April 16, 2014
Security is an important topic in the world of healthcare and one that we’ve been actively discussing recently. Thomas Grove, one of Phoenix’s resident security experts, has been covering the topic of security risk analysis over the past few weeks, and it brought up a larger question — how will healthcare improve its security in the long term? I asked Thomas to provide his opinion on the requirements for improved healthcare security. Here’s what he had to say:
There are three components that are vital to healthcare security:
First, Work on People and Processes
We love to tout technology solutions to problems, like encryption, single sign-on, biometric IDs and so forth, and indeed sometimes technology is exactly what’s needed. Fundamentally, though, the most cost-effective security investment is often training people. Simply put, the best deterrent to violations of security – and by extension privacy – is a well-trained workforce doing well-thought-out things. The Department of Health and Human Services (HHS) publishes information on breaches that involve at least 500 patients. Not all of the incidents have full descriptions, but there are a few that do. Here are some examples:
All three breaches could have been prevented with technology. Encryption would have made the first two events relative non-issues. But the bottom line is, all three issues were caused by a person doing something they should not have done. The employee should not have left their laptop on the subway, the cleaning crew shouldn’t have propped the door open, and the benefits staff member shouldn’t have sent that email.
Second, Focus More on Data Security Than Device Security
We’ve created an expectation in the modern world that things are available to us online all the time, and indeed, connectivity is just about everywhere. The expectation of healthcare providers is that they be able to access patient information from their phones, laptops, and tablets, from the hospital, in the office, or at home. We’ve even legislated it. According to a 2012 HIMSS survey, some 80 percent of physicians use mobile technology to deliver patient care, and over 90 percent use mobile devices in their daily operations.
The Meaningful Use / MIPS rules that govern electronic medical records (EMR) require patient portals to be implemented now. In a few years, clinical portals will be in place so that doctor’s office personnel can see what happened in the hospital.
We must begin to leverage that ever-present connectivity differently. Instead of encrypting devices, limit the use of critical data so that it remains inside the encrypted system. That way, it doesn’t matter what phone your doctor has, or who in the office is doing what with their laptop on break — the data simply isn’t on the device unless someone is actively logged in and using it. This can be done system by system, or by using technology that gives the user secured access in a web browser while preventing them from copying data to the local machine.
Third, We Simply Must Communicate Better
The reality is, it’s very difficult to be a security officer in healthcare, because it’s hard to get hospitals to give time and attention to security. The perception is that healthcare organizations don’t exist to be secure – they exist to treat patients. That makes it very easy for hospitals to make decisions to spend scarce resources on projects that provide direct clinical and revenue benefits.
As professionals in the industry, we have to change this perception. The truth is, if we can’t protect patient data, we can’t provide patient care. Security issues cause more than just disclosure of information; they put integrity and availability at risk as well, and we have to do a better job of making the argument that protecting the systems that hold patient data is a critical part of that mission.
How is your hospital working to secure healthcare data?