
Data Security is More than Passwords

August 26, 2010
by John DeGaspari

I recently had an opportunity to speak with industry experts and hospital CIOs on the challenges faced by hospitals in securing patient data against breaches. To be sure, there have been a number of highly publicized data breaches involving health providers over the last few months. Some potential security gaps are the result of new technological trends—such as the wave of smart phones and other mobile devices—while others are of a decidedly low-tech variety.

One of the most egregious—and low-tech—incidents occurred last month when a reporter from the Boston Globe discovered paper patient records from four Boston-area community hospitals in a pile at a public dump. Those records included results of laboratory tests, together with patients’ names, addresses and social security numbers. The records were alleged to have been discarded by a local billing company used by the hospitals.

To me, the incident demonstrated that not all breaches can be prevented by secure passwords and firewalls, although those are certainly crucial as hospitals move toward electronic health records. But it’s important to keep in mind that there are really no alternatives to thoroughly vetting outside vendors on which health providers depend for a variety of services.

I recently asked Mac McMillan, who is chair of the HIMSS Privacy and Security Steering Committee, as well as CEO of CynergisTek, Inc., about his biggest concerns over healthcare data security. High on his list is vendor management, by which he means “having a good handle on the security capabilities and precautions of the people you do business with.”

He maintains that it is the responsibility of health providers to do a thorough evaluation of third-party vendors that will have access to a hospital’s protected health information. When evaluating vendors, McMillan says healthcare providers need to ask questions about a potential vendor’s security procedures, put their expectations in a contract, and lay out specific requirements that the vendor must meet in order to do business together.

I think that is common sense, and is good advice for hospitals to guard against all types of security breaches, whether they are sophisticated threats against the electronic health records or sloppy handling of paper records. Both the vendors and hospitals share responsibility in protecting against security breaches, McMillan notes. But it is the hospital’s reputation that suffers when breaches occur.




Security is only half the issue. Security is about authorized access to the application. Privacy is about controlling who gets to see what. Strong authentication, encryption, and access logging are only part of the solution. What needs to be addressed is privacy. The question is, should patients have control over how their health information is shared or not?

It does not take a "breach" for information to potentially go to someone the patient does not want to see it.

Data Security is more than Passwords, but simultaneously passwords are also important to keep secure. Patients' electronic medical records, such as laboratory tests, together with the patients' names, addresses, and social security numbers, must be kept secure. They should be displayed to only the patient and doctor. But there should be an option for the patient's doctor, which medical record he wants to show. Suppose a patient has a normal fever and also has a critical disease. If he visits the doctor for the purpose of a fever, then he should only show his demographic information and previous fever history, but not his personal critical disease records. For that there should be two passwords in his medical record software, such as a public password and a private password. He uses his public password to show only his demographic record and his normal disease record (such as fever, cold, etc.), but not his laboratory-related and critical disease-related medical record, to any general doctor. Similarly, using this password he can show only those data to hospital administrators or insurance officers who are required to give the basic information for their work, while the rest is still secure. And using his private password he can show his critical disease-related data to that particular specialty doctor. This way, the patient can decide which data is to be displayed to which doctor according to the role of that doctor. And nobody else can see the patient's medical data, which should be kept secure. So there is a great use of passwords which will help to protect the patient's electronic medical record.