Healthcare Data Security In Need Of Care

A thief steals a laptop full of medical records from a nurses’ station. A veteran emergency department clerk text messages an accomplice the Social Security numbers of badly injured patients. A disgruntled former employee sabotages the network of a large healthcare provider.

Data breaches like these often grab headlines, highlighting the fact that healthcare providers maintain data ranging from credit card numbers to a person’s most intimate health details.Yet while it may seem obvious such sensitive data should be treated with the highest levels of physical and virtual protection, many healthcare providers fail to do so.

A lack of coordination among physical, privacy and virtual security officers, a focus on regulatory compliance as compared to data security and a culture in which patient care must not be compromised are key factors in a slower move to convergence in healthcare than in many corporate settings.

“Physical security generally isn’t connected to virtual security,” says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society in Chicago. “Risk management is still nascent in healthcare.”

Many Specialties

Just as physicians practice various medical specialties, in many healthcare institutions, security issues cut across physical, virtual, administrative and clinical boundaries. Healthcare’s physical security demands are intense, encompassing the flow of caregivers, patients, visitors and support staff across buildings and grounds, parking lots or garages, gift shops and sometimes certain patient wards, such as the emergency department and maternity/pediatrics.

Meanwhile, many healthcare IT shops are charged with maintaining high-volume, high-bandwidth networks running vital clinical applications ranging from electronic health records to image-intensive radiology and lab results, and Web-based physician portals -- in addition to critical business applications like patient administration and billing.

Next, many providers have a chief privacy officer responsible for ensuring the institution complies with federal and, increasingly, state laws governing the privacy of health information.

In this complex world, healthcare sources say it’s hard to develop and fund converged security solutions unless security, IT and even privacy officers cooperate to coordinate technology requests, reduce duplicate efforts and present clear benefits to hospital administrators.

“IT and security are seen as expenses; they don’t generate revenues,” says Evelyn Meserve, executive director of the International Association of Healthcare Security and Safety, Glendale Heights, Ill. Meserve has worked in physical healthcare security for more than 15 years. “One way directors of these areas have been successful in funding new projects is by showing a business plan and return on investment.”

The most effective plans, Meserve says, show potential losses from security problems, including problems recruiting or retaining personnel.

A cooperative approach between physical and virtual security is critical, says Bob Pappagianopoulos, chief information security officer and corporate director of technical services for Partners HealthCare in Boston. The integrated healthcare delivery system has about 60,000 employees and encompasses Brigham and Women’s Hospital and Massachusetts General Hospital, along with nearly a dozen community hospitals and other clinics and physicians’ groups.

Coordinating agendas, dividing duties and preventing duplicate efforts all come down to physical and virtual security experts having a strong working relationship, Pappagianopoulos says. “Success really depends on the people in the positions,” he says.

Pappagianopoulos has worked with Bonnie Michaelman, Partners’ director of physical security, for about 10 years.

“We’ve built on really good communication between our worlds,” he says. One joint project between his department and physical security has been researching means of securing physicians’ laptops, such as encrypting data on them and potentially using location-based data measures to alert police if one is lost or stolen. “We definitely partner anywhere data can sprout legs and walk away,” he says.

Data With Legs

Mobile data device protection is one area in which physical and virtual data security convergence is necessary -- and urgent, say consultants and providers.

“If there’s patient data on those, you’re in the newspaper,” Gallagher says. Healthcare providers increasingly use portable equipment to collect patient data, to access data and to signal caregivers.

The range of easily lost or stolen devices and media includes PDAs, laptops, CDs and DVDs, flash and thumb drives and data cards.

Human behavior is a crucial factor in securing not just mobile data devices, but all healthcare data, say consultants and hospital security sources.

“You can have the slickest physical security, the greatest technical measures in place, but if you don’t have policies or they aren’t followed, you’re not secure,” says Chris Apgar, CISSP, president of Apgar & Associates, a healthcare security consultancy based in Portland, Ore.

Healthcare security policies often are shaped by regulations designed to ensure data privacy, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law establishes security procedures and guidelines for maintaining the confidentiality of protected health information. Similarly, the healthcare industry’s powerful accreditation body, the Joint Commission, now includes data privacy reviews in its credential reviews.

Compliant, But Not Secure

While high data security might seem the obvious means of ensuring data privacy, that’s often not the case in healthcare provider settings. Many providers focus on complying with regulations while remaining blind to their greater data security risks, according to the 2008 “HIMSS Analytics Report: Security of Patient Data,” commissioned by Kroll’s Fraud Solutions.

That report says “by and large, healthcare organizations have not been dealing with the area of accessing data with malicious intent.” Yet simultaneously, the institutions are extremely familiar with, and in compliance with, HIPAA and other regulations affecting them, such as Sarbanes- Oxley and state or local regulations. HIPAA in particular focuses on inappropriate or inadvertent access or disclosure of private healthcare data, such as by caregivers discussing cases in public areas or situating computerized medical records screens in visible areas.

“The institutions are focused on meeting the existing letter of the law versus risk management,” says HIMSS’ Gallagher. When an institution is declared compliant by a privacy expert or officer, CIOs often don’t think additional data security measures are necessary, she says.

This is not true for all institutions. At Partners, data security was the larger goal that encompassed privacy measures, Pappagianopolous says.

“I see data privacy and data security as tightly integrated,” says Ronald G. Mar- cum, M.D., CISO and chief privacy officer for Oregon Health and Sciences University in Portland.“You cannot achieve one without the other.”

Yet some caregivers concerned about privacy don’t always appreciate its connection to security.

“It’s tough getting the connection between privacy and security in a physician’s mind,” Apgar says.“That’s slowly changing, but it’s slow.”

Patient Care Vs. Security

That resistance may come because caregivers sometimes view security measures as interfering with their ability to deliver care.

In the corporate world, a lost or forgotten password is a nuisance. In healthcare, being unable to log onto a PC with health records literally could be fatal to a patient.

So it’s common for caregivers to share passwords, use a group password or fail to log off so another caregiver may have quick access to data. Using strong passwords has to be balanced with access needs, say healthcare security experts. Healthcare provider sources cite other examples of how the unique nature of their work strongly influences their security measures.

Biometrics has not gained a large following in healthcare because most providers are gloved. Video surveillance would need to be vetted to ensure its viewing area was in compliance with privacy laws.

Integrated physical and virtual access control, such as a badge reader that must verify users before they can access the hospital network, is rare, say healthcare security sources. They point out most hospitals are open facilities -- and, in fact, see openness as part of their mission.

“Changing that means changing culture and workflow,” Gallagher says. She and others note that vendors trying to enter the healthcare security market need to recognize the potential impact of their solutions on a provider’s patient care flow.

“We on the security side are trying to be more business-friendly,” Pappagianopoulos says. He says physicians are becoming more technology and security savvy, yet ease of use is still their top priority. His department tries to supply secure but workable solutions physicians will use, not work around.

Finding that balance is critical to building a foundation of trust between patient and healthcare institution, Marcum says. “Patients need to feel their data is being appropriately used and disclosed,” he says. Or put more simply: “If you don’t do security right, you can’t do good patient care,” Pappagianopoulos says.

Featured

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

Featured Cybersecurity

Webinars

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3