Healthcare CIO gets tough on net policy violators

Network World - CareGroup Healthcare System is serious about its security and privacy policies, and those employees and business partners not adhering to them pay a huge price, according to the Boston health care organization's CIO.
Dr. John Halamka kicked off the HealthSec 2004 Conference & Expo in Boston this week with a keynote address titled "You're Fired! Security Breaches, Pink Slips and Public 'Executions.' " Halamka has made a name for himself in IT circles partly because of his decision to go public following a network outage at one CareGroup hospital back in November 2002 in an effort to help others avoid similar fates (see story).
Halamka shared examples, with names changed to protect the guilty, of CareGroup employees or associates who have been canned for violating security or privacy policies, which they had to agree to upon joining CareGroup or starting to do business with it. One doctor was found to be getting abusive in online chat sessions, a violation confirmed by packet sniff tracing. Another doctor, who wound up leaving before having the chance to get fired, violated policy by peeking into a spouse's psychiatric drug records.
"It's important to have sanctions to have a policy that has teeth," said Halamka, who emphasized that CareGroup's termination policies apply equally to everyone, from clerks up to head surgeons.
One way that CareGroup stresses its policy compliance message is by making public, within the organization, when and why someone is axed for violating policy. If a policy is broken by a business partner employee, that organization needs to discipline its employee, or CareGroup will cut off access privileges for the entire organization, said Halamka, who is an emergency doctor in addition to being an IT professional.
But in order to fire anyone based on security or privacy policy violations, he said those policies need to be carefully crafted and supported throughout the organization, such as by the human resources department.
The need for airtight security and privacy at health care organizations, especially one the size of CareGroup, is obvious. CareGroup boasts 12,000 employees who serve some 9 million patients. The privately held organization moves some 70TB of data a day over a network infrastructure that includes 15,000 Cisco Systems Inc. equipment ports and 200 servers, mostly Unix. The organization also provides secure Web access to patients, employees and business partners.

One huge security and privacy challenge for Halamka is that there are a lot of good medical reasons for doctors and others in a health care organization to have access to a