How WellCare Manages Health IT Risks, Security

WellCare CIO Mark Lantzy and Ted Webster, senior director of information security, are at odds sometimes -- but that's by design.

The two from WellCare Health Plans Inc., a major provider of Medicare and Medicaid services, spoke about managing risk and keeping healthcare systems secure in a webcast hosted by eHealth Initiative, a nonprofit industry group, earlier this week.

Lantzy and Webster said one of the important aspects of their relationship is a healthy tension between creating IT capabilities and containing the risks posed by new systems. Webster explained he doesn't report to Lantzy but to another vice president, maintaining an appropriate "design friction" between the security and IT groups about how to handle issues like identity management and data loss prevention.

[ How secure are EHRs? Read Hacking Electronic Health Records.]

For the security group, one of the things that means is "we have to show value to the organization, not just FUD," Webster said, alluding to the "fear, uncertainty, and doubt" often used to sell security efforts.

Meanwhile, the two groups work together to determine "the right balance of the risk that we're managing and the dollars that we can spend against it," Lantzy said. They also ask a lot of questions about the practicality of security measures, he said. "Is what we're doing aligned with the current strategic plan? Is it operationally effective? Are the procedures in place repeatable?"

Consultant Nalneesh Gaur, representing event sponsor PwC, opened the session with a recitation of the scary statistics: 94% of hospitals have had some sort of breach in the past two years, with 2.7 million patients impacted by improper access to their records. At the same time, the healthcare industry is just beginning to respond to government and consumer demands for patient access to their own data. "While information is available to adversaries, the patient who needs it cannot access it, so there's some irony in that," he said.

Lantzy and Webster agreed security cannot be the only imperative. Even as regulations pile on demand for additional controls, "we're looking for the degree of those controls to be rightsized -- so we have both control and flow of information across the organization," said Lantzy.

The three priorities must be confidentiality, integrity, and availability, "where integrity and availability are equally important," Webster said. "We're working very hard to maintain that balance."

In general, as risks are identified, the choices are to implement additional controls, transfer the risk, or accept that the risk is unavoidable or acceptable, said Webster. That's a decision made in collaboration with business unit managers and the chief compliance officer. Another question worth asking, he said: "Is this a process we need to keep executing, or can we get away from it?"

One of the most important elements of managing security risks is being thorough and methodical. In addition to worrying about personal health information covered by HIPAA, they pay attention to other sensitive data such as credit card records covered by the PCI standards.

Proper risk management requires looking at processes as much as systems, Lantzy said. "Information security is about more than just what IT systems do with the information." Training people to do the right thing with the information they have access to is equally important: "You have to be asking, is that culture built into the DNA of every individual?"

WellCare also recognizes the reality that not all of the systems that sensitive data could flow through are directly managed by IT. In addition to software-as-a-service applications procured by business groups, there may be power users with the knowledge to code their own applications -- and make their own mistakes.

"We decided a number of years ago to be an organization that supports business-managed applications," Lantzy said. "Otherwise, we were less likely to find out about them."

In return for having their applications recognized by IT, rather than treated as unsanctioned and prohibited, the business owners of these systems are required to record them in an application registry, providing Webster's team with an opportunity to do a security impact analysis on them. If risks are uncovered, and the departmental owners are unwilling to undertake the risk remediation steps the security team advises, one of their options is to transfer that risk -- and control over the application -- to IT, "the part of the organization that is used to managing those risks," Webster said.

David F. Carr is the Editor of Information Healthcare and a contributor on social business, as well as the author of Social Collaboration For Dummies. Follow him on Twitter @davidfcarr or Google+.

Healthcare providers must look beyond Meaningful Use regulations and start asking: Is my site as useful as Amazon? Also in the Patient Engagement issue of InformationWeek Healthcare: IT executives need to stay well informed about the strengths and limitations of comparative effectiveness research. (Free registration required.)