In September 2007, the board of the eHealth Vulnerability Reporting Program (eHVRP.org), a collaborative of healthcare industry organizations, technology companies and security professionals, made public the results of a 15-month study assessing the security risks associated with EHR systems.
The study evaluated current industry information security practices, assessed the level of risk related to EHR systems, benchmarked healthcare information security practices against other industries, and produced a set of recommendations on protecting information systems in the healthcare industry. It addressed concerns over the impact on the adoption of e-health from security breaches in EHRs and PHRs. The study surveyed security professionals representing approximately 850 healthcare provider organizations and showed an increasing level of annual security breach encounters reaching 1.5 million this year. The main conclusion of the study was that the healthcare industry must do more to protect EHRs.
Most patient healthcare records are accessed from some sort of Web-based system. These systems are vulnerable to hackers, viruses, unauthorized access, malicious code and other forms of intrusion. Most healthcare companies cannot realistically afford the time, budget and resources that go into assembling an appropriate defense for these systems. As the industry evolves beyond just HIPAA compliance and fully realizes the potential of using EHRs to improve quality and efficiency, sound security practices will be vital to the wellbeing of healthcare organizations.
Since security is not a core competency of healthcare organizations, they can look to a security software-as-a-service approach to alleviate the burdens of time, resources, compliance liability and expense. These security services are provided “on demand” at a predictable monthly subscription rate that is a fraction of the cost to the healthcare provider that it would take to build the infrastructure and hire the staff required to do this themselves. It eliminates the costs of continuous upgrades, compliance audits and tests, additional IT staff, and lengthy network integration projects. This approach offers several different layers of security for the most robust defense and full compliance coverage.
All but the largest organizations can be completely overwhelmed with the time and resources required to put the proper audits in place to be in compliance. According to a recent Gartner Report by Richard Mogull, “Top Five Steps to Prevent Data Loss and Information Leaks,” from lost laptops to misplaced backup tapes to accidental e-mails filled with sensitive information, we seem to be in the midst of a data-loss epidemic, with tens of millions of individuals receiving data-loss notification letters this year.
In the following sections, I will explore the top five solutions that healthcare companies can use to protect EHRs.
Monitor all outbound network traffic and look for policy violations. This includes all e-mail and Web traffic. The tools that are needed to help prevent data loss or theft in this solution include:
· Network Intrusion Detection/Prevention — make sure that you are watching for malicious incoming traffic.
· E-mail Content Filtering — enforce rules that sensitive information can not be sent though normal e-mail.
· Web Browsing Content Filtering — make sure that when your employees are surfing the Web, they are not downloading malicious code.
· Restrict IM to an “Internal Only IM Service” — This is a huge security risk if you are allowing IM outside of your organization.
Assume that all lost tapes/media have the potential for exposure of sensitive information. The tools that are needed to help prevent data loss in this case include:
· Investigate offsite storage options — maybe a secure remote data backup solution is better than tape or disk shipments.
· Encrypt during delivery and storage — things will get lost or stolen, and anything shipped needs to be encrypted.
· Own the encryption key — so you are the one in control of the encryption.