No one is exactly sure what Alexander Torrance was after — was he trying to steal sensitive patient data, or was he just headed to the pawnshop? What is clear is that in December, Torrance snagged a $1,200 laptop from a cart at St. Joseph's Hospital in Syracuse, N.Y., in full view of several witnesses, then bolted out the door with the computer shoved conspicuously into his pants.
The Syracuse theft was just one of several stories about stolen laptops and other security breaches that made headlines last year. Data security is becoming an increasingly complex challenge for healthcare IT professionals at all levels. Even as new technologies make care easier to deliver, they open up new vulnerabilities in the IT infrastructure.
"The fact that new technology creates constantly changing threat profiles is a real challenge," says Gerry Bliss, president of Bliss Informatics, a consulting firm based in Victoria, British Columbia. "The hole in the dam you plugged last week will be replaced by one or two more next week."
A recent study by IT research firm Info-Tech Research Group, London, Ontario, found that only 30 percent of hospitals surveyed have already implemented the e-mail encryption and messaging security required by HIPAA. Another 22 percent planned to do so in the next 12 months. "That still leaves 48 percent without it, and with no immediate plans to implement," says Ross Armstrong, senior research analyst at Info-Tech.
These findings echo the winter 2006 HIPAA survey conducted by the Chicago-based Health Information and Management Systems Society (HIMSS) and Phoenix Health Systems, Gaithersburg, Md., which found only 55 percent of healthcare providers are now compliant with HIPAA's security standards. Approximately 24 percent of providers experienced between one and five security breaches between July 2005 and January 2006, and 13 percent reported six to 11 incidents.
Threats from inside, outside
"What healthcare is facing is what everyone else is facing," says Harry Rhodes, director of practice leadership at the Chicago-based American Health Information Management Association (AHIMA). "More employees are working from home, and data is moving beyond the company walls. There is a constant struggle to balance access against security."
There were a number of high-profile security incidents last year, including stolen or lost laptops at Kaiser Permanente Colorado, the Indiana Breast and Cervical Cancer Program, Emory Healthcare in Georgia, and the Department of Veterans Affairs, which reported that records of as many as 26.5 million veterans had been stored on a laptop stolen from the home of an employee.
External attacks on hospital systems are rare (or at least rarely reported), but they do happen, usually in the form of a computer virus or worm. In 2005, Northwest Hospital and Medical Centre in Seattle experienced a worst-case scenario when a "zombie bot" attack (designed to spread adware) took down computers in the hospital's intensive care unit.
Most hospitals, though, have done a good job of protecting their networks through a combination of firewalls, virus protection software, intrusion detection, and robust encryption and authentication systems.
"Most organizations are doing a lot of things well," says Bliss. "But they are doing them well in isolated pockets. They might have good network security or application security, but sometimes these things aren't coordinated or driven by a risk management policy or plan."
User authentication procedures should require at least two components. According to John Parmigiani, president of consulting firm John C. Parmigiani & Associates in Elliot City, Md., these can include something you know (like a password), something you have (like a keycard or token), some sort of biometric (fingerprint scan), and location (data can only be accessed via computers on the hospital premises, for example).
Role-based access can limit employees' access privileges based on their job descriptions, and emerging single sign-on solutions can help keep authentication processes from slowing down clinicians.
Despite the focus on guarding access, most security incidents are generated from within. Many of these problems arise from innocent mistakes by staff members who are either unaware of security policies, or who have not received ongoing training. In some hospitals, existing policies are not consistently enforced.
"There's an impression that healthcare is slow to adopt IT, but I see a proliferation of technology in the hands of people who don't know the implications of what they have," says Lisa Gallagher, director of privacy and security at HIMSS.
One of the biggest problems facing hospitals right now is the proliferation of mobile devices. In addition to laptops, PDAs and BlackBerrys, there are now a host of medical devices that can be attached to the hospital network, as well as tiny portable USB drives that can hold enormous amounts of data.
While most of the publicly known breaches have been due to laptop loss or theft, many organizations have focused the bulk of their security efforts on securing their internal networks. According Info-Tech, 73 percent of organizations rated external threats (like viruses and worms) as a top priority, while only 43 percent were interested in mobile device security.
