Chief information Security Officer Jigar Kadakia showing off an awareness week poster
Partners HealthCare Chief Information Security and Privacy Officer Jigar Kadakia explains the benefits of educating employees during “Information Security & Privacy Awareness Week,” an enterprise-wide program to provide information about securing physical and electronic environments.

The health care industry is one of the highest producers and users of personal data. As in many industries, data is a critical asset in health care and one that must be kept secure to prevent it from getting into the wrong hands and to protect the privacy of millions of patients. Under the leadership of Jigar Kadakia, Chief Information Security and Privacy Officer, Partners HealthCare is leading the way in health care information security by protecting patient data and other information.

Partners is one of the few health care systems in the country to use a combination of best practices on information security that go beyond what is required by law.

“We’re on the leading edge, and we’re doing a lot of things innovatively and differently than traditional security programs do to make sure we are protecting not only patient data, but also Partners data,” Kadakia said.

 

What makes health care data vulnerable

Historically speaking, data security in health care has not always been a top priority as its been in other industries like finance and defense. The very nature of medicine and discovery relies on sharing data, with patients’ permission, so it can be used by their doctors to better treat them and by researchers to find cures. However, in this collaborative environment, data security is essential. 

“The goal is really collaboration and sharing information amongst different groups to better treat the patient. And to limit that access would really limit our innovation so we have to maintain that innovation while balancing information security,” Kadakia said.

Unfortunately, however, threats today are much more targeted toward health care data. It’s likely not one solo hacker stealing a bunch of data all at once; it’s more likely an organized crime group that steals information bit by bit. Like a leaky faucet that no one notices, the information may be pulled out little by little. Those thieves may take snippets of information, combine it with other bits of information gathered from public sources or other breaches elsewhere, and create profiles of people in hopes of selling that data or using it against that person or organization.

Considering that there are 12 member organizations within Partners, including a 200-year old hospital (Massachusetts General Hospital), there are millions of patient records in the system that could be vulnerable, not to mention the information about the 60,000-employee organization. IT manages 2,500 applications across the system, working hard to protect all that data. It takes constant vigilance to plug the holes of potential leaky faucets to ensure the protection of the entire system.

“We know the risks, and we treat this data with the utmost sensitivity. Information security and privacy is a huge priority for Partners,” Kadakia said.

 

Information security at Partners: The Lighthouse Project

Acknowledging the potential threats to this host of information, Partners implemented a system-wide initiative on information and system security called the Lighthouse Project. The goal: to improve processes and technologies to better protect patient and Partners data.

As the project name suggests, “We’re trying to bring a light on security in our organization,” Kadakia said.

From the beginning, the Lighthouse Project was driven by Partners leadership, who saw breaches occurring in other industries and drew correlations of potential risks internally. Leadership understood that a project of this magnitude required funding and human capital and therefore made the investments in resources to really address the key security issues appropriately.

“This was a way to mitigate the risk and put us at the cutting edge of security. Clearly, there’s room to grow, but we’re ahead of the curve,” Kadakia said.

Most people may not be aware of the large-scale, behind-the-scenes efforts that go into protecting the information of patients, employees, and the Partners HealthCare system.

“The Lighthouse Project has impacted every team within Information Technology at Partners," Kadakia said. 

In addition to patient data used by providers, there are other types of sensitive data that Partners is focused on protecting:

  • Research data, such as studies of patients that often use de-identified information to share with other researchers
  • Partners's own data, including plans about finances, business, development, or any other confidential information that is shared internally

Partners has created or improved security activities, including:

  • Reviewing and establishing policies and procedures
  • Automating systems to mediate the risk of human error and adding more technical controls
  • Training users and employees to watch out for scams. For example, for several years, Partners has held its Information Security & Privacy Awareness Week, which occurs twice a year, to continually educate employees about the latest scams and remind employees to stay vigilant.

Although there are some baseline regulations to protect health care information, Partners strives to go beyond the requirements and meet best-practice standards.

Partners uses standards established by:

  • NIST (National Institute of Standards and Technology), one of the oldest federal technology agencies that works with industry to set standards
  • ITIL (Information Technology Infrastructure Library), a set of IS Service Management practices on processes, activities, and checklists to align IT needs with business
  • ISO 27002, an international organization of what is generally considered the highest level of best practices in management standards

“We think about information security as much broader than just HIPAA security,” Kadakia said. “Those standards together go above and beyond the normal [regulations].”

 “When people go to the doctor, they should be thinking about their health, not about whether their data is at risk. Just as our providers work to ensure their health, we work to ensure their privacy and protection.”