Patient data security: How hospitals keep pace
By Susan D. Hall - Source: FierceHealthIT
In their efforts to secure patient data, hospital executives continue to worry about mobile devices--and are employing technology to help. But they acknowledge that the human factor remains the trickiest part of data security.
"There's this expectation that you should have access to everything, everywhere," Peter Odegard, information security officer at Children's Hospitals and Clinics of Minnesota, told FierceHealthIT of his concerns about the consumerization of mobile devices.
A second big worry is that the number of vendor partners that host, store or analyze data just keeps growing.
Government regulations such as the Meaningful Use program and the HIPAA regulations have been a good thing, he says, because they have provided funding and mandate security practices such as risk assessment.
"It's giving us broader input," he said. "Now we're collaborating across departments and pushing priorities. It's providing accountability that we didn't really have before."
Odegard and two other executives--Frank Davis, chief medical informatics officer at Savannah, Georgia-based Memorial University Medical Center, and Denver Health CIO Jeff Pelot--recently spoke to FierceHealthIT about their efforts to protect patient data across a variety of platforms.
Systems management key for Children's Hospitals in Minnesota
As Children's Hospitals and Clinics of Minnesota, with 326 staffed beds at two campuses in St. Paul and Minneapolis, increasingly gets rid of paper, the number of systems to be managed continues to grow. It has to know what data it has, where the data resides and its points of vulnerability.
The organization uses data loss prevention software to get a broader view of how data flows. Though that tool is focused on keeping data within the hospital's own walls, the organization also has to let data flow outside, and to make sure it does so securely and appropriately.
"You can see it and the people doing it, which makes it more real," Odegard told FierceHealthIT. "A lot of times, it's a physician wanting to send something back to their practice."
Though it's involved with health information exchange (HIE) efforts, which aren't yet widespread, the organization focuses on sending children back to their families, which also means securely sharing information with providers back in the community and with families through a patient portal.
Dealing with around 1,600 providers--400 employed by the organization and the rest a range of pediatric specialists--security becomes an ongoing issue.
"We're in this constant state of cultural conflict. They're operating as a small business and we're operating as an enterprise. So it becomes an issue of risk assessment and what that means," he said. With the latest HIPAA update, the hospital has been working to educate physicians about business associate agreements.
He pointed to three areas of particular focus:
- Secure email
- Screen timeouts: Children's is using badge technology to let providers log back in and quickly get back to the place they left. "If it were my child they were treating in an emergency, I wouldn't want them worrying about getting back in," Odegard said. At the same time, workers have to be mindful of the information displayed.
- Authentication and hard tokens: With more people logging in, it becomes a sales job to press for authentication such as challenge questions, while understanding workers' workflow needs, he said.
Memorial's challenges with texting, image sharing
Texting and photo-sharing are two areas of concern for Frank Davis, chief medical informatics officer and trauma/critical care surgeon at Memorial University Medical Center, a 654-bed regional hospital in Savannah, Georgia.
"Everyone wants easy access to the data, but easy access makes us a very vulnerable target," Davis told FierceHealthIT. "Security is always a balance between easy access and keeping the data safe. ... The safer you make it to keep the bad guys out, the harder it is for the good guys to use it. That's the battle we all face."
Memorial is a teaching hospital, and Davis noted that residents in particular rely on text messaging.
"They hardly ever even use a telephone anymore," Davis said.
To that end, Memorial is transitioning to a secure text-messaging platform, which is a big challenge because of the costs involved. It's looking at a complete communications platform that requires each person to download an applet to their phone.
"We have around 4,000 employees and most services charge per device," Davis said. "If it's $5 per month per employee, that's a lot of money, but we have a responsibility to keep the information safe."
Memorial also plans to deploy, in the next quarter or so, technology for secure image sharing. Images remain a challenge, Davis said.
"I'm a trauma surgeon and often in the middle of the night, I'll be in the operating room with a pretty bad wound," he said. "I'll need to send a picture of that wound to the plastic surgeon who might not come in that night. I need to get it to the subspecialist in a HIPAA-compliant way, but we really need to get that image into the electronic health record, and that's the ultimate goal.
"We still have to treat patients, but like a lot of hospitals, we're struggling with all these [security] issues," Davis added. "Without spending billions of dollars right this second, we can't fix everything."
Davis said that Memorial can fully lock down and control the devices it deploys itself, but noted that some employees would rather bring their own devices, which can only be locked down to a certain point.
"I can't prevent them from going to their own texting software and sending a message," he said. "This is all a balance, and it's imperfect."
The organization makes privacy training a priority, Davis said, and sends out continual reminders, things like, "You can't talk about patients in the elevator because it's not a secure area." It's an ongoing project, he said.
However, he said, he would like to see more emphasis in the industry on two-factor authentication, particularly with the use of biometrics.
Security plans are a bull's-eye at Denver Health
Denver Health CIO Jeff Pelot likes to think of the organization's security plans as a bull's-eye, with layers of protection growing out from its center, which would be its data centers.
In the end, though, he told FierceHealthIT, "it's more how our personnel think about it. It's not so much the electronic systems."
The 477-bed safety-net hospital has had some incidents, generally with younger residents, trying to get work done by taking patient information home on a USB drive--and then having that drive or the home computer lost or stolen, he said.
"It's always at the end points, when you get into the people processes and social aspects of how people move around, that it gets much more difficult," he said.
Though employees can log into the systems from anywhere in the world, no data will be stored on their devices and they can't print it, Pelot said.
"But internally, at the desktop ... at the fax machine, those areas are uncontrolled for the most part," he said. "So we want to make sure people are paying attention."
Years ago, the organization adopted single sign-on and a system to prevent people from sharing accounts. A decade ago, he said, it was common in an ambulatory setting for PCs to be on all day in patient rooms with no controls, with staff treating patients roaming from room to room. Denver Health adopted a card system that allows each staffer to swipe into the system and swipe out afterward. The next person, with role-based controls, swipes in to his or her own session later. That system has grown more sophisticated and now uses tap-and-go technology to make access even quicker, but to provide appropriate access.
Pelot acknowledged that HIPAA compliance and security aren't necessarily the same thing.
"If you look at Target, they were probably totally PCI [Payment Card Industry standards] compliant, but that didn't make them secure," he said. "You can see a corollary in healthcare. We've got these regulations--we're bound by PCI and HIPAA and the College of American Pathologists have their own rules. The FCC's got rules. So we're working with all these things to protect our information, but that makes you compliant, but not necessarily secure."
Security, he added, comes at a cost.
"This is a common conversation with my peers, just because the cost of [that security] provides no specific value into the business purpose," Pelot said. "But you have to pay attention to it. How much is enough? When is it enough? And it never stops."