Winter 2015
CxO Corner
by Sri Bharadwaj, President-Elect, and Dianne Baker, Board Member and Marketing and Communications Chairperson
For this quarter’s CXO Corner, Sri Bharadwaj, our Chapter’s President-Elect, and Dianne Baker, Marketing and Communications Chairperson, had the opportunity to visit with Lee Kim, Director, Privacy and Security, National HIMSS. Lee talks to us about her very interesting and diverse career and the upcoming Keynote address at our 5th Annual Privacy and Security Forum on January 30th, 2015, at Hoag Hospital. She also shares excellent insight and advice on helping to manage security and privacy threats in your organization.
The New Avenue of Patient Care: Taking Care of Patient Data
You have had an exciting and interesting career path – can you share with us some insight into your professional and personal journey from your degree in chemistry, to a legal career in privacy, security and intellectual property, and now to becoming a leading privacy and security expert within our National HIMSS organization?
I have purposefully connected the seemingly disparate dots together in every move that I have made. Having analytical, creative, legal, and negotiation skills has served me well.
Having a law degree provides a different perspective in looking at our industry’s challenges with preparing for and managing cyber security threats and incidents – how has this helped you in your career and in your leadership role at HIMSS?
I would say that having had ten years of practice in healthcare and intellectual property law has been immensely helpful. Being able to read and interpret laws and regulations, knowing how and what to say, and knowing the various state and federal healthcare-related laws and regulations, have been instrumental. In addition, having in-depth knowledge of laws related to trade secrets, confidential know-how, patents, copyrights, trademarks, and service marks has been helpful as well. After all, we are in a highly regulated industry and healthcare information, financial information, and intellectual property information are targets. Finally, while this was not planned at all, just three days after I had joined HIMSS as a staffer, I was awarded an AV Preeminent® peer review rating by Martindale-Hubbell for healthcare and intellectual property law and so I have pretty decent knowledge and skills in those areas.
Before my legal career, I worked in the information technology and health information technology fields doing network, database, web, system administration, and application support. I also did some consulting work as a programmer as well.
There are continuously evolving cyber security threats facing the healthcare sector and we are now becoming an even greater target for external, and even foreign, perpetrators. How does a Healthcare CISO or security leader plan for these external threats?
- Don’t forget about the hacktivists. Please see the linked article, Lessons Learned from Boston Children's. (It is important to..) have a plan for handling them, based upon lessons learned (including from the community).
- Don’t forget about the unsuccessful security incidents. Up your defenses by learning from the unsuccessful ones, in addition to those that are successful.
- Become more resilient as incidents do occur (and they will – that is just the nature of the beast), based upon lessons learned.
- Be wary of whom you outsource work to, whether they are domestic or overseas.
- Don’t forget about training your workforce members on elicitation and phishing.
- Don’t forget about the insider threat – insider threat activity may be even more damaging than external threat actors. Do the due diligence and vet your employees, consultants, and others who are part of your workforce (or an extension of the workforce). Think about: Who has trusted access? (Do not overlook the security guards, janitors, and cleaning people.) Also, do common sense things such as: (i) having a clean desk policy and (ii) terminating local and remote access after a workforce member is terminated or leaves your workforce or is otherwise no longer a member of your workforce.
Can you provide some insight on effective security strategies for smaller healthcare organizations that are struggling with multiple priorities and initiatives?
- Leverage managed security services
- Avoid the phish. If it looks phishy, don’t take the bait. Similarly, do not fall for elicitation techniques.
- Use the tips in our HIMSS National Cyber Security Awareness Month tip sheet (co-developed by HIMSS and the National Cyber Security Alliance).
- Other resources are available on our HIMSS National Cyber Security Awareness Month page.
Can you share with us the focus of your presentation to our members at the forum in January?
- Highlights of HIMSS privacy and security volunteer group initiatives (including education and advocacy)
- NIST Cybersecurity Framework cross-sector update
- FDA medical device security outreach and initiatives
- Insider threat and intellectual property theft with a discussion of: What is “intellectual property” anyway? Is my organization a target?
- Healthcare fraud
Thank you so much for the opportunity.
Lee Kim, BS, JD, FHIMSS
Director of Privacy and Security
HIMSS North America
Lee Kim is the Director of Privacy and Security at the Healthcare Information and Management Systems Society (HIMSS) and a Fellow of HIMSS. HIMSS is a global, cause-based, not-for-profit organization focused on better health through information technology (IT). HIMSS leads efforts to optimize health engagements and care outcomes using information technology.
Kim serves as a vice-chair of the American Bar Association (ABA) Health Law Section eHealth Privacy and Security Interest Group and Emerging Issues in Healthcare Law, and ABA Health eSource Editorial Board. She is a member of the National Association of State Chief Information Officers (NASCIO) Health Care Working Group and the SANS Securing the Human Healthcare advisory board. Kim is a licensed attorney in the District of Columbia and Pennsylvania and is admitted to practice before the Federal Circuit and the United States Patent and Trademark Office as a registered patent attorney. She is a graduate of the FBI Citizen’s Academy.
She holds an AV Preeminent® peer review rating in health care and intellectual property from Martindale-Hubbell. Kim’s publications have included articles in E-Commerce Law & Policy, E-Finance & Payments Law & Policy, and a chapter in the American Bar Association book, Health Care IT: The Essential Lawyer’s Guide to Health Care Information Technology and the Law. Previously, Kim worked as a technologist in the healthcare and information technology industries and as a healthcare and intellectual property attorney in private practice.