Healthcare Data Security In Need Of Care

• By Sharon J. Watson
• Jul 11, 2008

A thief steals a laptop full of medical records from a nurses’ station. A veteran emergency department clerk text messages an accomplice the Social Security numbers of badly injured patients. A disgruntled former employee sabotages the network of a large healthcare provider.

Data breaches like these often grab headlines, highlighting the fact that healthcare providers maintain data ranging from credit card numbers to a person’s most intimate health details.Yet while it may seem obvious such sensitive data should be treated with the highest levels of physical and virtual protection, many healthcare providers fail to do so.

A lack of coordination among physical, privacy and virtual security officers, a focus on regulatory compliance as compared to data security and a culture in which patient care must not be compromised are key factors in a slower move to convergence in healthcare than in many corporate settings.

“Physical security generally isn’t connected to virtual security,” says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society in Chicago. “Risk management is still nascent in healthcare.”

Many Specialties

Just as physicians practice various medical specialties, in many healthcare institutions, security issues cut across physical, virtual, administrative and clinical boundaries. Healthcare’s physical security demands are intense, encompassing the flow of caregivers, patients, visitors and support staff across buildings and grounds, parking lots or garages, gift shops and sometimes certain patient wards, such as the emergency department and maternity/pediatrics.

Meanwhile, many healthcare IT shops are charged with maintaining high-volume, high-bandwidth networks running vital clinical applications ranging from electronic health records to image-intensive radiology and lab results, and Web-based physician portals -- in addition to critical business applications like patient administration and billing.

Next, many providers have a chief privacy officer responsible for ensuring the institution complies with federal and, increasingly, state laws governing the privacy of health information.

In this complex world, healthcare sources say it’s hard to develop and fund converged security solutions unless security, IT and even privacy officers cooperate to coordinate technology requests, reduce duplicate efforts and present clear benefits to hospital administrators.

“IT and security are seen as expenses; they don’t generate revenues,” says Evelyn Meserve, executive director of the International Association of Healthcare Security and Safety, Glendale Heights, Ill. Meserve has worked in physical healthcare security for more than 15 years. “One way directors of these areas have been successful in funding new projects is by showing a business plan and return on investment.”

The most effective plans, Meserve says, show potential losses from security problems, including problems recruiting or retaining personnel.

A cooperative approach between physical and virtual security is critical, says Bob Pappagianopoulos, chief information security officer and corporate director of technical services for Partners HealthCare in Boston. The integrated healthcare delivery system has about 60,000 employees and encompasses Brigham and Women’s Hospital and Massachusetts General Hospital, along with nearly a dozen community hospitals and other clinics and physicians’ groups.

Coordinating agendas, dividing duties and preventing duplicate efforts all come down to physical and virtual security experts having a strong working relationship, Pappagianopoulos says. “Success really depends on the people in the positions,” he says.

Pappagianopoulos has worked with Bonnie Michaelman, Partners’ director of physical security, for about 10 years.

“We’ve built on really good communication between our worlds,” he says. One joint project between his department and physical security has been researching means of securing physicians’ laptops, such as encrypting data on them and potentially using location-based data measures to alert police if one is lost or stolen. “We definitely partner anywhere data can sprout legs and walk away,” he says.

Data With Legs

Mobile data device protection is one area in which physical and virtual data security convergence is necessary -- and urgent, say consultants and providers.

“If there’s patient data on those, you’re in the newspaper,” Gallagher says. Healthcare providers increasingly use portable equipment to collect patient data, to access data and to signal caregivers.

The range of easily lost or stolen devices and media includes PDAs, laptops, CDs and DVDs, flash and thumb drives and data cards.

Human behavior is a crucial factor in securing not just mobile data devices, but all healthcare data, say consultants and hospital security sources.

“You can have the slickest physical security, the greatest technical measures in place, but if you don’t have policies or they aren’t followed, you’re not secure,” says Chris Apgar, CISSP, president of Apgar & Associates, a healthcare security consultancy based in Portland, Ore.

Healthcare security policies often are shaped by regulations designed to ensure data privacy, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law establishes security procedures and guidelines for maintaining the confidentiality of protected health information. Similarly, the healthcare industry’s powerful accreditation body, the Joint Commission, now includes data privacy reviews in its credential reviews.

Compliant, But Not Secure

While high data security might seem the obvious means of ensuring data privacy, that’s often not the case in healthcare provider settings. Many providers focus on complying with regulations while remaining blind to their greater data security risks, according to the 2008 “HIMSS Analytics Report: Security of Patient Data,” commissioned by Kroll’s Fraud Solutions.

That report says “by and large, healthcare organizations have not been dealing with the area of accessing data with malicious intent.” Yet simultaneously, the institutions are extremely familiar with, and in compliance with, HIPAA and other regulations affecting them, such as Sarbanes- Oxley and state or local regulations. HIPAA in particular focuses on inappropriate or inadvertent access or disclosure of private healthcare data, such as by caregivers discussing cases in public areas or situating computerized medical records screens in visible areas.

“The institutions are focused on meeting the existing letter of the law versus risk management,” says HIMSS’ Gallagher. When an institution is declared compliant by a privacy expert or officer, CIOs often don’t think additional data security measures are necessary, she says.

This is not true for all institutions. At Partners, data security was the larger goal that encompassed privacy measures, Pappagianopolous says.

“I see data privacy and data security as tightly integrated,” says Ronald G. Mar- cum, M.D., CISO and chief privacy officer for Oregon Health and Sciences University in Portland.“You cannot achieve one without the other.”

Yet some caregivers concerned about privacy don’t always appreciate its connection to security.

“It’s tough getting the connection between privacy and security in a physician’s mind,” Apgar says.“That’s slowly changing, but it’s slow.”

Patient Care Vs. Security

That resistance may come because caregivers sometimes view security measures as interfering with their ability to deliver care.

In the corporate world, a lost or forgotten password is a nuisance. In healthcare, being unable to log onto a PC with health records literally could be fatal to a patient.

So it’s common for caregivers to share passwords, use a group password or fail to log off so another caregiver may have quick access to data. Using strong passwords has to be balanced with access needs, say healthcare security experts. Healthcare provider sources cite other examples of how the unique nature of their work strongly influences their security measures.

Biometrics has not gained a large following in healthcare because most providers are gloved. Video surveillance would need to be vetted to ensure its viewing area was in compliance with privacy laws.

Integrated physical and virtual access control, such as a badge reader that must verify users before they can access the hospital network, is rare, say healthcare security sources. They point out most hospitals are open facilities -- and, in fact, see openness as part of their mission.

“Changing that means changing culture and workflow,” Gallagher says. She and others note that vendors trying to enter the healthcare security market need to recognize the potential impact of their solutions on a provider’s patient care flow.

“We on the security side are trying to be more business-friendly,” Pappagianopoulos says. He says physicians are becoming more technology and security savvy, yet ease of use is still their top priority. His department tries to supply secure but workable solutions physicians will use, not work around.

Finding that balance is critical to building a foundation of trust between patient and healthcare institution, Marcum says. “Patients need to feel their data is being appropriately used and disclosed,” he says. Or put more simply: “If you don’t do security right, you can’t do good patient care,” Pappagianopoulos says.