Breach In Delivery
Healthcare industry struggles to leverage mobility while protecting patient information
- By John Livingston
- Jun 01, 2008
To eliminate inefficiencies, reduce errors and drive down the costs associated with delivering medical care, healthcare organizations worldwide have transitioned abruptly from a largely paper-based administration system to one based on electronic health records. With the widespread adoption of EHRs and mobile computing technology, the administrative gap between the standards of healthcare and other industries has narrowed and exposed a new threat: data breaches associated with lost or stolen computers.
With electronic protected health information stored on laptop computers in the hands of physicians, nurses, HMO brokers and insurance underwriters, health organizations face negative publicity, fines—averaging $197 per record across all industries—and increased costs if even a single laptop goes missing. To avoid becoming the next media headline, healthcare organizations now must demonstrate that they know where their mobile computers are, who is using them and what information is stored on them. They also must be able to demonstrate that patient information is protected in the event that a computer goes missing.
Move Toward Mobility
In 2008, one in every two computers in the world will be a laptop. Health organizations, including HMOs, clinics, hospitals and related organizations such as pharmacies and home care services, are participating in this trend. At the same time, pressure to drive down costs and improve administrative efficiency has fueled a convergence of electronic protected health information on laptops. Together, these trends make healthcare organizations profitable targets for identity thieves and other computer criminals.
Identity thieves typically attempt to use stolen information to obtain credit cards, mortgages or travel documents. Recently, a new breed of thieves has begun to use stolen identities for free medical care. For example, having gone into the hospital for shoulder surgery, a 56-year-old retired schoolteacher was shocked to receive a bill for the amputation of her foot. Her foot was intact, and the person who had stolen her identity had received the operation free of charge. The teacher faced a lengthy process to prove that she was the victim of identity theft and not the perpetrator.
The Regulatory Landscape
No single factor in recent history has had a greater impact on the administration of healthcare than regulatory compliance. For healthcare IT professionals, the impact of regulation ranges from relatively nontechnical auditing requirements to sophisticated technical procedures aimed at protecting health information.
The 2002 California Security Breach Information Act added a new, public dimension to regulatory compliance in healthcare. In the event of a data breach such as a lost laptop computer containing sensitive information, the law compels organizations—healthcare included—to notify all parties whose personally identifying information has been exposed. Following California’s lead, the majority of states have enacted similar data breach laws.
So, while the much-talked-about HIPAA has mandated a more methodical approach to managing sensitive health information, state data breach laws have provided strong motivation for healthcare organizations to protect information and, consequently, themselves.
Prevention Strategies
How can healthcare organizations take advantage of recent advances in mobile computing while safeguarding patient and HMO member information?
While many watchdogs and analysts promote encryption technology as healthcare’s data security savior, recent headlines have made it abundantly obvious that no single data security measure will provide adequate protection. Many times, this is because employees undermine otherwise robust data security plans. After a laptop theft at a 2,400-physician Michigan-based hospital, for example, a nurse sheepishly admitted to taping her laptop encryption key to the laptop’s keyboard. In fact, a recent Research Concepts survey indicates that only one in 100 employees consistently follows company policies regarding data security, such as those requiring the encryption of sensitive data.
While encryption is a necessary security measure, only a multilayered approach to protecting health information provides adequate protection when a laptop containing health information is lost or stolen. A typical multilayered strategy includes a clear data security policy, physical deterrents such as cable locks, and encryption backed by BIOS-supported remote data delete and theft recovery capabilities.
Data Breach Preparedness
After a 2007 data breach resulting from the theft of a nurse’s laptop, IT staff at Minneapolis-based Allina Hospitals and Clinics changed the way the 11-hospital system managed mobile devices. Two weeks after the incident, Allina deployed Computrace IT asset management, remote data delete and theft recovery services from Vancouver, Canada-based Absolute Software as a complement to its Utimaco encryption system.
“Computrace immediately gave us visibility into our laptop population. We can see where the laptop is, who is logging in and what software is installed,” said Brad Myrvold, Allina’s manager of desktop technology. “It also allows us to verify that the laptop’s encryption is up to our standard, which is key for regulatory compliance.”
With a multilayered data security plan in place, Allina is able to use laptop computers while delivering the highest standard of protection for its computers and the sensitive information they contain.
“Computrace makes managing laptops much safer and easier,” Myrvold said. “We know immediately if a laptop begins to drift off our radar, and we can send the department manager a message asking them to investigate. If a computer is lost or stolen, Computrace is a lifeline. If we are concerned about the information on it, we use Computrace to remotely delete it. We can also use Computrace to verify that the computer’s encryption was up to standard at the time of the theft. Finally, we can physically recover the computer, which puts everyone’s mind at rest.”