Perhaps the most critical advantage the health IT industry has is that when it comes to the digitization of patient records, everyone is on board. But just because it’s a bipartisan issue, it doesn’t mean any of it has come easy, particularly the interoperability piece.
That’s where ONC comes in. As part of the 21st Century Cures Act, ONC is charged with developing a framework to address the issues that are hindering the flow of data, all while ensuring data is secure. As Chief Privacy Officer, Kathryn Marchesini is front and center in that effort. In this interview, she discusses ONC’s key priorities, and how ONC works to obtain and incorporate feedback from all types of stakeholders. Marchesini also talks about how she has benefited from her experience as a technology consultant, and the importance of having dedicated IT security leaders.
- “It’s a pivotal time to be in health privacy.”
- Getting “on-the-job training” as acting chief privacy officer in 2014
- Critical role of CISOs
- “Cybersecurity is a shared responsibility.”
- Selling security to the board: “It’s a constant battle”
- Risk assessments
- A culture of security: “Everyone has a role to play.”
Gamble: You’ve been in your current role since January, having previously served as Senior Advisor and Deputy Director for Privacy. What were your thoughts on being named to this role, and how did you approach it?
Marchesini: I’m very appreciative of the opportunity to continue serving and contributing to work that is deeply important and inspiring to me, and having the chance to work on things that make people’s lives better. I feel like it’s a pivotal time to be in healthcare privacy. We’ve been very actively researching, analyzing, and thinking long and hard about many of these issues and questions for years, and now we’re looking at them particularly through a technology-agnostic lens.
During the early years at ONC, and through the work of our federal advisory committees, the use cases we looked at were either theoretical, or the technology was in the early stages of development or adoption. Now we’re at a tipping point, and we’re trying our best to tackle some of these issues in tandem with the rapid advances in real time.
Gamble: And this is a role that was going to be eliminated, interestingly. But clearly there is a need for this position.
Marchesini: Right. And in a way, I had on-the-job training for the role in 2014 when I served as the acting chief privacy officer. This was during a time of transition between political appointees under the last administration for the chief privacy officer.
But as a career federal civil servant, I’m doing what I can to help explain, ‘here’s what we’ve done, and here’s where we’ve been, why we are where we are, and where we’d like to go.’ I’m trying my best to bridge the traditional gap between civil servants and political appointees. I’m trying to provide some consistency across the privacy and security portfolio in what I hope will be seen as efficient use of taxpayer dollars.
There are challenges every day. It’s been a learning opportunity and while there are many uncertainties in some areas with the change of administration, it’s also fortunate for me, as well as ONC, that health IT is a bipartisan issue. As you may know, the overall push to use electronic health records started under the George W. Bush administration as a result of an executive order in 2004. And so, in some way, you can say that things have been in transition since then. However, with supporting bipartisan federal laws — first with HITECH in 2009, and most recently the 21st Century Cures Act — being passed along the way, it’s helped to provide continuity as well as momentum toward the target outcome.
Gamble: You also have experience as a technology consultant and it seems like you had a diverse education. How has this helped prepare you for your current role?
Marchesini: It’s provided me with a sense of understanding, perspective, and transparency. For me, the intersection of the three disciplines is truly prevalent in healthcare, and has provided me with the tools to contribute to society and the lives of others. I have a distinct perspective and opportunity to view situations through various lenses, and I’m continuously seeking to understand business drivers, legal uncertainties, and practical realities that many health IT stakeholders consider when trying to meet the business needs or requirements through development, implementation, and use of technology. And so, while there are competing interests that need to be balanced, there are ways to address and provide reasonable steps and approaches to protect health information, confidentiality, integrity, and availability. That’s the approach I’m trying to take in my role.
Gamble: With our audience, which is largely CIOs, privacy and security are very high priorities, but there are a number of organizations that don’t necessarily have a dedicated chief information security officer. Can you give some perspective about why it’s so critical to have someone at a high level who is focused on security?
Marchesini: Everyone has a role to play in protecting and securing electronic health information. Cybersecurity is a shared responsibility, and it can only be achieved in a culture where privacy and security are valued and everyone plays a role.
