In The Boardroom With...

Mr. Scott Gaydos
Chief Technologist, Federal Healthcare
HP Enterprise Services, US Public Sector

Cybersecurity for U.S. Public Sector

SecuritySolutionsWatch.com: Healthcare reform remains in the forefront of the American agenda, as both public and private sector healthcare providers face similar issues and challenges.  There is a strong desire to expand healthcare coverage while improving patient experiences and controlling the growing cost of services to active military personnel, military dependents and veterans. The Centers for Medicare & Medicaid Services are often in the news, focused on effectively managing and exchanging information to meet the demands for faster, more efficient citizen services. Can you please provide us with an overview regarding how HP helps its healthcare clients chart a course to address managing exploding data efficiently?  

Scott Gaydos:HP provides technology, services, and turnkey solutions to Federal Healthcare entities including the Centers for Medicare & Medicaid Services (CMS), the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), the U.S. Department of Veterans Affairs (VA), and the Military Health System (MHS). Many of these entities, in addition to private health institutions, share an ever-increasing amount of Personally Identifiable Information (PII), which typically includes Personal Health Information (PHI). The secure storage and access of this information is critical in creating a more effective infrastructure designed to enhance patient experiences and outcomes. The efficient management of sensitive information is just one example of improvements being made to better serve citizens and to support overall improvements to the U.S. populations’ health.

Each federal healthcare entity currently maintains its own information repositories which continue to grow both from internally-generated data, as well as the data injected from collaborative information sharing. In some cases, HP technologies and services power the data centers and environments in which this data resides. In this scenario, HP helps to transform the technology infrastructure responsible for storing, managing, and processing data. In other cases, HP technologists provide services and solutions centered on building custom data analytic software to help public sector healthcare clients efficiently organize and utilize mass amounts of data for more informed clinical, administrative, and population healthcare decisions.  However, in all cases, HP brings a wealth of healthcare industry knowledge, specifically to include, the effective use of IT in payer, provider, and public health settings.

Finally, HP also specifically focuses on some of the unique challenges facing the federal healthcare community through analytic research and development. For example, in the HP Advanced Federal Healthcare Innovation Lab (AFHIL), we are exploring technology solutions that enable entities such as the FDA to leverage the sea of data generated from the social media universe in order to better predict and act upon food recalls. Analyzing what people are talking about publically across social media outlets concerning health, the food they consume, and even where they’re located, can potentially lead to more effective communications when recalls are necessary for public safety.

SecuritySolutionsWatch.com: HP recently announced that it received an award from the Department of Veterans Affairs for developing a nationally standardized Real-Time Location System (RTLS) solution to help improve healthcare operations.  This solution will ultimately be rolled out to over 150 medical centers within the 21 Veteran Integrated Service Networks (VISN) and seven consolidated medical outpatient pharmacy facilities. Can you please elaborate on this solution and help us understand what the true value of utilizing such a solution is to both the agency and ultimately, the community as a whole?

Scott Gaydos: The Veterans Health Administration (VHA), the healthcare delivery arm of VA, is the largest direct healthcare system in America supporting the health and wellness of over 9 million Veterans. With over 200,000 employees and more than 3 million assets, the VHA faces continuing challenges including the need to reduce costs, enhance operational efficiencies, and improve patient care and safety simultaneously. The VA recently selected HP to help it deploy a nation-wide Real-Time Location System (RTLS) aimed at improving the clinical and administrative workflows associated with executing VHA’s mission. Specifically, the HP RTLS solution answers the agency’s mission values of:

• Improving operational efficiency and the overall quality of Veteran care.
• Decreasing operational costs by maximizing equipment utilization.
• Increasing staff efficiencies and productivity.
• Reducing costs through minimizing lost and/or replaced equipment and supplies.
• Enhancing patient and staff satisfaction while improving the quality and safety of patient, provider, and institution perspectives.

The RTLS system being implemented impacts these mission values through a best-of-breed, multi-vendor hardware and software solution integrated into a single, passive and active stack, to track and identify the location of objects in real time. Specifically, the solution is designed to:

• Track current and historical location of medical devices and people, visualized through a single, web-based interface
• Alert via automated notifications such as when an infusion pump leaves a protected zone, a medical device is overdue for maintenance, a wheelchair requires delivery, or a refrigeration unit is going out of temperature range.
• Manage the utilization of equipment, control the workflow, and utilize location data for operational analysis
• Integrate location and status information to existing hospital information systems, such as VA’s electronic health record, asset management systems, etc.

Once complete, VA’s RTLS solution effectively becomes a real-time operational intelligence platform, supporting VHA’s mission to provide exceptional healthcare to our nation’s Veterans. This resource of knowledge, never fully available before the deployment of these technologies, creates a treasure trove of information to support outcomes-based analytics.

SecuritySolutionsWatch.com:  Can we drill down for a moment to the topic of fraud, waste and abuse?  The White House Budget for 2014 includes $80.1B of discretionary funding to support the Department of Health and Human Services mission (page 94 of the budget).  While progress is being made to reduce fraud and waste, many feel there’s still a long way to go. What are your thoughts?