Response to the mobile problem has been varied. In some cases, hospitals have instituted a policy that data from the hospital's systems can not be downloaded onto portable devices. Others require that personal laptops or PDAs meet hospital security requirements.
"You have to establish rules of engagement," says Parmigiani. "You can use that mobile device on the network, but you have to bring it up to our security standards."
Baptist Memorial Health Care in Memphis, Tenn., restricts data transfer on personal devices like PDAs and laptops. Any laptop that may contain corporate or patient data is encrypted, and the hospital is investigating "phone home" technology that would allow lost or stolen devices to broadcast their location when connected to the Internet.
The hospital also recently deployed a secure solution to help manage USB devices. "There are appropriate business uses for USB devices," says Lenny Goodman, director of desktop management and information systems at Baptist. "We just took it a step further and said those devices must be encrypted, password protected and auditable."
The hospital deployed secure USB drives from Kingston Technology Co., Fountain Valley, Calif., along with software from Philadelphia-based Safend Inc. Baptist now has control of how its data is transferred, as well as an audit trail of what data was copied onto which device.
Wireless LANs also pose a potential problem for hospitals. Although new security protocols for these networks have been developed, many installed systems using older security technology may be vulnerable to unauthorized use.
Hospitals should periodically audit their LANs to identify rogue devices, and find areas where the wireless signal may "leak" outside the building or campus. Administrators should also re-evaluate network security when deploying new technology on an existing infrastructure, such as RFID tracking systems or voice over IP (VoIP) phones.
University of Chicago Hospitals and Health System installed a comprehensive wireless infrastructure that integrates wireless LAN, cellular, and paging technology, and uses an authentication scheme to manage access. The system, from InnerWireless Inc., Richardson, Texas, was initially deployed in Comer Children's Hospital, Chicago.
"We have a couple of guiding principles we follow," says Todd Hollowell, executive director of IT at the University of Chicago Hospitals. "First, the security approach must be comprehensive and integrated, so that it will work within our application framework. Second, it has to be routinely and periodically assessed and modified. Things are always changing."
The best defense
While firewalls and authentication and encryption technology are part of the answer, a successful security program should start with a risk assessment, followed with a written, clearly defined and broadly communicated security policy.
"Someone should set the tone at the top," says Bliss. "You need a policy that states the organization-wide accountability for personal information. If you do this piecemeal, you are going to be surprised one day and end up in the paper."
Staff must be trained and kept up to date, not just on HIPAA compliance, but on common sense measures like how to recognize an e-mail phishing scam. Some hospitals have turned to computer-based training programs that can automatically alert staff of training requirements and policy changes.
"If you want to address 80 percent of your security risk, train your people," says Bliss. "Make them aware of their role in security. Enable them to follow the policy you wrote, and make sure they know who to report breaches and weaknesses to. That gives you a self-healing and self-improving system."
In addition to HIPAA, healthcare organizations also must comply with a variety of state-level privacy and security legislation, which has further complicated the security landscape. There are also a number of standardization efforts underway through several government and industry organizations.
HIMSS has established a Privacy and Security Toolkit, which was updated in February, to help healthcare professionals keep up with the rapidly changing landscape. The toolkit can be found at: http://www.himss.org/ASP/privacySecurityTree.asp?faid=78&tid=4
Organizations with security initiatives underway include:
American Health Informatics Society (AHIMA) http://www.ahima.org
Health Information Security and Privacy Collaboration (HISPC) http://www.rti.org/hispc
American Health Information Community (AHIC) http://www.hhs.gov/healthit/ahic.html
Agency for Healthcare Research and Quality (AHRQ) http://www.healthit.ahrq.gov
Health Information Technology Standards Panel (HITSP) http://www.ansi.org/hitsp/
Connecting for Health http://www.connectingforhealth.org
Certification Commission for Healthcare Information Technology (CCHIT) http://www.cchit.org
Brian Albright is a contributing writer based in Columbus, Ohio.