Interview with a Healthcare Security Expert: William "Buddy" Gillespie, HCISPP

In November we started a wonderful webinar series with industry leader William "Buddy" Gillespie, HCISPP and we introduced that series with a sit down interview. Yesterday, we concluded the series with a webinar titled "Healthcare 2020: Focus on the Future". While the webinar series may be over, our partnership with Buddy will continue and we would like to continue to showcase his knowledge through another sit down interview. Here's what Buddy had to say about the future of Healthcare IT.

What are the changes you have seen in the last six years?
William "Buddy" Gillespie: The last 6 years has been a fast-train for Health Information Technology and has resulted in a huge magnitude of change to the delivery of healthcare. The major force vector behind the high rate of change has been the HITECH Act. There is no doubt that this Act was the major catalyst to get hospitals to invest in the EMR and other related technologies. The number one change has been in the way patient care is delivered. Physicians, for the most part, no longer fight technology but embrace it. The question on the table, is will the changes sustain or will they fall back, we can only hope that Meaningful Use is “too big to fail”.

What about the sustainability of HITECH, Electronic Health Records, Meaningful Use, and the Triple Aim?
BG: In 2009, the HITECH Act was signed into law which established the goal to implement the Electronic Health Record across all healthcare providers and thereby establish a road to have every caregiver to utilize the EHR in a manner which constitutes a “meaningful use” of the patient data. Rules were established to define Meaningful Use and if the provider achieved the goal incentive payments would be paid to the providers. The Act was setup into three phases and each phase have its own criteria/rules to define the objectives for achievement. Ninety percent of providers have achieved the first two phases and over $20 billion dollars have been paid-out in incentives. The criteria for the final phase have been released and providers are gearing up. The ultimate goal of the HITECH Act and Meaningful Use is to meet the three pillars of the Triple Aim: Reduce the cost of healthcare, increase quality and improve the patient experience. The question now becomes how successful have the first two phases been in meeting the goals of the HITECH Act and the Triple Aim. Surveys to that regard have resulted in mixed reactions. While the overall feeling is positive some have responded that the Act has created additional burden on an already excessive patient load for physicians. There is no doubt that the Act has resulted in the expansion of the EHR to a level never before seen in healthcare. Today over 50 percent of physician practices and over 60 percent of hospitals have implemented a robust EHR. Phase Three will be the ultimate test of the success factors for the HITECH Act. That phase will build on the first two phases and take into account the pros and cons of the first two phases. In my opinion the real critical success factor will be sustainability. Once the dollar incentives are gone and the “awe gee” reaction has passed, will the current level of Meaningful Use survive? I think not unless healthsystems and providers continue to monitor, nurture and invest in the resources and technology to sustain Meaningful Use.

How can one be ready for the readiness for Phase 2 of the OCR and the HIPAA Audit Program? BG:The Office for Civil Rights (OCR) has announced that they are ready to start the second phase of the HIPAA/HITECH audit program. The scope of Phase 2 will be to audit 200 plus covered entities. The audit criteria will be benchmarked to the compliance of the HIPAA Privacy and Security Rules plus the requirements for Breach Notification. The Covered Entities Audits will be followed by audits of the Business Associates to include EMR vendors, Cloud Service Providers, and other BAs in the HIPAA Chain of Trust continuum. Although OCR has indicated that the first round of audits will be a review of policies and processes, additional on-site audits will be more comprehensive in nature and focus on a deep-dive of internal technology and other types of mitigating solutions in place to support risk prevention. So what is a good rule of thumb for preparing for the OCR audit? First of all make the assumption that you will be part of the 200 plus and prepare a plan sooner than later. The plan should be kept simple and kept to a few basic components:

• Review OCR’s audit protocol and be well versed on the HIPAA and HITECH regulations
• Review your documentation and insure you have the most recent HIPAA guidelines, policies, and procedures in place and the organization is well-educated relative to those documents
• Have a clear understanding on what OCR’s expectations/process is relative to providing your documentation to the auditors.
• Orchestrate a “mock” audit with all internal parties and simulate a real audit.
• Lastly, establish a communication chain within your organization to communicate events, timelines, tasks, status, etc.