Scott Gaydos: Progress is continually being made to reduce fraud, waste, and abuse throughout the federal healthcare system. New sources of data, along with the integration of multiple sources of data managed by tools that HP offers, will continue to largely improve fraud detection.  Data sharing by multiple agencies and other public/private entities must be facilitated through standards and enhanced security protocols to ensure relevant data is available.

HP and its subsidiary SafeGuard Services (SGS), has helped the U.S. Department of Health and Human Services (HHS) to perform data analysis, investigations, and medical reviews designed to detect, prevent, deter, reduce and initiate referrals to recover fraud, waste and abuse.   SGS has prevented approximately $4B in inappropriate payments and identified over $1B in overpayments through its proactive claims processing system edits.  This experience, coupled with robust fraud and abuse analytics, has ultimately resulted in the referral of hundreds of cases to law enforcement and to successful criminal and civil prosecutions.

While SGS represents one tool in the government’s arsenal to help reduce fraud, waste and abuse, HP continues to invest in new technologies, services and solutions to further facilitate the appropriate flow of healthcare dollars to valid recipients. 

SecuritySolutionsWatch.com: Disasters don't make appointments. Whether its ricin and toxins delivered through the mail or recent tragedies such as the Boston Marathon or Hurricanes Sandy and Katrina, these unpredictable events create special security challenges for the healthcare community. During times of crisis the system must securely perform without flaw.  What is your perspective regarding "best-practices" for the healthcare community when faced with these sorts of unique situations? 

Scott Gaydos: Best practices for protecting healthcare data is similar to other industries in which sensitive data exists, such as financial institutions, defense agencies and even commercial enterprises.  Today, common practices include disaster recovery preparations where, at a minimum, backup copies of healthcare data are retained at a reasonable distance from their primary storage site.  More sophisticated business continuity solutions exist within many healthcare setups. For example, nearly, and sometimes fully, redundant compute, network and storage environments are established to drive recovery time and recovery point objectives to mere minutes. Of course it should be noted, the closer to full redundancy one makes the infrastructure, the more costly implementations become. 

However, beyond IT disaster recovery protection, healthcare institutions must also build resiliency to catastrophic situations within application architectures as well.  Examples include the centralized and redundant data stores that can protect the data layer of an otherwise highly distributed system.  Alternatively, some system designs choose to federate and replicate data such that there is no one single point of failure.  The Department of Veteran’s Affair’s (VA’s) electronic health record is one such example. 

In 2005, when hurricane Katrina caused mass evacuations of New Orleans and its surrounding areas, Veterans health records were not lost in the natural catastrophe.  Even though electronic records were stored in on-site systems, these records were also replicated to other VA electronic health record systems.  Therefore, when displaced veterans arrived for critical medical assistance at the VA’s Houston, Texas Medical Center; their records were already in the system waiting for them.   This “best practice” helps to ensure patients receive improved care, regardless of geography, particularly in times when urgency strikes.

SecuritySolutionsWatch.com: Cybersecurity attacks continue to be front page news on a regular basis. It has often been stated that defending attacks daily, is for all practical purposes, impossible in our globally networked world. Please share with us how HP delivers intrusion detection and network security solutions within the healthcare environment to protect both Personal Identifiable Information (PII) and Personal Healthcare Information (PHI) and why this is of such paramount importance.

Scott Gaydos:In today’s globally connected world it is impractical and nearly financially impossible to protect against ever possible IT infrastructure threat. To reduce the risk of being attacked, a comprehensive and proactive approach to security must be taken.  Highly collaborative and adaptive systems supported by actionable security intelligence are needed.  This goes beyond perimeter security to incorporate an integrated set of solutions and services across an organization’s IT and application infrastructure to defend against today’s most advanced threats.

HP’s industry-leading portfolio of security products, including HP Fortify, HP TippingPoint and HP ArcSight, work together to create highly secure environments capable of protecting sensitive data such as PII and PHI.  Application developers use HP Fortify offerings to secure code before an application is deployed, as well as ongoing scanning while the applications are being used in real-time.  If vulnerability is detected while the software is live, HP Fortify products tell the HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) to automatically create a new filter to plug the vulnerability, securing the software at the network layer.  HP ArcSight Logger then captures all events related to any attempted exploit, allowing run-time protection while providing development teams with critical insight needed on how to create additional safeguards to deploy at a later date.
HP believes security intelligence is the backbone of any effective defense strategy and is key to helping healthcare organizations understand their security posture and risk profile. Focused on vulnerability discovery and analysis, the HP Security Research organization drives security intelligence into the HP’s portfolio of solutions and provides insights into the future of security and the most critical threats facing organizations today.  This intelligence is bolstered through work with an ecosystem of external security researchers via HP’s Zero Day Initiative (ZDI), which is focused on the responsible identification of software flaws that could lead to cyber attacks and security breaches.

Security is more than being prepared with a response once an incident occurs; it is being proactive and seeking to eliminate issues throughout the development and implementation phases.  With over 40 years of experience with cybersecurity solutions, HP is a trusted advisor to federal agencies and commercial enterprises around the globe.