5 Lessons for IT from the Boston Marathon Bombings

John D Halamka April 25, 2013
5 Lessons for IT from the Boston Marathon Bombings
The CIO of Boston's Beth Israel Deaconess Medical Center learned a few things last week

A week after the Boston Marathon bombings, I can take some time to reflect on the lessons learned in my position as CIO of Beth Israel Deaconess Medical Center. I think they apply as well to other IT departments far from Boston.

1. Risk planning is forever altered

To me, risk is calculated by multiplying the likelihood of an event by the impact of that event.

In the BIDMC IT department, risk management is based on the NIST 800 framework. That means areas of risk are formally enumerated, but judgment is still required for mitigation strategies.

At 2:50 p.m. on April 15, when the marathon bombs exploded, seven BIDMC IT staffers were volunteering in the medical tent or working at the finish line, a few feet from the explosions. They were among the first to assist the injured. Their work in a medical facility aided them in staying calm, but nothing could have prepared them for the scene of horror before them.

All my IT staffers at the marathon were unharmed, but given their proximity to the bombs, things could have been devastatingly different. For risk planning, this means that even phrases as innocent sounding as "the majority of the database administration team is going to volunteer at the marathon" will have to be carefully considered.

2. Secure remote access to all systems is critical to operations

As we have continued to enhance the security of our applications and networks, we have been limiting remote access to BIDMC personnel who have a vital need to use systems from off campus. Last week's events demonstrate, though, that we need to plan for situations that might shut down the city for five days or require many people to work from home if travel is restricted or a "shelter in place" order is given.

3. It's possible for data centers to be off-limits for a time

In ways we had never foreseen, travel was restricted for an indefinite period of time in the Boston metropolitan area, and the access to the BIDMC campus was tightly controlled for a while. Our disaster recovery planning needs to include two new scenarios: data center staff is barred from entering the data center, and data center staff is not allowed to leave the data center.

4. We may need to consider novel audit workflows

Currently, we capture every patient data lookup in real time and perform many analytics to ensure that patients' privacy preferences are respected.

This message appears at the top of page of our intranet:

Urgent Reminder for All BIDMC Staff About Patient Privacy

Staff must completely protect patient privacy according to federal HIPAA regulations and BIDMC's own privacy policies. That means:

1. No sharing of ANY patient information through email, TwitterFacebook, Flickr or other photo sites, any other social media, phone calls or conversations - or any other way.

2. Do not look at, or access by computer, medical records or other protected health information (PHI) or personal information (PI) unless you are authorized to access that information AND you need that information to care for the patient.

3. Send all media calls to the Communications Department or page the Media Relations staff on call.

Violation of these regulations and policies will lead to disciplinary action up to and including termination of employment.

Most importantly, thank you to the overwhelming majority of BIDMC staff who are doing an excellent job of keeping all patient information secure.

Source: Computerworld (US)