Electronic Healthcare Records: The Impact on Your Organization
But how does this transition impact privacy and compliance within an organization? What are the ramifications for IT and security departments?
Kim Singletary, Solutions Marketing for McAfee, discusses:
Singletary was Director of Compliance Solutions for Solidcore prior to the McAfee acquisition. She has 15 years of Product Management and Marketing roles with companies specializing in outsourced IT services for critical infrastructure, spanning traditional datacenter services, MSSP and SaaS. Her expertise has been in developing and growing security, compliance and managed services for the Fortune 500, which included roles at SAVVIS Communications, Frontier Communications and Global Crossing.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're talking today about electronic healthcare records and their impact upon security and technology organizations, and we're talking with Kim Singletary, Solutions Marketing at McAfee. Kim, thanks so much for joining me.
KIM SINGLETARY: Thank you.
FIELD: Just to get us started and give us a little bit of context, why don't you tell us a bit about yourself and your role with McAfee.
SINGLETARY: Okay, my name is Kim Singletary. I'm the Solutions Marketing for McAfee, and my background has actually been in several product management and product-marketing roles within managed services, security, data centers and financial services. So, I've kind of come from an IT operations background to the McAfee program now, and I'm very interested in our conversation today.
FIELD: Well Kim, everybody is talking about healthcare now, and it seems that there are some unique market forces coming together to underscore the need for electronic healthcare records.
SINGLETARY: Absolutely. I think the electronic healthcare records [movement] is quite intriguing, because as, you know, people will have [their] own healthcare record, [their] own medical history out there. The moving of that from the paper framework, where you see these rows and rows of file folders in your doctor's office, to an electronic format, is really going to change the industry quite immensely. I don't think there are market forces, but there's definitely a force happening, and that force is really the government through the American Recovery Act putting money behind it, saying this is a good thing for the United States.
This is a good thing for the healthcare and welfare of the people of the United States ... It's really about being able to get more reliable information, a broader footprint of information that the anonymized versions of these records hold to help collaborate on group healthcare planning and long-term healthcare situations, and I think it's the right thing to do. I think it's one of the industries that's kind of been behind, because the work-flow process has just been around for so long, and it's really kind of hard to change old habits.
FIELD: Intellectually Kim, I think we all understand that there is an impact on privacy and compliance, but give us a sense of how this transition to electronic healthcare records really does impact those areas.
SINGLETARY: Well, I think absolutely, every time you deal with sensitive information -- and in this case, the healthcare records and the personal information of people -- you have a higher and heightened level of privacy and compliance needs that follow with that. But I think we've shown that through several other avenues and several other industries, that moving to electronic format is different, yes, but there are definitely some emerging, newer technologies that can absolutely help in ensuring that the integrity of not only the records themselves, but of the systems that process these records ... So, yes, as the transition and impact of privacy and compliance increases, what you will need to do is actually mature your IT levels, so that you have a very strong framework to support the processes that you now need to have.
It will become mission critical to understand that you will have more auditing, and the better you prepare behind the scenes to understand that and model your systems to that -- not only your processes, your people, but also the IT infrastructure, looking at the new technologies available today to help improve upon that, have better change control, adopt new ways in defenses against outside, basically unintended, access to these records too -- that is another step to kind of keep looking for and advance the industry.
FIELD: Well, Kim, that's exactly where I wanted to go, to talk about IT departments. What are the ramifications for IT departments in how they're used to operating versus how they need to operate now?
SINGLETARY: Well, I think it's specific to the healthcare. I think the IT departments definitely get the sense of mission criticality. I mean, they're running in hospitals where people expect these systems to be up 24 by 7 for critical-care triage. They get that, and they think the electronic healthcare records just will put an additional burden on a probably pretty fragile and small, limited area in the industry. I don't see hospitals adding new staff any time soon, so it's basically another burden of another project, another long-term management of electronic healthcare records. So, I think the key for IT departments is they get the security aspect of it; they deal with it day in and day out.
They get the availability aspect to it, but I think the key here is to try to make things more efficient, to make sure that you have and you adopt kind of a higher level framework, so that you can measure and continue to improve that, so you can get the efficiencies where this is just so easy to manage and just continue with that process. Because electronic healthcare records, if you look at it, is not just a project; there's an ongoing, long-term scenario here that [IT has] to adopt and manage and maintain.
The more tools they have to help them stay compliant, to stay within track of what they need to do and to stop anything that they don't want to have happen, the better they can be managing this and less fire-fighting, less reactive, less 'Oh my God, I've got a triage.' It's just like the emergency room with triage incoming from a catastrophe that would happen. You don't want that in an IT department. You want very stable, sound, repeatable and supportable processes and technology to help them with that.
FIELD: Boy, there's an operative word that you used there, which was "ongoing." What do you find are the keys to delivering ongoing electronic healthcare systems?
