As CIO for Boston's Beth Israel Deaconess Medical Center, Harvard Medical School and other CareGroup Health System affiliates, John D. Halamka has seen it all.
There was the lab technician who accessed the medical file of a pregnant movie star and sold the details to the National Enquirer. There was the employee who placed a fictitious biography of himself on the hospital Web site as part of a self-promotion scheme. And there were the two doctors in the midst of a bitter divorce, where one accessed the list of psychiatric medication the other was taking. Faced with being fired under the public glare, the doctor chose to leave. The others got their pink slips and press coverage.
Yesterday, Halamka told attendees at the HealthSec 2004 Conference and Expo in Boston that the prospect of "public execution" is the best defense against those who would violate hospital security policies, no matter how illustrious their job titles. He said it's also critical to have a rigorous audit trail; train medical students on HIPAA and privacy policy before letting them do ward rotations; and require strict password use and rigorous network patching.
"The audit process is only meaningful if there are consequences for violations," Halamka said. But, he acknowledged, the public execution policy isn't always simple.
"It's very hard to predict which doctor needs access to which patients," Halamka said. "And we've found that with automated auditing, the place between normal and abnormal activity is gray. Our approach is that every doctor has access to every patient, every employee has access to their own audit trail and every patient has access to their own audit trail."
Although doctors have access to all patient records, they have to give a clear reason for wanting to access certain files, Halamka said. Furthermore, 9 million patients have access to a portal where they can view their medical records and see an audit trail that shows how many people have accessed their records. "Patients can see which doctor or technician has accessed their file and for what reason," he said.
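The access model Halamka describes (no hard denial for clinicians, but a mandatory stated reason on every chart access, and an append-only audit trail that both the patient and the employee can read back) can be sketched in code. The following is an added illustration, not code from Halamka's talk or from CareGroup's systems; the class and method names, the sample patient identifiers, the actor identifiers and the reason strings are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One record of someone opening a patient's chart."""
    when: datetime
    actor_id: str      # employee who opened the chart
    patient_id: str
    reason: str        # mandatory justification, later shown to the patient


class ChartAccessLog:
    """Every clinician may open every chart, but only with a stated reason,
    and every access leaves a permanent record.

    Names here (ChartAccessLog, open_chart, patient_trail, ...) are
    hypothetical; they model the policy from the talk, not a real system.
    """

    def __init__(self, records: Dict[str, str],
                 clock: Optional[Callable[[], datetime]] = None):
        self._records = records
        self._audit: List[AuditEntry] = []
        # Injectable clock so the example is deterministic and testable.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def open_chart(self, actor_id: str, patient_id: str, reason: str) -> str:
        """Return the chart, recording who asked and why.

        Access is not denied on role; it is refused only when no reason is
        given, because an unexplained access is what the audit cannot judge.
        """
        if patient_id not in self._records:
            raise KeyError(f"unknown patient {patient_id!r}")
        if not reason or not reason.strip():
            raise ValueError("a reason for access is required")
        entry = AuditEntry(self._clock(), actor_id, patient_id, reason.strip())
        self._audit.append(entry)  # append-only: nothing ever removes an entry
        return self._records[patient_id]

    def patient_trail(self, patient_id: str) -> List[AuditEntry]:
        """What the patient portal shows: who looked, when, and for what reason."""
        return [e for e in self._audit if e.patient_id == patient_id]

    def employee_trail(self, actor_id: str) -> List[AuditEntry]:
        """An employee's view of their own chart accesses."""
        return [e for e in self._audit if e.actor_id == actor_id]

    def access_counts(self) -> Dict[str, int]:
        """Accesses per chart: a first input to the human review of the
        'gray' zone between normal and abnormal activity."""
        counts: Dict[str, int] = {}
        for e in self._audit:
            counts[e.patient_id] = counts.get(e.patient_id, 0) + 1
        return counts


def demo() -> ChartAccessLog:
    """Build a log from constructed sample data (placeholder ids, not real people)."""
    records = {"P-100": "[chart for P-100]", "P-200": "[chart for P-200]"}
    fixed_time = datetime(2004, 6, 1, 9, 0, tzinfo=timezone.utc)
    log = ChartAccessLog(records, clock=lambda: fixed_time)
    log.open_chart("dr-a", "P-100", "attending physician, morning rounds")
    log.open_chart("tech-b", "P-100", "processing lab results")
    log.open_chart("dr-a", "P-200", "consult requested by primary team")
    return log


if __name__ == "__main__":
    log = demo()
    for e in log.patient_trail("P-100"):
        print(f"{e.when.isoformat()} {e.actor_id} opened P-100: {e.reason}")
```

The point of the design is the one Halamka makes: the control is accountability rather than denial. The reason string is captured at the moment of access, so the patient-facing trail can answer "who, when and why" without anyone reconstructing intent after the fact, and the employee-facing trail lets staff see exactly what will be held against them.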
The rules also apply to the Web sites employees visit. "We don't purposefully go in and watch every Web site [they're] surfing," Halamka said. "At one point we tried to block dirty sites and got complaints from someone that it was impeding legitimate research. What we have now is, if someone visits 'Nakedgirls.com,' they have to say who they are, note that they're viewing it and explain why. Now no one makes that complaint."
In the end, Halamka believes institutions need much more than the threat of public firings to stay secure and comply with laws like HIPAA. "Security involves everyone in the enterprise," he said. "Security also requires a plan, a budget and a dedicated staff."
When one conference attendee asked how hospitals and other institutions can publicly fire an employee without getting sued, Halamka replied, "HR [human resources] is your friend. Work closely with them and document behavior. You also have [the employee's] signature acknowledging accountability."
Also in the audience was Bob Martin, principal engineer for Bedford, Mass.-based Mitre Corp. He said one problem enterprises have in maintaining security is the wall that often exists between IT managers and most employees. Since Halamka is also a doctor, Martin believes his policies may be more readily accepted in a medical institution.
"As a doctor overseeing information security for a medical institution, he's in a unique position," Martin said. "I wonder if, because he's a doctor, his peers are more receptive to his argument. It's hard to bridge the gap between IT and the people in the trenches. That's where I think he succeeds."