March 30, 2009
Get With the Times
By Alice Shepherd
For The Record
Vol. 21 No. 7 P. 14
Channeling data through modern technologies could help healthcare organizations more effectively protect sensitive information and prevent internal security breaches.
When it comes to protecting sensitive health information from prying eyes, much attention is given to external threats such as hackers. However, internal security breaches, whether inadvertent or malicious, are actually more likely. Oftentimes, these occur because staff members carelessly exhibit certain behaviors that encourage snooping and enable the theft of private information. These include keeping notes of logins and passwords, leaving a workstation while still logged in to the network, altering computer security settings, using unauthorized software applications, accessing facilities and networks without authorization, sharing hospital-owned devices with coworkers and private parties, using work devices for private tasks and personal devices to access health information networks, leaving paper charts and electronic devices out in the open, and losing portable electronic devices.
Although not a total fix, new technologies can do much to prevent internal security breaches. In addition to databases and networks, mobile and peripheral devices need protection. Without privacy policies, procedures, and training, however, technologies have serious limitations.
Privacy and Convenience Don’t Have to Be Mutually Exclusive
During the course of the day, healthcare professionals frequently log in and out of many systems from various locations, which makes it tempting to jot down logins and passwords and leave computers logged in. This was often the case at Parkview Adventist Medical Center in Brunswick, Me. “We had a collection of best-of-breed systems which ran on different platforms,” says Chief Information Officer and Assistant Vice President Bill McQuaid. “The information was difficult to get at, requiring different logins and passwords, and it was too easy for people to leave screens logged in. There was a great deal of risk.”
Now, Parkview’s security technology locks down systems while providing quick and easy access. “We researched many systems and found that Imprivata’s OneSign Single Sign-On could kill two birds with one stone,” says McQuaid. “We’re a thousand times more secure now, and the satisfaction level is way up because users can click a single icon to launch the system that automatically gets them into all the various applications.”
What if an unauthorized user were to gain access to those applications with a stolen login and password? “Although logins and passwords can be used with Single Sign-On, most healthcare facilities today want stronger authentication,” says Geoff Hogan, senior vice president of business development and product management at Imprivata. “Parkview uses a fingerprint biometric reader to control access.”
An alternative to the biometric reader is a proximity card reader. The badges (or smart cards) used by staff to enter buildings or restricted areas can also be leveraged for secure authentication at computer terminals. “Different authentication systems—fingerprints, smart cards, badges, passwords, etc.—can also be mixed and matched,” says Hogan. “For example, you can combine a smart card with a fingerprint as an additional precaution. Single Sign-On technology is also compatible with virtualized infrastructures such as ‘thin clients’ connected to applications and patient record data housed in the IT center.”
Parkview also has safeguards in place to prevent unauthorized access to a deserted logged-in computer. “We use wall-mounted sonar,” says McQuaid. “When someone working at a computer backs away by a foot or more, the sonar senses the absence and logs the user off.” McQuaid plans to replace the sonar with cameras, which he expects to be even more effective. “Unlike sonar, the camera can see when someone backs away from a terminal and someone else steps right in,” he says. “It recognizes a different person and logs out.”
Parkview has a full test environment to make sure security never sleeps. Its systems run on two mirror devices, a primary and a failover, so that the live environment is kept running during testing or upgrading.
Signing on only once to access many different applications also facilitates security audits. “If an unauthorized individual were to use a fingerprint, proximity card, or invalid password to attempt to gain access, that incident would be captured and reported,” says McQuaid.
Increasingly, healthcare professionals need to access patient records remotely from other sites or home offices. For remote access via the Web, Parkview staff members use logins and passwords combined with realms (personalized security questions). However, McQuaid monitors all remote access, as well as on-site access. “I can see who logged in and can track everything that was done,” he says. “I also run periodic reports to look for any indications of foul play, such as two people logging in at the same time.”
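The two kinds of review McQuaid describes, capturing failed authentication attempts and looking for the same person logged in from two places at once, can be automated over a sign-on audit log. The following is an added example, not Parkview's or Imprivata's reporting code; the log format, the user and workstation names, and the thresholds are constructed for illustration.

```python
"""
Audit-log review for single sign-on events.

Added example (not code from the article or from Imprivata). The log layout
below is an assumption: one event per line with timestamp, event type, user,
workstation and authentication method, space separated.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log. jsmith opens a second session on another
# workstation while the first is still open; rlee fails three times in a row.
SAMPLE_LOG = """\
2009-03-02T08:00:12 LOGIN_OK jsmith WS-ER-01 fingerprint
2009-03-02T08:05:40 LOGIN_OK jsmith WS-ICU-07 password
2009-03-02T08:06:03 LOGIN_FAIL rlee WS-ER-01 fingerprint
2009-03-02T08:06:15 LOGIN_FAIL rlee WS-ER-01 fingerprint
2009-03-02T08:06:30 LOGIN_FAIL rlee WS-ER-01 password
2009-03-02T08:20:00 LOGOUT jsmith WS-ER-01 -
2009-03-02T08:45:00 LOGOUT jsmith WS-ICU-07 -
2009-03-02T09:00:00 LOGIN_OK mchen WS-RAD-02 proxcard
2009-03-02T09:30:00 LOGOUT mchen WS-RAD-02 -
"""


def parse_log(text):
    """Turn the raw log text into (timestamp, event, user, workstation, method) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ws, method = line.split()
        events.append((datetime.fromisoformat(ts), event, user, ws, method))
    return events


def find_concurrent_sessions(events):
    """Return (user, existing_ws, new_ws, when) for every successful login that
    happens while the same user still has an open session on another workstation.
    A user logging in again on the same workstation is not reported."""
    open_sessions = defaultdict(dict)  # user -> {workstation: login time}
    findings = []
    for ts, event, user, ws, _ in sorted(events):
        if event == "LOGIN_OK":
            for other_ws in open_sessions[user]:
                if other_ws != ws:
                    findings.append((user, other_ws, ws, ts))
            open_sessions[user][ws] = ts
        elif event == "LOGOUT":
            open_sessions[user].pop(ws, None)
    return findings


def find_failed_auth_bursts(events, threshold=3, window_seconds=300):
    """Return (user, workstation, count) for each user/workstation pair that
    accumulates at least `threshold` failed logins inside a sliding window of
    `window_seconds`. Each pair is reported at most once."""
    failures = defaultdict(list)
    for ts, event, user, ws, _ in sorted(events):
        if event == "LOGIN_FAIL":
            failures[(user, ws)].append(ts)
    flagged = []
    for (user, ws), times in failures.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append((user, ws, end - start + 1))
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, ws_a, ws_b, when in find_concurrent_sessions(evts):
        print(f"{when}: {user} logged in at {ws_b} while still open at {ws_a}")
    for user, ws, n in find_failed_auth_bursts(evts):
        print(f"{n} failed logins for {user} at {ws} within the window")
```

Both checks are deliberately conservative: the concurrent-session report needs a LOGOUT (or the sonar/camera walk-away logoff) to close a session, so a workstation that never logs a LOGOUT will keep showing up, which is itself worth knowing about.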
“There is also a strong authentication mechanism for gaining access to networks via mobile devices,” says Hogan. “Soft-token software can be installed on the device. It generates a one-time password token that will correlate to back-end infrastructure and validate the user.”
Technology Needs Policy
Parkview recognizes that privacy is not just about technology but also about policies, procedures, and teamwork across the organization. For example, all wireless devices must be hospital owned, and the e-mailing of patient information is prohibited. “We only use secure FTP site-to-site transmission or we burn a CD, encrypt it, and mail it,” says McQuaid, who regularly tests the staff’s knowledge of policies.
“You can spend all you want on technology, but there’s nothing more powerful than education,” he says. “Every year I make up a fake e-mail account and send an e-mail to everyone asking them to forward their logins and passwords, so I can verify they’re HIPAA compliant. The first few times, some people responded and were given training. Everyone got the message, and now they don’t respond anymore.”
Because it is 100% paperless, Parkview has also established policies and procedures for nonemployee access to patient data. McQuaid explains: “Nonemployee surgeons and their staff can access our system remotely but only to view the information pertaining to their own patients. Every 60 days, their account automatically disables unless they call the IS [information systems] department to reactivate their login and password.”
Don’t Leave the Windows Open
Without protecting the information that resides in and travels through peripheral devices (such as printers, scanners, fax machines, and multifunctional devices), network security is like a residential alarm system that arms only the doors but not the windows. “A great risk of which many healthcare organizations are unaware is that multifunctional devices have hard drives,” cautions Dale Johnson, technical marketing manager at Xerox Global Services’ United States Solutions Group—Office Business Operations. “A typical midsize multifunctional device prints, scans, and faxes 15,000 to 40,000 pages a month, each of which is stored on the hard drive. When hospitals get rid of old devices, they give away the sensitive information that has accumulated on the hard drive over the life of the device. Have the vendor remove the hard drive, so you can dispose of it properly.”
To secure peripheral devices, consider the following systems:
• disk image overwrite capability for hard drives to overwrite data automatically, on a schedule, or manually;
• software to associate documents with personal identification numbers that must be entered to print the document (to prevent unauthorized individuals from collecting information from printer output trays);
• encryption of information in transit from computer to printer;
• secure scanning, which uses a secure socket protocol similar to that used in online banking;
• software to lock down fax machines, so they can be used only with logins and passwords or smart cards;
• fax servers with the capability to enter a list of authorized recipient fax numbers; and
• fax forward, which automatically routes incoming documents to an authorized individual’s e-mail address.
Johnson recommends purchasing multifunctional devices only from vendors that are “triple C” (common criteria certification) compliant with the international standard ISO 15408. With lower certification ratings, critical gaps in security can be missed, he says.
The Big Picture
In the rapidly evolving HIT world, getting a handle on data security depends on a thorough understanding of the organization’s risk profile. In that regard, a privacy impact assessment (PIA) can help.
“A PIA assesses health IT systems that exchange information internally and externally,” says Erik Pupo, senior principal of healthcare at Project Performance Corporation. “It rates the specific privacy risks inherent in an organization’s systems and processes, identifies what PHI [protected health information] or PII [personally identifiable information] is shared outside the scope of the system, and helps develop a plan that establishes accountability and a structure for reporting on privacy matters up to the top of the organizational hierarchy.”
Although PIAs are currently only required for federal information systems (e.g., intelligence, homeland security, IRS, HIS, Vista, Alta), some commercial healthcare organizations have adopted them as a powerful tool to get their house in order. They are usually managed by the chief privacy officer.
“A PIA creates a picture of the status of privacy within the organization,” says Pupo. “It takes a comprehensive look at all the HIT and performs an analysis of issues that affect privacy so that plans and policies can be developed to address them. The process also helps organizations craft messages to present information on security measures to patients and members of the public who may have concerns about privacy in an organization.”
The components of a PIA include setting the stage by identifying stakeholders and determining the scope of the assessment, collecting information, preparing a report, and creating a review and audit process. “There may be some pushback from staff members who are being asked to provide information and documentation,” Pupo cautions. “Collect as much information as possible, prepare the PIA, present the information to management, and determine next steps. Make sure you don’t just shelve the report. Follow up on the issues you have identified. PIAs that reveal significant privacy risks usually get the attention of upper management very quickly because of the potential financial and public relations consequences. While a PIA helps identify, mitigate, and manage risk, it is not a substitute for privacy policy and guidance at the organizational, regional, and national levels.”
Sharing Is Caring — Within Limits
Sharing information among physicians and clinicians, as well as with outside providers and organizations, is critical to providing comprehensive patient care. Unfortunately, the systems and processes that permit this sharing also create privacy risks. “Patients have to be able to trust that hospitals will keep their records private,” says Johnson. “They are in the hospital to get well, and security is the furthest thing from their mind. They should not have to worry about whether their private information is being handled diligently as it’s being communicated among individuals and departments.”
Technologies are constantly emerging and advancing to improve security, but maximum efficiency depends on people, policies, and processes.
— Alice Shepherd is a southern California-based business-to-business journalist specializing in healthcare topics.
An Emerging Threat: Medical Identity Theft
The financial and public relations consequences of security breaches are well known, but now a new consequence has emerged that adds even more serious implications to the list: harm to patients. In fact, each incident of medical identity theft has the potential to harm two people. “When you treat a patient under another person’s identity, the treatment may be inappropriate,” says Lisa A. Gallagher, BSEE, CISM, CPHIMS, senior director of privacy and security at HIMSS. “To make matters worse, that treatment now becomes part of the record of the patient whose identity was stolen—misinformation which may lead to incorrect treatments for that patient as well.”
While traditional security breaches are usually identified through an organization’s intrusion systems or a security officer’s audit log, medical identity theft is most often detected when patients get claims summaries or bills for services they did not receive. “Of great concern is the time lag that may occur between the theft and its discovery,” says Gallagher. “In the worst-case scenario, a breach may not be detected until harm has been done by administering the wrong treatment to one or both patients. The potentially deadly consequences of medical identity theft make it more important than ever for organizations to stay on top of security, so they can detect breaches immediately and notify patients before it is too late.”
Gallagher shares the following recommendations:
• In parallel and concurrently with the infusion of technology, invest the time and energy in developing appropriate policies and training employees.
• Conduct periodic, comprehensive risk assessments to identify threats, vulnerabilities, and resultant risks. Measure and continually improve the effectiveness of security controls. This is not a one-time task—it has to be an ongoing activity.
• Provide regular, rigorous employee training. Even with the best technical controls, you’ll need to rely on employees to meet security policies and integrate secure practices into their everyday work.
• Secure collaborative and mobile devices with both technical and procedural controls.
• Either don’t use e-mail for transmitting sensitive information or secure it through encryption.
• Coordinate efforts between information systems and HIM, perhaps through weekly joint meetings.
• Take advantage of the many educational resources provided, including those from HIMSS or the Office of the National Coordinator for Health Information Technology. (HIMSS has a privacy and security tool kit on its Web site.)
For further information on medical identity theft, refer to the Office of the National Coordinator’s Medical Identity Theft Final Report at www.hhs.gov/healthit/documents/MedIdTheftReport011509.pdf or HIMSS’ Security Survey report at www.himss.org/content/files/HIMSS2008SecuritySurveyReport.pdf.
— AS