Because people provide so much of their personal information at hospitals, universities and university-affiliated medical centers, one of the biggest issues affecting these campuses is identity theft. In hospitals, stolen and misplaced laptops are particularly problematic.
So who is going to prevent such ordeals from happening? For Southwest Washington Medical Center in Vancouver, Wash., Security Compliance Officer Christopher Paidhrin is the man to the rescue.
A 20-year veteran of director-level IT security, Paidhrin has responsibilities that cover everything in the IT realm, from firewalls, intrusion detection and identity and access management to Health Insurance Portability and Accountability Act (HIPAA) and Joint Commission compliance. Additionally, he is tasked with implementing physical security measures that blend seamlessly with the hospital’s IT solutions. Because he interfaces with every department in the hospital, Paidhrin is aware of the potential security problems and takes great strides to fix them immediately and effectively.
Read on to see how Southwest Washington Medical Center, which is a six-time winner of Solucient’s Top 100 National Hospitals, has been able to successfully converge physical and logical access under Paidhrin’s leadership.
What are the biggest challenges facing your department?
Paidhrin: Identity and access management. I have to know where people are and what they have access to.
In terms of access, do you mean logical or physical access to the hospital, or both?
Paidhrin: Logical and physical access are actually converging. I’ve got a single sign-on solution [from Imprivata OneSign based in Lexington, Mass.] that tells me whether you are one of the 3,000 outside workers, 3,200 inside workers, or the 600 physicians here at our campus. I know where you are and when you’re logging on. I can dictate whether you can gain access via biometrics, via a password or via a proximity card.
Our single sign-on solution interfaces with our campus security’s physical access controls. I have an ID badge that has a passive proximity card in it, an RFID chip. It gives me physical access by swiping proximity readers, which lets physical security know where I am. Then, when I want to log in to a system, the network also knows where I am. The system allows me to use biometrics or simple passwords.
If my user is a systems administrator or if he or she is off site, I may want to have greater security, like an RSA SecurID to add two-factor authentication.
We have visual checks and physical access control. Interior doors that have controlled substances or medical equipment are locked. Only certain people have physical keys or access card privileges. Once inside, the individual walks up to a workstation and logs in.
A central auditing and reporting control mechanism tells us the individual is at a workstation at a particular time. We know when he logs off. We know every application that is accessed, and I can go into each application and determine what the individual looked at. If he brings up a menu or a screen, I can tell to the tenth of a second what he did and when.
How do you determine who has access to what?
Paidhrin: Your role defines what information you have access to. That is managed out of HR, and it integrates with our access control provisioning system. We provide people with accounts to give them appropriate access, and then they can quickly get whatever they need because they only need to sign on one time.
At this hospital, we have more than 200 applications. For a healthcare provider [our doctors, nurses and staff], the average is six to 12 applications that they need to have access to. The Role Based Access Control (RBAC) manages what they have access to. Within the application, they are only allowed to see menus and screens appropriate to their role. That role is determined by department and then by job title. You can be an RN in the Emergency Department and an RN in Neonatal, and your access list can be completely different.
Then, if the person walks away from the workstation and does not log off, which is against policy, the system locks itself within a couple of minutes.
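The two answers above describe one converged control: a badge swipe tells the network where a user is, a logon is then checked against that location, RBAC keyed by department and job title decides which screens each application shows, an idle workstation locks after a couple of minutes, and every step is audited. The following Python model is an added illustration, not code from the hospital or from Imprivata; the role table, zone names, user names and the two-minute idle value are constructed assumptions.

```python
# Constructed RBAC table: role = (department, job title) -> {application: allowed screens}.
# Two RNs in different departments get completely different access lists, as the interview says.
ROLE_ENTITLEMENTS = {
    ("Emergency", "RN"): {"EHR": {"triage", "meds"}, "Lab": {"results"}},
    ("Neonatal", "RN"): {"EHR": {"vitals", "feeding"}, "Pharmacy": {"orders"}},
}
IDLE_LOCK_SECONDS = 120  # assumed value for "a couple of minutes"; timestamps are plain seconds


class AccessBroker:
    """Ties badge swipes (physical) to logons and screen access (logical) and audits all of it."""

    def __init__(self):
        self.roles = {}      # user -> (department, job title), as provisioned from HR
        self.location = {}   # user -> zone of the last badge swipe
        self.sessions = {}   # user -> {"ws": workstation, "last": last activity, "locked": bool}
        self.audit = []      # (timestamp, user, event, detail): the central audit trail

    def _log(self, ts, user, event, detail):
        self.audit.append((ts, user, event, detail))

    def provision(self, user, department, title):
        self.roles[user] = (department, title)

    def badge_swipe(self, ts, user, zone):
        self.location[user] = zone
        self._log(ts, user, "badge", zone)

    def logon(self, ts, user, workstation, zone):
        # The network knows where the badge last went; a logon from a different zone is refused.
        if self.location.get(user) != zone:
            self._log(ts, user, "logon_denied", f"{workstation}: no badge swipe in {zone}")
            return False
        self.sessions[user] = {"ws": workstation, "last": ts, "locked": False}
        self._log(ts, user, "logon", workstation)
        return True

    def open_screen(self, ts, user, app, screen):
        s = self.sessions.get(user)
        if s is None:
            return False
        if s["locked"] or ts - s["last"] > IDLE_LOCK_SECONDS:
            s["locked"] = True                       # walked away without logging off
            self._log(ts, user, "locked", s["ws"])
            return False
        s["last"] = ts
        allowed = ROLE_ENTITLEMENTS.get(self.roles.get(user), {}).get(app, set())
        ok = screen in allowed                       # only screens appropriate to the role
        self._log(ts, user, "screen" if ok else "screen_denied", f"{app}/{screen}")
        return ok
```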
What other initiatives are you working on that have been successful?
Paidhrin: Compliance with HIPAA and the Joint Commission are big concerns in terms of my area. Secured E-mail is a current initiative I have going, which allows us to fully encrypt communication between physicians and their patients. Clinical laptops have also been a big issue for us.
In addition to access control, there are issues related to emergency communications. When there is a disaster or a severe weather event, we do periodic multi-agency training to prepare. This includes various local law enforcement agencies. Because we are a regional hospital, we have various law enforcement personnel here every day.
We have just recently revised our communication protocol with law enforcement and produced a chart. When law enforcement shows up, especially in the second or third shifts, we don’t have as many people who might be familiar with who these law enforcement people are.
We have a checklist agency grid for 24-hour identity confirmation of law enforcement. So if someone shows up from Homeland Security, we know who to call at the FBI or Homeland Security office to ask, ‘Can you please validate this individual?’ Because we have so many people coming onto campus we have to be very careful about providing all kinds of support to law enforcement. So ID badging is very important to us.
Why are laptops such a problem, and how do you plan on solving that issue?
Paidhrin: [The laptops are either] lost or stolen. We deploy 60 laptops for home care. This is where CNs, CRNs and RNs go to the home of the patient and they take their laptops. In our case, their computers contain only the information for the people they will visit that day.
And every single one of our laptops has full hard-drive encryption. That means that unless you’re the NSA or Homeland Security, no one will know what’s inside that hard disk. You will not have access to it. And, if our user fails to properly log in three times, it shuts down. They must take it back to the office and have it reimaged.
In light of the fact that identity theft is a major issue, what are some of the ways you prevent badges from being counterfeited?
Paidhrin: The ID badges are all produced on site, and HR maintains physical and logical security for them. Our systems are automated so that all impacted departments receive account status notification, especially at termination. I get daily termination notices, and my operations manager gets the same, so I’m alerted and she does the disconnect.
If there is a termination for cause, our protocol includes phone calls ahead of time. At a predetermined hour for an individual, both physical and IT access control are removed in a heartbeat. We have physical safety officers onsite to escort people off campus; it’s very controlled. We know what kind of sabotage could take place with a disgruntled employee, and no matter what the circumstance is we want to be extremely cautious about locking out, both physically and logically, former employees or workforce members.
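The termination procedure above has three moving parts: HR notices that reach security and operations daily, a call-ahead for terminations for cause, and physical and logical access removed together at a predetermined hour. The following Python sketch is an added illustration, not the hospital's system; the feed format, user names, badge ids and hours are constructed, and the reconcile check is an added practitioner's control for catching a badge left active after an account was disabled.

```python
# Constructed HR termination feed (not the hospital's real format): user,badge_id,effective_hour,reason
HR_TERMINATION_FEED = """\
jdoe,B1001,17,voluntary
asmith,B1002,9,for_cause
"""


class Deprovisioner:
    """Removes physical (badge) and logical (account) access in the same step at the planned hour."""

    def __init__(self, active_badges, directory):
        self.active_badges = active_badges   # set of badge ids the door readers still accept
        self.directory = directory           # user -> {"enabled": bool, "badge": badge id}
        self.pending = []                    # (user, badge, hour, reason) awaiting the hour
        self.notices = []                    # the daily notices that alert security and operations

    def ingest_feed(self, feed_text):
        for line in feed_text.strip().splitlines():
            user, badge, hour, reason = line.split(",")
            self.pending.append((user, badge, int(hour), reason))
            self.notices.append(f"termination: {user} effective {hour}:00")
            if reason == "for_cause":
                # For cause: call ahead so a safety officer can be on site to escort.
                self.notices.append(f"call ahead: {user} for cause, escort at {hour}:00")

    def tick(self, hour_now):
        """Run hourly; every termination whose hour has arrived loses both accesses at once."""
        revoked, still_pending = [], []
        for user, badge, hour, reason in self.pending:
            if hour_now >= hour:
                self.active_badges.discard(badge)            # physical access gone
                self.directory[user]["enabled"] = False      # logical access gone, same step
                revoked.append(user)
            else:
                still_pending.append((user, badge, hour, reason))
        self.pending = still_pending
        return revoked

    def reconcile(self):
        """Return users whose account is disabled but whose badge the readers still accept."""
        return sorted(u for u, rec in self.directory.items()
                      if not rec["enabled"] and rec["badge"] in self.active_badges)
```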
It’s all about information control, and the thing that’s at risk is a patient’s information. Of all the things that are happening in healthcare, identity theft is our chief concern. There is very little happening in relation to federal health information protection law, but there have been thousands of identity thefts related to hospitals because we store so much information.
Do you have any best practices when implementing a system that you would recommend to other hospitals?
Paidhrin: I do. In fact, I have a list. First, no missing policies or best practices because every hole that you leave open, a threat will find its way in. The second is everyone should follow procedures. They are there for a purpose and should be adhered to.
The third thing is to have some form of change control because without change control, things happen and people get caught off-guard and systems and processes break down. Fourth, have a disaster recovery and a business continuance plan. You have to know what to do when the lights go out or when there is a problem. Lastly, lock down everything that needs to be locked down. You take away temptation; you let people know that you are watching and monitoring and you really cut into the number of incidents.
__________________________________________________________________________________________
The Paidhrin File
- Name: Christopher Paidhrin
- Age: 50
- Title: Security Compliance Officer
- Healthcare Organization: Southwest Washington Medical Center based in Vancouver, Wash., was founded in 1858 and is comprised of 12 buildings on three major campuses within 10 miles; there are 3,200 internal workforce members, 3,000 external workforce members and 600-plus credentialed physicians; 462 registered beds; partner facilities include 200-plus clinics.
- Department: Paidhrin is independent of all department directors and reports only to a site executive and the CIO.
- Experience: 20 years in director level IT and IT security; worked in IT and business operations for Oregon Graduate Institute in Beaverton, Ore., as well as other universities in the Oregon area; seven years for Southwest Washington Medical Center.
Ashley Willis is the assistant editor of Campus Safety magazine. She can be reached at [email protected].