Security experts warn that provider leaders who ignore data security put their organizations at risk
As hospitals move forward in implementing electronic health records, data security is often treated as the proverbial 800-pound gorilla in the room: many still have not taken adequate steps to control the data in their organizations. That will change in the next few years, say experts, who predict that hospitals will face increased pressure to develop a good understanding of where sensitive data reside, who has access to them, and how data are being used.
“There is still a lot of work to do in the industry with regard to security,” says Mac McMillan, chair of the HIMSS Privacy and Security Committee at the Chicago-based Healthcare Information and Management Systems Society.
As noted in the 2010 HIMSS Security Survey, released in November, Stage 1 meaningful use incentives call for the use of formal risk analysis and the application of the outcomes to modify the use of controls, policies and procedures. At present, one-quarter of the sample population would not qualify for meaningful use incentives. Moreover, a robust security environment is crucial as hospitals and medical practices increasingly share information with outside organizations, the report says.
According to McMillan, all of this comes back to one issue: providers need to get a handle on their data. And to do that, providers will need to do three things:
Perform risk assessments to identify where the risks are or could be.
Use data loss prevention technology to discover where data reside, and understand the scope of what they need to do to protect them and the types of controls they need.
Audit, using network log management and, especially, application log management technology to track what people are doing with the data.
To be sure, putting in the proper controls requires a fairly significant investment (which McMillan estimates at about $1 million in upfront costs), but is just a fraction of the outlays that are required for a certified electronic health record system. “Across the board we are not spending enough on data security, and that tells me that it is not quite an institutional priority,” he says.
Traditionally, security has been viewed as a cost, when in fact it is an enabler. Once hospitals have a good handle on where their data are, they will be able to make informed decisions about where to make investments in appropriate technology.
Sagi Leizerov, a data security expert with Ernst & Young LLP, Secaucus, N.J., notes that while many of the security issues facing CIOs, chief security officers, and privacy officers at hospitals are not new, the convergence and uptake of various IT technologies are bringing new urgency to the data security arena.
As providers move forward on compliance with meaningful use under the HITECH Act, they are implementing electronic health record solutions capable of communicating with an ever wider array of portable media. Mobile devices such as smartphones, iPads, and Droids have proved to be very popular among clinicians. Portable media are an especially sensitive area for provider organizations because they allow clinicians to work with protected health information using their own devices, Leizerov says.
Cloud computing, which is being embraced by many hospitals as a cost-effective way to introduce new software solutions, also presents security challenges. Many cloud services providers may operate outside the U.S., putting them out of reach when breaches of electronic protected health information occur, Leizerov says.
In addition, various technologies that are allowing patients to take a more active role in their healthcare are on the rise. Leizerov says many providers are using social networking tools to stay in touch with and monitor their patients; pharmaceutical companies have been adept at supplying devices such as blood pressure monitors, allowing the patient to communicate information from the device to a Web site.
RAISING THE BAR
“These are fantastic improvements,” says Leizerov, but he cautions that the level of use of these technologies and the increased amount of data have raised the bar for maintaining security at provider organizations. He says that data breaches are a concern, and also points to an increase in the incidence of health-related fraud, as well as insider threats from employees abusing the access given to them.
“We cannot assume that the status quo of the CIO or security officer or privacy officer can be maintained” at the same levels, he says. “Security and privacy measures have to change, and the level of rigor behind them, because of these great improvements,” he says.
In Leizerov's view, the core elements of managing security are still there; it's how providers apply them that must change. This means paying careful attention to access management, or using thin clients so that health data are not stored on laptop hard drives. He also notes that an encrypted laptop will not protect data while the user is logged on, since the disk is unlocked for the whole session. He recommends using both hard drive encryption and file-level encryption to protect information in a folder.
Providers will also need to exercise diligence with cloud services providers. “You have to think of it as a complex vendor management exercise,” he says. This includes setting up requirements that a vendor must meet, as well as validating that a vendor can provide those services. He recommends that providers periodically monitor the relationship to make sure the commitments are being met, as well as getting assurances that data will be returned or destroyed when a relationship is terminated.
In a new development with implications for cloud vendors, SAS-70, a set of standards developed by the American Institute of Certified Public Accountants to assess the internal controls of vendors, will be phased out in June. Leizerov explains that SAS-70 was originally developed to assess financial controls, but has often been applied to assess vendor controls in the security arena. Beginning in June, a new standard, SOC-2, will be introduced that is geared to that purpose.
Overall, those charged with maintaining security in a hospital need to work on many fronts, say experts. John Kahanek, a principal at CSC, urges hospitals to take a broad view, which goes beyond satisfying requirements of the Health Insurance Portability and Accountability Act (HIPAA), to protecting financial information and the privacy of children as well.
To meet a broad range of compliance issues, Kahanek recommends developing a security framework based on existing standards from the International Organization for Standardization and the National Institute of Standards and Technology, which is referenced in HIPAA. A hybrid approach incorporating standards from both organizations can be used to establish a strategic, high-level framework, as well as more prescriptive control structures, he says. Not least, having such a framework in place can help lend credibility to investments in security technology during budget meetings, he says.
Healthcare Informatics 2011 March;28(3):32-33