SINGLETARY: Well, I think, the ongoing process is really the one word. You basically make the decision to take whatever electronic healthcare record system application framework that you're going to use. You have a very high-level ramp-up implementing that, making sure people adopt it, move forward. But the ongoing part is really the maintenance and support, and that's a real costly model out there.
I know that there are a lot of initiatives to move people to use these, and they're really focusing on the initial project right now, which is 'What application should I use? How do I get it implemented?' But they may be falling down and looking at the long-term support and maintenance of it, and the systems themselves -- you're putting additional burden on an IT department that's most likely not growing exponentially, and with that you move along, and the ongoing aspect is 'How many more things do they need to address?'
So, if they can look at the framework and take things off the table and make things more efficient, that's going to make the ongoing process easier. It's also going to make the people who are doing the IT work here focused on better management of this -- better tools instead of the day-to-day IT doldrums ... I mean, you have to have a level of security, but you don't want to be just bogged down with it. So, having again the framework that you're going to do all your IT process in, whether it's COBIT or COSO or whatever you decide in your organization, but then making sure you have the tools to help you manage to that and making sure that you have the ability to go from 'Here's my strict change control system, here's how I'm going to push the change, here's how I'm going to manage the change ...' to proactively alerting that something may be happening versus looking at logs down the road.
So again, very much like kind of diagnostics. If you go to the doctor soon, when you have a symptom, most likely you're going to be able to treat it earlier than if you let it continue to grow and fester -- then it's going to be something serious you're going to have to deal with in the long run.
FIELD: Kim, McAfee has got some experience in this field, what are some lessons learned that we can draw from some of your customers that have gone through this?
SINGLETARY: One of our customers is Northwest Memorial Hospital. They had the standing of being able to say that they've been for the last nine years one of the most wired hospitals in the United States. They are attached to a learning facility. They're constantly looking to improve and make their systems and processes more effective and efficient as they go through from an IT perspective. And again, I think the lesson learned is really to look at this and continue to make sure you have the right data, that you understand what's happening in your environment, and you have the controls in your environment, the change control, the application control, the other control, the access and the network availability, and you have the ability to gather the information of how these tools are interacting with your environment, and what things are causing these informations on a proactive basis.
Having a dashboard that will tell you this, and also open it up, make sure that you know the other departments within the IT organization, but also within the healthcare itself, are aware that you have these change windows happening, you have this electronic record SLA, and this is how you're tracking to it. Because again, the more you're transparent to this process and you open it up and show that, 'Yeah, we're doing some really good work here, and there's always room for improvement, and here's where we're going to improve, and here's how we're measuring improvements ...' I think that's exactly what the intent is.
The new mantra of the American Recovery Act -- there's actually a website now that shows the transparency of where this money is being spent as part of this Recovery Act. The $20,000,000 being spent to move the electronic healthcare records into hospitals is part of that act, [and it] is also part of our process. I think as a lot of the IT staff start adopting that idea of being more transparent, but having stricter controls on change within their own organizations, they will actually help better their SLA measures and help better performance and improve the overall value that they bring. [They can] align themselves to the businesses, so that the hospitals out there can actually adopt this and can get to the point where they have measurable healthcare record information ... so we can all move the industry forward where we need to be.
FIELD: Great example. Kim, I've got just one last question for you. If you could boil it all down, what final piece of advice would you offer to an organization that's trying now to get its hands around the challenges of electronic healthcare records?
SINGLETARY: Something that I said before is to look at the ongoing maintenance and support. Once you get something up and in place to do the initial project, it is a phased approach. I don't think anybody out the door is going to be able to get to the end line right away without having a couple of hits and misses and recalculations as they move this and tweak it and improve it. So again, put the framework to look at this as a process. This is a life cycle of the electronic healthcare records. Just as you go from the neo-natal all the way through to your pediatrician to an adult and all the way through geriatric medicine, it is a life cycle, and you have to look at the electronic healthcare as a life cycle.
How you structure IT to help with that is to really understand that life cycle, be attuned to all of the changes that need to happen to the systems and where the changes are most effective, measure how that change was made and how the information to understand and control changes. The key thing here is to make sure you can put a foundation in place to stop unauthorized changes, to block unnecessary access to these records, and there's this suite of tools that McAfee and others offer out there that really give these granules of control that they may not be looking at right now, that they may not be aware of.
I definitely would say go out and look at how this will have to change in terms of your heightened compliance, heightened auditing. Do you have the ability to automate compliance today with some of the things you have to report on, whether it's HIPAA or SOX ... And to really go out and investigate and see what's out there to help you with automating that compliance and getting much stricter change control and making sure that you can block anything unauthorized. That would really help the top level of the electronic healthcare record in both the consumer aspect, that they feel comfortable that you've done the right thing, that their privacy is secure and their data is secure through your organization.
FIELD: Very good, Kim. Thank you so much for your time and your insight today.
SINGLETARY: Thank you.
FIELD: The topic has been electronic healthcare records. We've been talking with Kim Singletary with McAfee. For Information Security Media Group, I'm Tom Field. Thank you very much.