From my perspective, it’s only a matter of time before an organization experiences a security or cybersecurity incident. Having someone in place who understands that risk will help organizations become better positioned to take preventative measures against identified risks. For example, by conducting a risk assessment, an organization can uncover technical, physical, and administrative vulnerabilities, and look more closely at their security policies, their processes, and their systems. So when an organization is able to address these issues, a security individual or someone dedicated in that role can potentially prevent data breaches or other adverse security events. It also helps to make sure the organization is best positioned to have the processes and procedures in place to respond when an actual security incident occurs.
If an organization doesn’t have a CISO or someone that’s focused on security, they still need to have someone dedicated to this area, particularly if an organization is covered by HIPAA. As part of the HIPAA Security Rule’s administrative safeguard requirements, a covered entity must designate a security official who is responsible for developing and implementing security policies and procedures. I know that oftentimes there may be limited resources for smaller organizations, but regardless of the size, organizations must seek to understand their responsibility to integrate cybersecurity practice into their culture.
With smaller healthcare organizations, there may not be as much complexity, and oftentimes they don’t have many resources, the staff, or the bandwidth to dedicate to both security and privacy. And for healthcare providers, this isn’t necessarily their core competency. Over the years, however, ONC, in partnership with our HHS colleagues, has developed a variety of free, publicly available educational materials and resources to help aid healthcare provider organizations that may not have in-house security expertise, particularly those that may be in a small practice setting.
Gamble: I’m sure that what you really don’t want to see are organizations that believe they have a pretty good cybersecurity strategy in place, and then are hit with a breach, and it becomes a reactive thing.
Marchesini: Absolutely. Being proactive, preventative, and trying to integrate good privacy and security hygiene is the best approach.
Gamble: Do you have any advice for CIOs or other high level leaders on how to effectively communicate this need to the board? For some it can be a challenge, because resources are limited and every organization is feeling the strain. Any tips on how to drive the point home that this is something that needs resources?
Marchesini: What we sometimes hear at ONC is that it’s a constant battle between profitable business investments and “unprofitable” security investments that can protect the current bottom line of an organization. The challenge seems to be in convincing senior leaders to buy into a particular cybersecurity strategy given the competing interests.
In terms of factors to consider and practical steps to take when trying to communicate additional funding or prioritization, I would suggest to first make sure you know your audience, and try to articulate the problem, the impact, and the proposed solution through a business lens and overall perspective. In many instances, this means translating technical language and jargon to the practical realities that leaders face with business-oriented metrics — for example, the monetary loss that security controls prevented — and explaining how cybersecurity strategy can be a business advantage by potentially helping to engender patient trust and customer loyalty. From an IT perspective, seek to understand the organization’s immediate and long-term business priorities to ensure that the cybersecurity plan aligns with the business goals.
The second thing I would suggest is to involve executives and senior business leaders, as well as other workforce members at all levels, when you’re doing a security risk assessment. A risk assessment can help build an awareness of the practices or the organization’s overall security posture in making sure that electronic health information is safe and secure. When you’re doing this, try to focus on the bottom line when interfacing with leadership — for example, what’s the impact if an identified risk is realized or a vulnerability is not addressed — and explain what they can do about it and what the likely outcomes are with the various options you’re proposing.
Lastly — and I know I mentioned this before — it’s developing an organizational culture of proactive security. Everyone has a role to play in protecting and securing health information, and without support from senior leaders and the board, it can be even more challenging for organizations to have strong cybersecurity practices.
Strive to assist leaders in understanding their responsibility and integrating privacy and security into the culture. And remember, cybersecurity is a shared responsibility. In some situations, this may involve changing an organization’s culture, and helping employees — not just leadership — realize that the duty of keeping patient health information safe requires an effort from the entire organization.
Gamble: This has to be all hands on deck.
Marchesini: Yes, much like a lot of things in healthcare organizations. But this is something that, I think, often gets overlooked.
Gamble: Right. Well, I could talk to you more, but we should probably wrap it up. I really appreciate you taking the time to speak with us. This is a perspective that we believe is important to get out there.
Marchesini: Great. Thank you for reaching out, Kate. I appreciate the opportunity.