CISO at 73-Hospital System Sets GoalsCatholic Health Initiatives' New Security Plan
The 73-hospital system, one of the nation's largest, has completed a three-year security plan and revamped its security organizational structure as it prepares to spend $1.3 billion over five years to implement EHRs and related technologies. (See: Hiring of CISO Signals New Era).
In her newly created position, Rose has taken over information security responsibilities, which had been handled by a chief technology officer. She is hiring several regional information security officers that will help groups of hospitals to implement new policies.
The CISO has formed a new department called Enterprise Information Technology, Security, Risk and Compliance.
In an interview (transcript below), Rose:
- Describes the organization's top security projects, which are "focused around enterprisewide security controls -- things such as mobile computing, identity and access management, encryption and business resilience."
- Points out that all 73 hospitals eventually will apply for the HITECH Act electronic health record incentive payments. "We are absolutely developing our security strategies to align with the implementation of EHRs," she stresses.
- Describes a new security steering committee, which comprises executives who will review security issues and make key decisions.
Rose, who has specialized in security, compliance and risk management for about 20 years, joined Englewood, Colo.-based Catholic Health Initiatives in October 2010. She formerly served as vice president of global security operations and disaster recovery for Atlanta-based First Data Corp., where she led a team of about 80 security professionals.
HOWARD ANDERSON: Can you tell us a bit about the size and scope of Catholic Health Initiatives?
SHERYL ROSE: CHI includes 73 hospitals in 19 states. Its annual operating revenue sits at about $9 billion. We are the third largest faith-based hospital system in the country, and we have about 100 facilities, including long-term care, assisted living and residential communities. One of the largest challenges that I saw coming in is implementing an enterprisewide security program across such a broad and diverse organization.
ANDERSON: So why did you decide to take on this newly created position?
ROSE: Well first and foremost -- what a tremendous opportunity. I don't think we get a lot of opportunities in our careers to build something from the ground up. Not to say work wasn't going on in the security space within CHI, but to be able to consolidate it and focus the security strategies at an enterprise level is exciting. There are a lot of initiatives going on within the healthcare industry, as you know, and CHI takes security very seriously. So there is a significant amount of support for the function, and it gave me a great opportunity personally to move into the healthcare space and bring some of my financial services, security and risk experience into healthcare.
... It's challenging working in such a huge system spread out across the country. And along with that, of course, come complications with ensuring patient care and security live together. For example, doctors who bring in iPads or Droids complicate the security landscape. We need to ensure we have the appropriate security processes implemented. All those kinds of issues make it an exciting position to take on.
Revamped Security Approach
ANDERSON: Please describe how the organization is revamping its security operations and how you'll work with executives in the various regions to standardize the approach to security.
ROSE: We've been very, very busy over the past few months. We've focused on finalizing our three-year security plan. We've reorganized and centralized the department; one of the main reasons for that is I wanted folks to focus on functional areas that can go deep into their areas of security expertise.
Another thing we did was we renamed the organization. A lot comes with a name. We've titled ourselves Enterprise Information Technology, Security, Risk and Compliance. Yes that's quite a lengthy name, but each word in there is extremely critical to us and we feel it's very important. So, for example we wanted to make sure the word "enterprise" was in there because we'll be pushing out security policies, standards, technologies, etc., that are adopted across the organization. Then "risk" and "compliance" was important to have in the name. These words show that we are much more than maybe a stereotypical IT security group. I don't want people thinking that we're sitting there generating user IDs all day. Of course that is a critical core function of ours, but there is much more that we are here to do -- focusing on IT risk management and compliance on a regulatory perspective.
We've started socializing the importance of our role and its integration with several other groups within CHI. ... To support enterprise policies and procedures, we are creating what I consider a strong mechanism in our regions via regional information security officers. We're currently hiring several folks into these newly approved roles, and these individuals will be supporting the business needs within the various markets, enforcing enterprise processes and standardizing delivery of security. They'll also have the ability to drive enterprise security initiatives. So we're seeking to hire some pretty strong security individuals with a variety of skill sets.
Then I would mention finally that another thing at more of a high level perspective that we have done is we have developed a security steering committee. We convened a select group of executives across the system to address security issues and make key decisions. Not only does that ensure the right level of awareness of security; it assists in ensuring we have timely decisions around those initiatives and any gaps we may run across.
ANDERSON: Will those regional security officers then each serve a group of hospitals in a market then?
ROSE: Yes. We are placing them regionally where it makes sense based on some other initiatives going on, but they will be supporting all the hospitals and care units within the regions.
ANDERSON: Will all your 73 hospitals eventually have a chief information security officer on site?
ROSE: No. One of the things that we wanted to do is make sure that those regional information security officers were very localized within the region but still reported up to our enterprise security group for overall direction.
Security Project Priorities
ANDERSON: I understand the organization plans to spend about $100 million dollars on security this year. Is that a big increase from previous years, and what are your top priority projects and why?
ROSE: Our security fund is definitely increasing within the coming months. We have several priority projects that we've identified as part of our security strategy that are well under way and receiving funding right now. Many of those large initiatives will be spanning over the next couple of years.
Top priority projects are absolutely focused around enterprisewide security controls, things such as mobile computing, identity and access management, encryption and business resilience. We're focused on working closely with our clinical staff to ensure that we implement our strong security processes, but we are also balancing patient care and the concerns that they have as we implement those initiatives. ... As part of our staff realignment that we went through a couple of months ago, we have now integrated what we're calling a business resilience team into our security organization. It's a great add as there are many cross-functions between business resilience and security. ...
ANDERSON: Can you describe a little more what you mean by business resilience?
ROSE: That's our new terminology for that team, and it encompasses disaster recovery, business continuity, workforce preparedness -- all the functions to make sure that business stays up and running in the event of an issue.
HITECH EHR Incentives
ANDERSON: Do you anticipate that all of the 73 hospitals in your organization will apply for HITECH Act electronic health record incentive payments? What is the status of the EHR roll-out at your hospitals now? And how will the implementation of EHR affect your security strategies?
ROSE: We will be registering for all 73 hospitals to qualify for the stimulus reimbursement. We don't anticipate, however, that we will qualify for the maximum incentive payouts as we'll be in different stages of implementation over the incentive period. The current status of the EHR rollout is that we have selected MEDITECH and Cerner as our two standards. We've begun the clinical standardization work and will start building the systems starting in February. That will run through the next 12 to 14 months.
We'll start bringing our first wave of hospitals live around the second quarter of 2012, and our implementation timeline runs through 2015 for all of our facilities. The nice thing about developing the security program is that we are absolutely developing our security strategies to align with the implementation of EHRs.
Other Security Goals
ANDERSON: Finally, what are some of the other goals you have for the year ahead and beyond in your new role as chief information security officer?
ROSE: I want to partner with the executives within the various regions. Instilling security processes in day-to-day activities can, at times, be challenging. But working with the regions to make them aware of the need and the reasons behind it will help lend support. The more folks have an understanding around our initiatives and why we are doing them, the more successful and seamless the program will be.