12/18/2013 03:05 PM

How WellCare Manages Health IT Risks, Security

WellCare execs describe how a healthy tension between IT and security groups helps them to contain risks.

WellCare CIO Mark Lantzy and Ted Webster, senior director of information security, are at odds sometimes -- but that's by design.

The two from WellCare Health Plans Inc., a major provider of Medicare and Medicaid services, spoke about managing risk and keeping healthcare systems secure in a webcast hosted by eHealth Initiative, a nonprofit industry group, earlier this week.

Lantzy and Webster said one of the important aspects of their relationship is a healthy tension between creating IT capabilities and containing the risks posed by new systems. Webster explained he doesn't report to Lantzy but to another vice president, maintaining an appropriate "design friction" between the security and IT groups about how to handle issues like identity management and data loss prevention.

For the security group, one of the things that means is "we have to show value to the organization, not just FUD," Webster said, alluding to the "fear, uncertainty, and doubt" often used to sell security efforts.

Meanwhile, the two groups work together to determine "the right balance of the risk that we're managing and the dollars that we can spend against it," Lantzy said. They also ask a lot of questions about the practicality of security measures, he said. "Is what we're doing aligned with the current strategic plan? Is it operationally effective? Are the procedures in place repeatable?"

Consultant Nalneesh Gaur, representing event sponsor PwC, opened the session with a recitation of the scary statistics: 94% of hospitals have had some sort of breach in the past two years, with 2.7 million patients impacted by improper access to their records. At the same time, the healthcare industry is just beginning to respond to government and consumer demands for patient access to their own data. "While information is available to adversaries, the patient who needs it cannot access it, so there's some irony in that," he said.

Lantzy and Webster agreed security cannot be the only imperative. Even as regulations pile on demand for additional controls, "we're looking for the degree of those controls to be rightsized -- so we have both control and flow of information across the organization," said Lantzy.

The three priorities must be confidentiality, integrity, and availability, "where integrity and availability are equally important," Webster said. "We're working very hard to maintain that balance."

In general, as risks are identified, the choices are to implement additional controls, transfer the risk, or accept that the risk is unavoidable or acceptable, said Webster. That's a decision made in collaboration with business unit managers and the chief compliance officer. Another question worth asking, he said: "Is this a process we need to keep executing, or can we get away from it?"

One of the most important elements of managing security risks is being thorough and methodical. In addition to worrying about personal health information covered by HIPAA, they pay attention to other sensitive data such as credit card records covered by the PCI standards.

Proper risk management requires looking at processes as much as systems, Lantzy said. "Information security is about more than just what IT systems do with the information." Training people to do the right thing with the information they have access to is equally important: "You have to be asking, is that culture built into the DNA of every individual?"

WellCare also recognizes the reality that not all of the systems that sensitive data could flow through are directly managed by IT. In addition to software-as-a-service applications procured by business groups, there may be power users with the knowledge to code their own applications -- and make their own mistakes.

"We decided a number of years ago to be an organization that supports business-managed applications," Lantzy said. "Otherwise, we were less likely to find out about them."

In return for having their applications recognized by IT, rather than treated as unsanctioned and prohibited, the business owners of these systems are required to record them in an application registry, providing Webster's team with an opportunity to do a security impact analysis on them. If risks are uncovered, and the departmental owners are unwilling to undertake the risk remediation steps the security team advises, one of their options is to transfer that risk -- and control over the application -- to IT, "the part of the organization that is used to managing those risks," Webster said.

David F. Carr is the Editor of Information Healthcare and a contributor on social business, as well as the author of Social Collaboration For Dummies. Follow him on Twitter @davidfcarr or Google+.