’t gotten a lot of attention yet. The second biggest issue in my mind is an organization just really not knowing or having a good handle on where their data is, and where it's going. There's a lot of emphasis being put on the EHR because of meaningful use. Well, the EHR typically is one of a handful of systems in a hospital environment. There are many more systems that have personal health information in them. Sometimes I think we do a disservice by placing so much emphasis on EHRs and obfuscating the rest of the environment where there's still a lot of information that can be compromised and mishandled.

Ultimately, are you optimistic?
I am, actually. And I base that on a couple things. I lived through what I call the transformational process that occurred in the federal government back in the '80s. In the early '80s we didn't have really good information security programs or controls in the federal space. But we started that process, and began to build those requirements and began to require organizations to certify and accredit their systems. And we kind of went through the same transitional process. People said, ‘This stuff is getting in the way, it's slowing us down, why do we need all this security?’ But we did it anyway. And we worked through that. It took a while, but today it's second nature. Same thing with the banking industry. If you look at the industry in the ‘80s, it was the same thing. The larger banks that were more sophisticated were able to do it much faster. The mid-size and community banks were vey slow to adopt. It was very painful. But those requirements didn't go away and eventually the industry evolved and adopted them and today has very standard ways that they do IT security. It's an evolutionary process. We started this IT security evolution in healthcare in 2005, with the HIPAA security rule. So when you think about it, healthcare has only been doing this in an organized way since 2005. That was only six years ago. Back in 2005, nobody was talking about data leakage in healthcare. Nobody was talking about wireless or Web application security, or encrypting databases. Today they are. There's been a big change in the industry in a short time. But are we done? We're nowhere close to done. We still have a long way to go.

Interview by Mike Miliard

 

More regional news

Clinician in scrubs at a hospital computer

CommonSpirit partners up with U of U for clinical collaboration

By
Andrea Fox
November 22, 2024
Stethoscope on an iPad

HIMSSCast: Care provider or tool? When and why patients like AI

By
Andrea Fox
November 22, 2024

EHR tips on migrating an all-digital hospital to Epic

By
Bill Siwicki
November 22, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive

More Stories

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards