
Product Category Analysis: Security on Connected Systems

Clinical information systems have become more connected to remote services while privacy regulations continue to be a cause for concern. “Protecting confidential data online is of increasing importance to organizations across a broad range of sectors. With HIPAA and other patient privacy measures in place, healthcare organizations are under increasing scrutiny to safeguard private health information,” said Sanjay Mehta, senior vice president for Breach Security.


Though security issues remain a top concern, wireless components will see increasing use to overcome human latency, among other problems. Human latency (the phenomenon in which one part of a system waits for another part to catch up, so that a human's involvement delays the resolution of a critical situation or prevents the delivery of critical information or expert advice) has plagued the $2.26 trillion health care industry for decades.

“Human latency poses a huge liability in health care,” says Laurence Guihard-Joly, vice president of Integrated Communications Services at IBM. “In an environment where anytime, anyplace communications is critical, wireless and mobility solutions allow health care providers to dramatically improve decision-making processes and bring more resources directly to the patient.”

Toronto East General Hospital, a large urban, full-service community hospital in Ontario, recently introduced an IBM solution that included a unique combination of Cisco wireless network, wireless communication devices from Vocera, and real-time event driven notification software from GlobeStar Systems. The hospital estimates that upon project completion, approximately 800 critical care staff members will be using the hospital's innovative wireless communicators.

While that’s all well and good, few physician practices can go to such lengths to achieve wireless accessibility and still safeguard the information. So, what can a physician’s office do to obtain the same secure ends? First, understand where the liabilities lie.

Absolute Software identifies the top five computer security risks for healthcare as:

1. Failure to Protect Sensitive Data Beyond Encryption

According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops. However, a recent Research Concepts survey found that 72% of IT asset managers believe their own employees – those with access to encryption keys and passwords – were responsible for most incidents of data breach in their organizations. With lost or stolen mobile computers cited as the cause of nearly 50% of data breaches, healthcare organizations must complement encryption with the ability to remotely delete EPHI from missing computers for the highest level of data protection.

2. Inability to Accurately Manage Mobile Computer Assets
In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets. Internet-based, firmware-persistent IT asset management solutions such as Computrace can provide visibility into as much as 99.7% of a computer population – regardless of computer location.

3. Sensitive Information on Public Terminals
Many healthcare facilities allow public information to be accessed on open-air terminals, such as reception desks, nursing stations, public information terminals, and help stations. These workstations are at great risk of data breaches and information can be easily accessed and downloaded. Unattended stationary computers should always be monitored and protected with an authentication prompt.

4. Difficulty Implementing a Comprehensive Data Security Plan
Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords. The plan needs to be reviewed and updated consistently to ensure maximum effectiveness.

5. Reluctance to Create a Data Breach Policy
Few healthcare facilities have ‘nightmare scenario’ policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media. In a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local law enforcement to recover them.

At a bare minimum, physician practices should cover three essential checkpoints to tighten security, according to Richard Stiennon, chief research analyst at IT-Harvest, an independent research firm covering the IT security industry.

1. Strictly control access. There are many ways that data is made available for transfer from clinical data systems. Never run an open-ended system. Require suppliers of technical support to log in with individual user names and passwords over SSH, not telnet or FTP. Use a secure file transfer system for exporting data.

2. Use a firewall to limit access to pre-determined locations. In other words, only specific IP addresses should be granted access, and only to specific destinations within your office.

3. If you create physical backup disks, CDs, or tapes, you must encrypt that data.
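Checkpoints 1 and 2 above amount to an allowlist: known vendor source addresses, known internal destinations, SSH only, individual accounts. The following is an added example (not code from the article or from Stiennon) that audits a constructed connection log against such a policy; the policy networks, internal host addresses and log format are all hypothetical values chosen for illustration.

```python
"""Audit remote-support connection attempts against an allowlist policy.

Demonstrates the article's first two checkpoints: vendor support may reach
only pre-determined internal destinations, from pre-determined source
addresses, only over SSH (never telnet or FTP), using an individual account.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical policy for a small practice (constructed example values).
# Each entry: allowed vendor source network -> set of (internal host, port).
POLICY = {
    ipaddress.ip_network("203.0.113.0/24"): {("10.0.5.10", 22)},   # EHR vendor support
    ipaddress.ip_network("198.51.100.7/32"): {("10.0.5.20", 22)},  # lab interface vendor
}

# Clear-text services the article says not to use, keyed by their standard
# port. Port-based detection is a heuristic; a service on a non-standard
# port would need protocol inspection to catch.
FORBIDDEN_PORTS = {21: "FTP", 23: "telnet"}

# Generic account names that defeat per-person accountability.
SHARED_ACCOUNTS = {"support", "admin", "vendor", "root"}


@dataclass
class Verdict:
    line: str
    allowed: bool
    reason: str


def parse_line(line):
    """Parse the constructed log format: 'src=<ip> dst=<ip> port=<n> user=<name>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["port"]), fields.get("user", "")


def evaluate(line):
    """Return a Verdict for one connection attempt."""
    src, dst, port, user = parse_line(line)
    if port in FORBIDDEN_PORTS:
        return Verdict(line, False, f"{FORBIDDEN_PORTS[port]} is clear-text; require SSH")
    src_ip = ipaddress.ip_address(src)
    for net, destinations in POLICY.items():
        if src_ip in net:
            if (dst, port) not in destinations:
                return Verdict(line, False, f"{src} is not permitted to reach {dst}:{port}")
            if not user or user in SHARED_ACCOUNTS:
                return Verdict(line, False, "shared or missing account; require individual logins")
            return Verdict(line, True, "allowed by policy")
    return Verdict(line, False, f"source {src} is not a pre-determined location")


# Constructed sample log: one allowed attempt and five policy violations.
SAMPLE_LOG = [
    "src=203.0.113.40 dst=10.0.5.10 port=22 user=jsmith",    # allowed
    "src=203.0.113.40 dst=10.0.5.10 port=23 user=jsmith",    # telnet
    "src=203.0.113.40 dst=10.0.5.20 port=22 user=jsmith",    # wrong destination
    "src=198.51.100.7 dst=10.0.5.20 port=22 user=support",   # shared account
    "src=192.0.2.99 dst=10.0.5.10 port=22 user=jsmith",      # unknown source
    "src=198.51.100.7 dst=10.0.5.20 port=21 user=mlee",      # FTP
]


def audit(lines):
    """Evaluate every log line and return the list of verdicts."""
    return [evaluate(line) for line in lines]


def denied_count(lines):
    """Number of attempts the policy would reject."""
    return sum(1 for v in audit(lines) if not v.allowed)


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("ALLOW" if v.allowed else "DENY ", v.reason, "|", v.line)
```

Running the script prints one verdict per log line; only the first attempt passes. The checks are ordered so that a clear-text protocol is rejected before the source is even consulted, since a telnet or FTP session from an approved vendor address is still a violation of checkpoint 1.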

Stiennon recommends the following product suppliers of firewalls:
  • Fortinet
  • Sonicwall
  • Astaro

And for secure file transfer:
  • Axway
  • Stirling
  • IPSwitchFT

There are additional steps you can take to fully protect patient data. Rene Poot, international systems engineer from NCP engineering, a provider of secure remote network access and VPN solutions, believes that an IPSec VPN connection can allow for total protection of all applications in clinical information systems, as well as enable a much more flexible system for future growth. Bundled solutions that integrate data encryption, personal firewalls and one-time password token and certificate support through a public key infrastructure (PKI) are key security components for off-network handling of patient data. Dynamic firewalls allow IT managers to set policies for ports, IP addresses and segments, as well as applications. Configuration and policy logic should also be easily set and managed centrally or through the VPN client itself. Friendly Net Detection is also critical—forcing the network to identify itself to remote devices, preventing any data packet transfer until a safe network has been detected.