March 2011

CHI Strengthens Information Security


CHI is developing a formal, structured program to safeguard the security of millions of bytes of information, including the patient, clinical and business information collected and used by employees across CHI every day.

"CHI, and the health care industry in general, has realized the need for greater focus on information security," said Sheryl Rose, vice president and chief information security officer for CHI. "We're well underway with an initial, 12-month CHI strategy for information security."

Most CHI employees are familiar with the process of employee ID and password management, but there is much more to a comprehensive information security program. "We'll address the awareness and identification of security risks, manage compliance with HIPAA privacy standards and meet industry standards for credit card processing, among other initiatives," said Rose.

Rose joined CHI in October 2010 from the financial industry, which has a strong focus on information security. "We all go to automated teller machines to make deposits or withdrawals and don't question the need to provide a password, because we know that banks use information security procedures for our protection," said Rose. "In health care, information security is for the protection of CHI, our employees and our patients. And, it's very important to address security needs in a way that patient information is protected, but patient care is not affected."

CHI's initial plan is to develop three main security programs:a

  • A governance program to set standards for data classification
  • A data protection program to ensure data security and integrity
  • A perimeter protection program that will address security for information sent over networks.

To oversee these programs as they grow, CHI created a Security Steering Committee, which includes senior national and market-based organization leaders. "This committee will set priorities for managing identified risks," said Rose.

Rose and her team already have two important information security initiatives ready for introduction:

  • All portable USB storage ("flash") drives used on CHI computers will soon be encrypted so that a password is needed to save information from a computer to the drive, or to retrieve information from the drive. "Flash drives are notoriously non-secure because they are so easy to misplace or lose," said Rose.

  • A new data loss protection system will be implemented to better control information that goes in and out of CHI's IT systems. "It's not unusual for employees to email work-related information to their home computers simply so they can work on it while away from the office, but that's a non-secure practice," said Rose. "We have a committee dedicated to this project that will make recommendations for better controls."

For more information on CHI's information security initiatives, contact Sheryl Rose.