What is the role of analytics and business intelligence with healthcare? Also, how is it affected by the “Big Data Storm”?
BG: We hear a lot about Big Data, Analytics and Business Intelligence and their role in healthcare. We are in the middle of a “Big Data Storm” which means some amount of turbulence as we sort through the best methods to survive the storm and harvest the best use of the data. I recall being asked twenty years ago by a physician to produce some clinical decision support reports. I had to reply “I am sorry, but we don’t have the data”. Today that response is no longer valid, we do have the data, lots of it, actually petabytes of data. So now it is all about turning that data into meaningful analytics/dashboards so that the C-Suite and physicians can make predictive decisions to forecast the financial status of the hospital or forecast and improve the outcomes of their patients. In order for the benefits of Analytics to be recognized it will take a large investment of resources and tools to extract, categorize, and build the meaningful dashboards. It can be done but it will require a top-down data governance and investment in technology to make it happen.

What is the importance of mobile device management? What are the safeguards to protect their devices?
BG: BYOD is on a sprawl across healthcare and becoming a standard for doing business. A recent survey by HIMSS indicates that 70 percent of clinicians use a mobile device to access patient data. Physicians say that mobile devices increase their efficiency and results in improved quality of care. However, the chance of a data breach increases with the BYOD scenario and can result in a HIPAA violation. So what is the best solution to mitigate the risk of a data breach? The industry is pointing toward the implementation of a Mobile Device Management solution (MDM). MDM can provide the following safeguards:

• The enforcement of device security by creating a standard across all types of devices
• Provide for a “lock-screen” if a device is lost or stolen
• The disablement of apps which may be corrupted and open to breach
• Remote monitoring to see the status of all devices and thus proactively sense an impending breach.

So you might ask, why do only 50 percent of hospitals have a MDM solution in place? Well it all gets back to budgets and the priority of investments. Where surveys indicate that security is a high priority, when the allocation of dollars are decided, the security investments fall toward the bottom. In contrast, the cost to a hospital for the remediation of a HIPAA breach instance can cost millions of dollars. The decision is whether to be proactive or reactive, we will see.

Finally, what keeps you up at night?
BG:Upon retirement as a healthcare CIO/CTO a few years ago, I realized how much better I felt after a good night’s sleep. After so many years of being the executive in charge of a large data center, miles of network connectivity, gigabytes of patient data and 200 IS professionals there was always something on my mind as I retired to a doubtful good night sleep. Although I sleep more soundly these days, I still recall the pain points that kept me tossing at night. The “internet of things” has exploded since my CIO/CTO tenure but the basic issues still exist although somewhat changed in terminology, structure and magnitude. Here are a few of the issues I recall that kept me up at night and still do if I am having a nightmare:

Privacy/Security and HIPAA Compliance

• After the HITECH Act of 2009 and the Omnibus Bill of 2013 the HIPAA bar raised relative to the Privacy and Security regulations. CIOs must now partner with the CISOs to understand what is required to comply with the expanded regulations. HIPAA is not one and done and continues to evolve. In years past if you had a good firewall in place you didn’t worry, but today the onslaught of Cyber Attacks has brought a new dimension of requirements and added layers of technology.

Budget controls

• After the billions were invested in technology after the HITECH Act was passed, healthcare organizations are slowing down on IT investments. At this point the investments are focused more on sustaining what was purchased and implemented in the last 6 years. CIOs are looking at the cloud and consultation to lower ongoing operational costs. What we build, we must sustain.

Talent Recruiting and Retention

• After the HITECH Act passed in 2009, ONC announced that there would be an increased need for 50,000 more healthcare IT professionals. I am not sure that number was reached, but if you look at the job postings for the large healthsystems you will find a large number of IT vacancies. Talented and experienced IT professional are in high demand and that void will continue into the next decade.

Shifting business needs and Innovation

• CIOs are expected to not just be a technology expert but an innovator as well. To be able to understand the changing landscape of healthcare and how to couple the technology and business together for better outcomes. The C-Suite is constantly taking up more of the CIOs time resulting on less focus toward the basics of running a solid IS department.

Disaster recovery/business continuity

• The paperless patient record has brought about the necessity for business continuity planning. At the heart of that is a viable Disaster Recovery plan. A recent survey shows that 50 percent of hospitals with an EMR have no DR plan. Given the bad experience with Katrina and the Sandy Storm you would think that would be a lesson learned. The number one priority for CIOs is to keep the lights on in the data center. DR is more than just backing data up to tapes!