No one is exactly sure what Alexander Torrance was after — was he trying to steal sensitive patient data, or was he just headed to the pawnshop? What is clear is that in December, Torrance snagged a $1,200 laptop from a cart at St. Joseph's Hospital in Syracuse, N.Y., in full view of several witnesses, then bolted out the door with the computer shoved conspicuously into his pants.
The Syracuse theft was just one of several stories about stolen laptops and other security breaches that made headlines last year. Data security is becoming an increasingly complex challenge for healthcare IT professionals at all levels. Even as new technologies make care easier to deliver, they open up new vulnerabilities in the IT infrastructure.
"The fact that new technology creates constantly changing threat profiles is a real challenge," says Gerry Bliss, president of Bliss Informatics, a consulting firm based in Victoria, British Columbia. "The hole in the dam you plugged last week will be replaced by one or two more next week."
A recent study by IT research firm Info-Tech Research Group, London, Ontario, found that only 30 percent of hospitals surveyed have already implemented the e-mail encryption and messaging security required by HIPAA. Another 22 percent planned to do so in the next 12 months. "That still leaves 48 percent without it, and with no immediate plans to implement," says Ross Armstrong, senior research analyst at Info-Tech.
These findings echo the winter 2006 HIPAA survey conducted by the Chicago-based Health Information and Management Systems Society (HIMSS) and Phoenix Health Systems, Gaithersburg, Md., which found only 55 percent of healthcare providers are now compliant with HIPAA's security standards. Approximately 24 percent of providers experienced between one and five security breaches between July 2005 and January 2006, and 13 percent reported six to 11 incidents.
Threats from inside, outside
"What healthcare is facing is what everyone else is facing," says Harry Rhodes, director of practice leadership at the Chicago-based American Health Information Management Association (AHIMA). "More employees are working from home, and data is moving beyond the company walls. There is a constant struggle to balance access against security."
There were a number of high-profile security incidents last year, including stolen or lost laptops at Kaiser Permanente Colorado, the Indiana Breast and Cervical Cancer Program, Emory Healthcare in Georgia, and the Department of Veterans Affairs, which reported that records of as many as 26.5 million veterans had been stored on a laptop stolen from the home of an employee.
External attacks on hospital systems are rare (or at least rarely reported), but they do happen, usually in the form of a computer virus or worm. In 2005, Northwest Hospital and Medical Centre in Seattle experienced a worst-case scenario when a "zombie bot" attack (designed to spread adware) took down computers in the hospital's intensive care unit.
Most hospitals, though, have done a good job of protecting their networks through a combination of firewalls, virus protection software, intrusion detection, and robust encryption and authentication systems.
"Most organizations are doing a lot of things well," says Bliss. "But they are doing them well in isolated pockets. They might have good network security or application security, but sometimes these things aren't coordinated or driven by a risk management policy or plan."
User authentication procedures should require at least two components. According to John Parmigiani, president of consulting firm John C. Parmigiani & Associates in Ellicott City, Md., these can include something you know (like a password), something you have (like a keycard or token), some sort of biometric (fingerprint scan), and location (data can only be accessed via computers on the hospital premises, for example).
Role-based access can limit employees' access privileges based on their job descriptions, and emerging single sign-on solutions can help keep authentication processes from slowing down clinicians.
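The two ideas in the preceding paragraphs, authentication built from at least two distinct factor categories and role-based limits on what an authenticated user may do, can be combined into a single access decision. The following is an added illustration written for this article, not software from any hospital, vendor or consultant named in it; the factor categories follow the list above, while the on-premises address range, the role table and the sample sessions are constructed assumptions. The one detail worth noticing is that the factor count is taken over distinct categories, so a password plus a PIN is still only "something you know", whereas a password used from a machine on the hospital network satisfies "something you know" plus "location".

```python
"""Added example: an access-control check combining multi-factor authentication
(at least two distinct categories: know / have / biometric / location) with
role-based permissions.  Illustrative code written for this article; the address
block, role table and sample users below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"      # password, PIN
    HAVE = "something you have"      # keycard, hardware token
    BIO = "biometric"                # fingerprint scan
    WHERE = "location"               # request originates on hospital premises


# Assumed on-premises address block; a request from outside it does not
# satisfy the location factor.
PREMISES_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed role table: each role maps to the actions it may perform on records.
ROLE_PERMISSIONS = {
    "clinician": {"read_chart", "write_chart"},
    "billing": {"read_demographics"},
    "it_admin": {"manage_accounts"},
}


@dataclass
class AuthEvidence:
    """What the user presented: (factor category, verified?) pairs plus the
    source address of the session."""
    verified: list = field(default_factory=list)   # list of (Factor, bool)
    source_ip: str = "0.0.0.0"


def distinct_factors(evidence: AuthEvidence) -> set:
    """Return the set of factor categories actually satisfied.

    Only verified evidence counts, and only one entry per category: two
    passwords are still a single 'something you know' factor.  The location
    factor is derived from the source address, not claimed by the client."""
    cats = {f for f, ok in evidence.verified if ok}
    try:
        if ipaddress.ip_address(evidence.source_ip) in PREMISES_NET:
            cats.add(Factor.WHERE)
    except ValueError:
        pass  # unparsable address: location factor not satisfied
    return cats


def is_multifactor(evidence: AuthEvidence, minimum: int = 2) -> bool:
    """True when at least `minimum` distinct factor categories are satisfied."""
    return len(distinct_factors(evidence)) >= minimum


def authorize(role: str, action: str, evidence: AuthEvidence) -> tuple:
    """Return (allowed, reason).

    Authentication strength is checked before the role lookup, so a weakly
    authenticated session is refused regardless of how privileged its role is."""
    if not is_multifactor(evidence):
        return False, "fewer than two distinct authentication factors"
    allowed = ROLE_PERMISSIONS.get(role, set())
    if action not in allowed:
        return False, f"role '{role}' may not '{action}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sessions.
    nurse_on_ward = AuthEvidence([(Factor.KNOW, True)], source_ip="10.20.5.17")
    nurse_at_home = AuthEvidence([(Factor.KNOW, True)], source_ip="203.0.113.9")
    clerk_with_token = AuthEvidence([(Factor.KNOW, True), (Factor.HAVE, True)],
                                    source_ip="203.0.113.9")
    print(authorize("clinician", "write_chart", nurse_on_ward))    # allowed: password + location
    print(authorize("clinician", "write_chart", nurse_at_home))    # denied: only one factor
    print(authorize("billing", "write_chart", clerk_with_token))   # denied: role lacks the action
```

Deriving the location factor from the observed source address rather than from anything the client asserts is the design choice that matters here: it is the one factor the user cannot carry out of the building on a stolen laptop.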
Despite the focus on guarding access, most security incidents are generated from within. Many of these problems arise from innocent mistakes by staff members who are either unaware of security policies, or who have not received ongoing training. In some hospitals, existing policies are not consistently enforced.
"There's an impression that healthcare is slow to adopt IT, but I see a proliferation of technology in the hands of people who don't know the implications of what they have," says Lisa Gallagher, director of privacy and security at HIMSS.
One of the biggest problems facing hospitals right now is the proliferation of mobile devices. In addition to laptops, PDAs and BlackBerrys, there are now a host of medical devices that can be attached to the hospital network, as well as tiny portable USB drives that can hold enormous amounts of data.
While most of the publicly known breaches have been due to laptop loss or theft, many organizations have focused the bulk of their security efforts on securing their internal networks. According to Info-Tech, 73 percent of organizations rated external threats (like viruses and worms) as a top priority, while only 43 percent were interested in mobile device security.