Dr. John Halamka, CIO at the hospital where Boston Marathon bombing patients and suspects have been treated over the past week, has shared in a blog post Tuesday lessons learned from an IT and security management perspective.
"IT in general experiences more demands than supply," Halamka wrote. "Last week, we learned firsthand how technology can support a disaster. As we think about all the work on our plates, our plans going forward must incorporate our recent experiences."
Halamka, who consumed news of the tragedy initially via social media while flying from Los Angeles to Boston, says other members of his IT organization were among first responders at the finish line. Seven Beth Israel Deaconess Medical Center (BIDMC) IT staff members were volunteers at the medical tent and finish line, and their familiarity enabled them to stay strong and calm while tending to those who were harmed in the bombing.
None of the IT staff was harmed, but Halamka wrote that "as we think about risk planning in the future, we'll need to consider the events of last week when told something as innocent as 'the majority of the database administration team is going to volunteer at the marathon.'"
Halamka said the events of last week in Boston will also force his team to rethink its application, network and data centre access strategies. While BIDMC is enhancing security of its apps and network by limiting access to those who really need it, Halamka writes that the situations that prevent most employees from working at home might require allowing more access at certain times. Disaster recovery planning also needs to be rethought to take into consideration circumstances where people can't access or leave a data centre for long periods of time.
In a hospital setting where high profile patients reside, in this case victims and suspects, privacy is ultra-important and BIMDC took communications and analytics measures to ensure privacy. Among other things, BIMDC arranged for a message to show up atop the page of its intranet for all staff members to see that reminded them of data lookup policies and social media rules (such as not tweeting out any information about patient identities or condition).
"Might there be new workflows required in the future such that appropriate individuals are paged/notified within seconds after a lookup occurs? In an emergency/mass casualty disaster, how can we balance the need for increased security/privacy and appropriate access with real-time auditing alerts?" Halamka wrote.
Halamka praised BIDMC and other hospitals in town for their cooperation in securely sharing patient medical records, a longtime hot-button issue for this tech-oriented medical professional.