How Intermountain Healthcare does privacy & security

Intermountain Healthcare has 71 mobile or telehealth projects in-flight right now. The roster includes a smartwatch, a gyrometer, as well as popular social networking apps, including Facebook, Twitter and Yammer. 

And it's Karl West's job to protect those, and more. As Intermountain's chief information security officer, West is in a state of proactive acceptance, rather than denial, about the proliferation and promise of mobile technologies. 

"If we're going to embrace this mobile world," West said, "the way to do it is to find ways to enable, monitor, audit, control, and put protections around the health data that is so vital."

West is slated to deliver the opening keynote ("Enabling Mobile Healthcare: Privacy & Security in an Era of Accelerating Change")

at the day-long mobile Privacy & Security Symposium on Dec. 7 in Washington D.C within the mHealth Summit. 

He is one of more than 20 privacy and security experts from leading healthcare, academic, and government organizations who speak at the symposium. Speakers will share best practices, case studies, and advice to help providers address BYOD, malware, medical device security, and other prominent mobile privacy and security challenges and threats.

mHealth News Executive Editor Tom Sullivan spoke with West about some of Intermountain's bleeding-edge mobile projects and technologies that he is eyeing for the near future, and the health system's comprehensive architecture for keeping all that information private and secure. 

Q: Are you already or how do you envision taking advantage of the emerging crop of mobile health apps? 
A: We have about 200 medical informaticists, pure researchers that look at and come up with new ways to deliver care and to challenge the medical technology and processes of the past. In addition, we have created the Healthcare Transformation Lab where we bring in technologies and try to fit them into our environment. We give patients a gyrometer similar to the Fitbit. As a patient comes out of the OR, the quicker you can get them up and moving the faster that patient will be able to return to a normal, healthy life. What occurs with most patients, though, is the post-operative recovery cycle can take days and that translates into healthcare costs and we have found that patients have a higher instance of return to acute care if they go home and don't have a proper motion activity. 

Within 30 days of leaving our system we don't see them back, and we also see that they go home 1-2 days sooner than average patients within the system so we're using those devices right now and having good success with them. 

Q: In addition to the gyrometer, are there other devices you've already deployed? 
A: One of the huge things in the industry right now is infection control — specifically surrounding Ebola it's been a huge issue.  Sepsis has been a big issue for years. We put together a study a few years ago and determined that if we could reduce sepsis and increase infection control we could have a more healthy hospital system. One of the most fundamental things you can do to reduce the spread of infection is wash your hands frequently. So we developed a watch for our caregivers, nurses and doctors. The watch detects motion and it knows when a wearer goes from room to room. As soon as I leave a room, I need to be aware that I should be washing my hands. So the watch has a color-based alarm that goes off as I change rooms. Now the watch instead of being green is red, and based on a period of time, we also change that to a yellow to give clinicians the indication that they should be washing their hands for sepsis control. We've tried many things over the years: policies and procedures, putting signs on the walls. This mobile device sends information that managers can see. It has had a great impact in our hospital. We've tracked a reduction in infection. 

Q: And it sounds like you are ahead of the smartwatch curve.
A: We have devices like that but we are also looking at what Apple is doing, what Google is doing, because we think we can use those devices, maybe the health tracker Apple is making. We're not looking to create everything ourselves but, rather, to use technologies that exist and expand them where we see a great health benefit that might become available. An example of that is the glucose monitors. We stream that data from a device to a physician, and then the physician can send back a short text or a Tweet to say "Hey, I didn't see your data for 3 days. How are you doing? We're interested in your life." And so by embracing the mobile environment, we think we can use things like Twitter and Yammer and Facebook and other technologies and devices that can be enabled to help our patients live the healthiest lives possible. 

Q: When you start talking about mobile devices and social networks there are, of course, security risks. Lost or stolen devices, tablets or smartphones is perhaps the most obvious. How do you manage those as well as the lesser-known risks?
A: This is what keeps me awake every night and the thing we have to be aware of as we embrace this technology is that we need to be enablers and not build walls and barriers or say, "We cannot do this because it's not necessary or it will lead to breaches." 

What we have to do is figure out how it will transform care, how it will help us help patients live healthy lives — so how can we do it in the most responsible way? Secondly, then, what we do at Intermountain is prior to the launch of any product or project is to have security architects involved in every procurement, every development to determine how we do it securely. How do I encrypt this device? Right up front, what's the password technology that's appropriate and secure if the heart monitors of today are all set to a password of 0000? We need to put password controls around these devices, then to audit and monitor that they're effectively in place. After we have those fundamental controls in place then we have to look at specific technologies and associated with a device because some have audit, monitoring and PHI lock capabilities, and some don't. 

Q: So when you investigate new technologies, what specifically are you looking at?
A:   Our privacy and security review consists of two parts. The first is we go through the device with an objective scoring based on tools that are readily available to come up with a number — that number gets assigned and people within Intermountain are able to see that number to understand the level of risk. What it really means is I need to put different controls around that device based on that objective scoring. At the same time, we have a paid senior-level consultant who will do a subjective assessment of the technology and it's that person's job to go through and tell us what the architecture looks like and what kinds of controls would help. What are the risks subjectively that we need to mitigate? Now, that also is a very formalized document, a standard template that goes into a database and every one has the same fields that need to be filled out, the same risk identification and mitigation strategy and the controls that need to be put into place based on the assessment. If the scores are high enough that the risk is considered significant, then we come back and there needs to be assessments conducted by a privacy and security coordinator on an annual or a quarterly basis and some attestation that the controls are working. If the score is low enough we might do it once a year or every other year, depending on the risk. 

If we're going to embrace this mobile world the way to do it is to find ways to enable, monitor, audit, control, and put protections around the health data that is so vital. 

Q: Following that, what are some of the controls that constitute your security architecture? 
A: We've developed what we consider the common controls that have to be on every system from a strong password to encryption, at rest and in motion. And then based on risk what are they hybrid controls, the ones that don't fit on every device but are necessary for some. We also have a third level of control that we call system specific because of the potentially high level of risk. We need more than what's in the common or hybrid controls maybe because a vendor doesn't have some of the common controls we think are necessary. So if a vendor doesn't have, say, audit and monitoring, then I'll want to go out and put data loss detection, protection on our side. And then I'm going to want to have meetings with that vendor maybe twice a year to discuss privacy and security so they understand that because of the concerns we have around the privacy of patient information your product doesn't fit well. 

Q: What might other security professionals take away from Intermountian's experience? 
A: CIOs and CISOs need to take the data that comes out of risk assessments and translate that information into an activity report that tells you 'here are the activities we need to be doing for the next year to make sure we have appropriate controls.' In many ways those need to happen at a strategic level and they go up above the glucometer or fitness tracking device and in the security architecture — and you need to have a framework for rating risk on a regular basis.