Data security issues were brought to the fore last August when the Department of Veterans Affairs "lost" a hard drive containing 26.5 million patient records. This security breach was of potentially disastrous proportions, says Barry Hieb, analyst and research director at Gartner, Stamford, Conn. "The malice that could have been orchestrated with that many names, social security numbers, and insurance IDs is unfathomable," he says.
However, just as the dust of this latest security blunder had begun to settle, the Government Accountability Office (Washington) released a report citing that 17 security breaches had occurred in the 46 hospitals it has surveyed since 2003 — that's a 36 percent breach rate.
Threats from the inside
"Hospitals spend millions of dollars on firewalls, intrusion detection, anti-virus, and vulnerability applications, all trying to keep people out of their system. But often, the biggest threats come from within an organization," explains Hieb.
As hospitals and patients become increasingly eager to embrace the digital age, more and more information is being siphoned across the Internet. "Although you are providing tremendous access and efficiencies to a hospital by providing this plethora of information, you are also increasing the risk that this information can be accessed by the wrong person," says John DeSantis, CEO of TriChipher, Los Gatos, Calif.
Internal threats are as varied as they are creative. A common risk for healthcare providers is the theft of services. This is usually referred to as friendly fraud. For instance, someone uses their cousin's insurance ID to undergo medical procedures, DeSantis says.
There is also the problem of a hospital employee stealing social security or insurance numbers and selling them on the black market, he explains. And, although it sounds particularly morose, he claims that some employees have been known to use patients' private health conditions, such as HIV status, as a blackmailing tool. "If you'd asked me two or three years ago I would have said that these kinds of incidences are pretty rare, but we're starting to hear about them more and more," DeSantis says.
But why are internal threats such a problem? "The insider is someone you've already given a trusted credential to. You never know when you've given the wrong person the 'keys to the kingdom,â€™â€ says DeSantis. Hospitals typically have thousands of employees, and trying to keep track of "who is authorized to access what" is an onerous process, he contends.
However, not all security breaches are malicious, some are purely unintentional. If a breach occurs when an authorized person divulges private information, this is generally referred to as a breach of privacy, explains John Houston, vice president, privacy and information security and assistant counsel, University of Pittsburgh Medical Center (UPMC).
For example, a UPMC physician unwittingly exposed a patient's private information by including it in a posted presentation on the hospital's Web site, he explains. "He should have known better," Houston says, "but the issue still remains — a patient's private records were out in the public domain."
Hospital data can also be unintentionally exposed through peer-to-peer networks.
Napster is a good example of this, Houston says. When you share files with other people, if you inappropriately configure the software, every file on your computer can be potentially accessible to anyone on that network, he explains. So if somebody downloads a song from a network, in theory they could be exposing every file in their computer to anyone using the same network. "UPMC has implemented software to catch and stop peer-to-peer networks, and staff members are reprimanded if they are caught using them," Houston says.
Keeping data secure
Although there are a myriad of security solutions available, Ricky Johnston, vice president of information systems-operation at Tenet Health, Dallas, says. "There is no alternative to having enterprise wide data security policies and procedures that are well understood and strictly enforced." The creation of security policies is not a static process, Johnston says, and needs to be updated as new technologies become available and new vulnerabilities are identified.
To Johnston, maintaining the security of hospital data is a two-pronged approach, comprised of credentialing and authentication. Every hospital should have a credentialing office, where people manually and electronically check employee credentials, such as university degrees and diplomas for physicians. Tenet Health uses a credentialing software application called Echo, provided by HealthLine Systems, San Diego. "We do all our research in-house, but we use the Echo application to record credentials. Ultimately, there's no way of circumventing the manual process of having a staff member check to see if a physician has the appropriate degree," he explains.
According to Hieb, credentialing software is essentially a recording and storage application. However, newer credentialing applications are also being used to track the performance of an individual, such as how many operations a surgeon has performed in a particular area, or what continuing education modules have they completed, he explains.
Recently, hospitals have started to use a set of solutions called identity proofing or identity verification applications. DeSantis says these applications create what's called an identity score, which is a system for gauging and verifying the legitimacy of an individual's public identity.
Identity scores incorporate a broad set of consumer data, including personal identifiers, public records, and Internet data. The score is then constructed by matching the information the user provides against billions of records in public databases, and calculating it against patterns designed to recognize fraud or identity theft, DeSantis says.
For example, the software can decipher whether the identity information given has been used to create false identities in the past. Many larger institutions hire thousands of employees annually, and although it's important to make sure each individual goes through a manual vetting process, facilities can use identity scores to help expedite the process, DeSantis says.
Hospitals such as Tenet Health and UPMC have constructed an identity management strategy to manage employee identities. UPMC's Houston explains how things came to be at his organization. "We built an in-house identity management system that houses information profiles on every employee, and what systems they have access to," he says.
To ensure that the system is kept up to date, managers are required to assess employees' profiles at their annual review. "We take active, ongoing steps to ensure employee access always remains appropriate," Houston says. "If an employee is fired, human resources file the paperwork, which triggers the identity management software to inhibit future access. In cases where access needs to be terminated immediately, human resources also has the capability to log into the management system and deny access instantly."
Apart from having the correct credentials, a staff member's role is extremely important. "It's a challenge to create and maintain a system that consistently provides the appropriate level of access for each employee," Johnston says. UPMC has implemented a process based around a sponsorship model, which ensures that every user has to be sponsored by a manager or department head.
Tenet Health has also employed a similar system. In addition to requiring sponsorship to get a username and password to access Tenet's system, it has implemented an audited workflow that helps ensure someone can't bypass set policies, Johnston says. To initiate the process, an employee needs to electronically request a username and password to access a particular application, the request is automatically routed to the sponsor for approval, and the sponsor either accepts or denies the request, he explains.
Additionally, UPMC has implemented an automated system that tracks exactly what applications an employee has accessed, and from which terminal. So, if an employee is caught accessing inappropriate information, they are disciplined accordingly, says Houston. "If users know that they are being watched, it provides a greater incentive to do the right thing," suggests Hieb.
Large healthcare facilities typically employ a copious number of contractors and, in most cases, the physicians that access patient records are not employed by the hospital. For this reason, Tenet has a separate process for contractors, which stipulates that sponsors need to renew their access on a monthly basis, explains Johnston. It's the same process for physicians, however, they also need to be checked against the hospital's credentialing system, he says.
The process of authentication can be easy or complex, says Hieb. Authentication is comprised of three factors — who you are, what you know, and what you have, he explains. The typical approach to accessing a hospital system is providing a username and password, which is called one factor authentication. Two factor authentication consists of providing a username and password (one factor) and another item such as a smartcard or fingerprint, says Hieb. He claims that most authentication systems used in hospitals are "not as strong as they should be."
According to Houston, most applications implemented by UPMC come with their own sign-on capabilities. However, some solutions use an alternative security product such as Active Directory, provided by Microsoft, Redmond, Wash. Tenet also utilizes Active Directories for accessing most of its systems and e-mail exchange. "However, we have proprietary sign-on for our clinical applications, patient billing or higher third-party vendors that don't integrate well with Active Directory," he explains. Active Directory is considered to be an industry standard that third-party applications link to for authentication purposes, says Johnston.
To access clinical applications, UPMC uses a single sign-on solution called Vergence, provided by Sentillion, Andover, Mass. It uses a technology called CCOW that enables multiple clinical applications to be synchronized around a specific context, such as a patient or user, explains Houston. For example, when a user selects a patient in one application, all of the applications opened by that user will automatically tune their data displays to the selected patient's data. The applications appear to the user as if they were part of the same product suite. He maintains that granting access to multiple applications at once is not a security risk, as users still undergo a strict credentialing and authentication process to be granted access to the clinical suite.
UPMC has also implemented a key fob device — a key ring that digitally displays computer-generated numbers — made by RSA Securities Inc., Bedford, Mass. This is used by employees to access hospital information remotely. Every 60 seconds it displays a new code generated by an RSA algorithm. "That number is synchronized with a computer server in our data center, so when you log into one of our applications, it asks you not only for a username and password, but it also asks you for the number on your digital display," he says.
UPMC recently released a new patient portal that uses TriCipher's Armored Credential System to provide additional authentication for the portal. According to DeSantis, the solution protects online identities by issuing and managing a variety of credentials. "One part of the credential is generated on the user's computer and the other portion is stored on TriCipher's ID Vault appliance. To successfully authenticate, both parts of the credential must be combined," explains DeSantis. In addition, the TriCipher authentication ladder, which goes from low level to high level authentication, integrates a range of authentication factors including passwords, browser cookies, tokens, smart cards and biometrics to provide a complete authentication system, says DeSantis. "This allows us to allocate differing levels of authentication according to risk level," says Johnston.
Houston says that UPMC has looked into smart cards (they carry a computer chip that stores and processes authentication data) in the past, but wasn't convinced that the technology was up to par. And although he feels the technology has improved, the logistical challenges still remain. "We'd have to install every keyboard with a smart card reader and re-issue all our employees with badges that contained a smart card chip. This would be extremely expensive and potentially very disruptive," says Houston.
A select number of hospitals have begun implementing biometric technologies such as fingerprinting and retina-scanning to further augment security programs. Hieb contends that although biometric technology is well-built, changing procedure in large institutions is difficult to initiate.
"We're also not hearing the right messages from Washington, D.C. If you're a hospital that goes out and implements an RFID security system, and the next week Congress says they advocate the use of fingerprints, then you're stuck," he says. When a hospital selects a new solution, it's at financial risk — the system it chooses could later be decreed as redundant, says Hieb.
Although internal security threats are of paramount concern, Houston warns that the risk of external threats still abounds. Jim Stickley, CTO of TraceSecurity, Baton Rouge, La., makes a living out of proving just how unsecure hospital server rooms can be.
"To steal backup tapes, it's often as easy as dressing up like a pest inspector, walking straight into a server room, and lifting the tapes in one fell swoop," Stickley explains. In most cases these tapes aren't encrypted, so accessing patient information is all too easy, he says.
Houston contends that UPMC is "three quarters of the way through a process to encrypt every desktop computer and every laptop in the hospital."And, as for the backup tapes, he stresses that they are "under lock and key."