John Glaser
Jennings Aske

At a Glance

A provider's initial priorities for protecting the security of healthcare IT should include the following:

  • Security governance and management  
  • Laptop and device encryption  
  • Internal content filtering  
  • E-mail encryption  
  • Access management  
  • Social media policies and guidelines  

It has become increasingly clear that the daily functioning of a healthcare provider depends on the integrity and reliability of the provider's information systems. Patient care, research, operations, and finance all rely on highly available, trustworthy, and robust applications, data, and infrastructure.

But at a time when hospital and physician dependence on healthcare IT has increased, the bar for security in healthcare IT also has been raised. The use of healthcare IT has increased significantly as more providers use electronic health records (EHRs) to support direct patient care. This dependence on the EHR leaves the organization less able to tolerate viruses and other malware threats that can make the EHR unusable. Meanwhile, the prevalence of mobile technologies and the sophistication of today's IT security threats further erodes the ability of the provider to protect its healthcare IT systems.

A provider's ability to ensure that its IT systems are there when they are needed can be threatened by hackers, viruses, and worms. And the confidentiality, integrity, and availability of patient, personal, and business data can be threatened by phishing and the loss of portable devices.

Now more than ever, knowing the risks that healthcare IT systems could face, and increasing the security of a hospital's and physician practice's information systems in response to these risks, is critical.

Challenges Facing Healthcare IT Systems

Over the past several years, most providers have made great strides in ensuring that their information system (IS) environment addresses security threats. But the need for increased diligence regarding healthcare IT security has become critical as the challenges to healthcare IT systems have become more complex and diverse and have continued to evolve rapidly.

As EHR use grows, so too does the number of EHR users. Busy clinicians may view security controls as impediments to patient care, and busy managers fall behind in managing user access rights.

EHRs will be viewed as an important foundation for clinical affiliations and support for referring physicians. These uses extend access to the EHR to multiple organizations and individuals outside of the control of the organization offering access. Meaningful use incentives emphasize clinical data exchange, which further opens up a provider's EHR.

Broadening the number of users who can access an EHR is not the only challenge. A class of powerful mobile devices marketed primarily as consumer devices are increasingly being used to access the organization's systems. These devices can be purchased outside of the normal purchasing and IT controls. The organization may not know how many mobile devices are being used, let alone the degree to which these devices have encrypted hard drives, or whether they have appropriate access controls.

Wireless networks are both a boon to mobile clinicians and a new way for hackers to access the organization's systems. Organizations implementing wireless must not only identify means for restricting which devices connect to the network, but also prevent employees from implementing rogue access points outside of the control of the IS organization.

There are Internet-based services emerging that enable physicians to communicate with other physicians about patients and that enable patients to communicate with their care teams and access their records. Although these services have the potential to improve care, they may also become a means for inadvertent and inappropriate release of patient identifiable health information. And to the extent that physicians self-register for these services, their use of such a service poses risks due to the lack of knowledge about the service's security controls.

Both the EHR and the relentless improvements in the capabilities of healthcare IT can bring great value to the organization. They also pose new security challenges, some of which cannot be anticipated until an organization implements the technology.

Government Interventions

The importance and challenge of healthcare IT security is not lost on most hospitals and physician practices. Nor is it lost on federal and state government. Government has a central role in protecting citizens, and in the case of healthcare IT, it has acted accordingly, publishing regulations that require greater levels of information security, levels seen as necessary to protect people from the consequences of released sensitive information and from disruptions in the operations of organizations that serve the public good.

The draft regulations resulting from the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, the legislation that provides for EHR meaningful use incentives, require that providers conduct risk assessments of their security policies and practices. The regulations also require that EHR vendors be able to demonstrate that their applications support foundational security controls, including audit trails, encryption, and robust user authentication mechanisms.

The Federal Trade Commission has enacted regulations, called "Red Flag Rules," that are intended to reduce identity theft. Additional privacy and security rules can be expected from the Office of Civil Rights in the months and years ahead.

State governments also have stepped in. Massachusetts, for example, recently put forth regulations regarding encryption of data and networks, reporting of disclosures of patient data, and procedures for the destruction of paper and electronic records.

Action Steps for Providers

Hospitals and physician practices have no choice: they must implement an effective security program. Failure to do so puts them at risk of violating the law, losing reimbursement, and unnecessarily exposing their systems to those who seek to damage the organization.

It is not possible to fully protect an organization from all security risks. However, there are prudent management steps that healthcare organizations should take.

Governance. Large and medium-sized provider organizations should establish an IT security steering committee. This committee should be composed of clinicians, operations managers, and staff from the organization's IT, finance, compliance, security, and audit departments. This committee should be responsible for establishing the security strategy and policies. Examples of policies that will be needed include policies regarding computer timeout/logoff, laptop encryption, security roles, and sanctions for breaches of confidentiality and information security.

A provider also may decide to establish an IT security operating committee. This committee should oversee the tactical implementation of IT strategy and policies (considering, for example, how medical staff are to be educated about the need for additional authentication steps when accessing patient data remotely).

Providers also would be well served to designate a chief information security officer (CISO). In larger organizations, the position of CISO would ideally be a full-time position with a support staff. The CISO and his or her staff should identify and manage the projects needed to improve security and implement the policies and procedures defined by the committees.

Large and medium-sized provider organizations should also think beyond mere regulatory requirements. The Health Insurance Portability and Accountability Act and other regulations describe high-level requirements for an organization's security program. However, they do not describe detailed issues necessary for compliance, such as how to secure a server or protect a wireless implementation.

Providers can find the answers they need to such compliance questions by reviewing industry standards. The National Institute of Standards and Technology offers guidance to federal agencies for securing their data and systems on a host of topics, including network security, security awareness and training, and other related areas. Provider organizations can leverage these standards to define how they will comply with security regulations.

Small hospitals and physician practices may choose not to form these committees, but should make security a regular point of discussion among management and appoint an individual to be accountable for the implementation of the security program.

Incident management plan. Sooner or later, all healthcare providers will face a security incident. This could be the loss of a laptop that contains patient data, the discovery of a virus that is crippling an application, or a barrage of phishing attempts that ask staff to rush a check for $1,000 to some faraway country.

To respond to such events, the organization should develop an IT security response plan that defines the various types of security incidents, the personnel who should be notified when incidents that threaten IT security occur, and how these incidents should be managed. Organizations should work closely with legal counsel in developing these plans to ensure that applicable federal and state security breach notification requirements are met.

Initial Priorities

With a governance structure and incident management plan in place, efforts to define initial priorities should begin with a security risk assessment. This assessment, which can be conducted by the CISO or a designated security manager, the organization's auditor, or external consultants, should identify the areas that need the most immediate attention.

That being said, most organizations are focused on the following set of initial priorities for protecting the security of healthcare IT. These initial priorities reflect the fact that most organizations have some means to manage user passwords, have taken steps to secure access to the computer room, and have performed other foundational security steps. They also reflect newly published regulations that extend security requirements.

Laptop and device encryption. Laptops, mobile devices (e.g., iPhones and Blackberries), and thumb or USB drives should be encrypted. For users who purchase their own devices, hospital policy can require that they encrypt their devices and that they attest that they have encrypted their devices.

Internal content filtering. These technologies help to prevent viruses, phishing, and other "malware" from getting through to the organization's internal network. Such technologies also can be used to prevent hospital and practice staff from accessing Internet sites that the organization views as counter to its mission.

E-mail encryption. Many patients and their providers communicate through e-mail, while some healthcare staff exchange business information with suppliers, payers, and others that work with the organization. Although e-mail exchange of information has enormous value in instances such as these, this electronic exchange of information also poses a security risk should an e-mail be forwarded in error or intercepted. E-mail encryption protects sensitive information in transit.

Access management. Although most providers have instituted passwords for access to applications, healthcare organizations would be well served to review their policies, standards, and procedures for managing access to confidential data and important applications. In conducting such reviews, most organizations are surprised to learn which people have access to various systems and data.
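The access review described above is usually where the surprises surface: accounts belonging to people who have left, privileged roles nobody approved, and logins nobody has used in months. The following Python script is an added example, not code from the article or from the Partners HealthCare program it describes. It reconciles a constructed application account export against a constructed HR roster and an assumed list of approved privileged-role holders, and returns the findings a reviewer would need to act on.

```python
"""Access review reconciliation (added example; all data below is constructed).

For each account in an application export, the review flags:
  * no_hr_record           - the account owner does not exist in the HR roster
  * owner_inactive         - the owner exists but is no longer active (e.g. terminated)
  * unapproved_privileged  - a privileged role held by someone not on the approved list
  * stale                  - no login within STALE_DAYS of the review date
"""
from datetime import date

STALE_DAYS = 90
REVIEW_DATE = date(2010, 7, 1)       # constructed review date
PRIVILEGED_ROLES = {"admin"}         # roles that require explicit approval

# Constructed HR roster: user id -> employment status
HR_ROSTER = {
    "jdoe":   {"dept": "Cardiology", "active": True},
    "asmith": {"dept": "Finance",    "active": True},
    "bjones": {"dept": "Nursing",    "active": False},   # terminated last quarter
    "clee":   {"dept": "IT",         "active": True},
}

# Constructed list of approved privileged-role holders, per application
APPROVED_PRIVILEGED = {
    "ehr":     {"clee"},
    "billing": {"asmith"},
}

# Constructed account export from two applications
ACCOUNTS = [
    {"app": "ehr",     "user": "jdoe",       "role": "clinician", "last_login": date(2010, 6, 28)},
    {"app": "ehr",     "user": "bjones",     "role": "clinician", "last_login": date(2010, 5, 2)},
    {"app": "ehr",     "user": "clee",       "role": "admin",     "last_login": date(2010, 6, 30)},
    {"app": "ehr",     "user": "asmith",     "role": "admin",     "last_login": date(2010, 3, 1)},
    {"app": "billing", "user": "asmith",     "role": "admin",     "last_login": date(2010, 6, 29)},
    {"app": "billing", "user": "tmp_vendor", "role": "viewer",    "last_login": date(2009, 12, 15)},
]


def review_accounts(accounts, roster, approved_privileged,
                    review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return a list of (app, user, finding) tuples for accounts needing attention."""
    findings = []
    for acct in accounts:
        app, user = acct["app"], acct["user"]
        person = roster.get(user)

        # Ownership check: every account must map to an active person in HR
        if person is None:
            findings.append((app, user, "no_hr_record"))
        elif not person["active"]:
            findings.append((app, user, "owner_inactive"))

        # Privilege check: privileged roles must be on the approved list for that app
        if acct["role"] in PRIVILEGED_ROLES and user not in approved_privileged.get(app, set()):
            findings.append((app, user, "unapproved_privileged"))

        # Activity check: dormant accounts are candidates for removal
        if (review_date - acct["last_login"]).days > stale_days:
            findings.append((app, user, "stale"))
    return findings


def summarize_by_app(findings):
    """Group findings by application so each system owner gets one worklist."""
    summary = {}
    for app, user, finding in findings:
        summary.setdefault(app, []).append((user, finding))
    return summary


if __name__ == "__main__":
    for app, items in summarize_by_app(
            review_accounts(ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED)).items():
        print(f"{app}:")
        for user, finding in items:
            print(f"  {user:12s} {finding}")
```

In practice the roster and account export would be pulled from the HR system and each application's user administration screens; the value of the script is that it forces the three questions a reviewer must answer for every account (does this person still work here, was this level of access approved, and is it still used) rather than leaving them to memory.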

Social media policy and guidelines. Clinical and administrative staff will undoubtedly use workplace computers to access social media sites such as Facebook, LinkedIn, blogs, and Twitter. Staff should be educated regarding the appropriate uses of these sites, particularly from workplace computers, just as parents should remind their teenagers that the information and photos they post today could be a source of embarrassment later if they are not careful.

All of these initial steps require policy, the requisite security technologies, clinical and administrative staff awareness and training, and the means to audit compliance. As the expression "initial steps" implies, establishing IT security is not a one-time management event. Rather, it should be an ongoing topic of discussion for managers and an ongoing area of investment for the organization. As such, visible support from the organization's CEO and senior management is necessary to counteract challenges to IT security.

Other Important Considerations for Providers

Healthcare organizations will face several challenges as they strive to improve the security of their applications, infrastructure, and data.

First, IT security threats can be remarkably diverse. Recently, a story appeared on network news about the risks associated with copiers, namely the residual data left on the copier hard drive. Data from each scan were being stored on the copiers' hard drives, including patients' social security numbers, medical record numbers, names, addresses, and health conditions.

Second, there is no good way to know how much money the organization should spend on IT security. Clearly, a healthcare organization should meet the basic legal requirements regarding the protection of data. But how much more should an organization invest in its efforts to reduce disclosures of patient data or to strengthen application authentication? The ROI of IT security investments is no more easily defined than the ROI of life insurance. IT security expenditures require careful judgment, and there may never be a time when a healthcare organization can know with certainty that it has invested enough in its IT security initiatives.

Third, improving security often comes at the expense of clinical and administrative staff time and can increase the complexity of workflow. Asking a referring physician to go to a secure web site and sign in to receive a consulting physician's report takes more time than receiving an insecure e-mail with the report pasted into the body of the e-mail.

Overworked staff will be quick to point out the "hassle" of security. At times the hassle is exacerbated by clunky and immature security technology. Reminding staff of the importance of security may gain few points. Reminding staff that protecting the security of healthcare information is the law may not gain any points, but it might improve compliance.

Fourth, perhaps the greatest threat to healthcare IT security lies in the increased use of IT by staff who blur the boundaries between their professional and personal lives. Consider the prevalence of technologies such as Skype, mobile devices, and Facebook. These technologies have become an integral part of the lives of staff, and staff bring these technologies into the work setting. These technologies also enable staff to bring the work setting into their homes.

The security threat related to these technologies is due to the fact that managers may have limited ability to control staff use of these technologies (assuming management is even aware of the extent of use). The organization can ban Facebook access on its inpatient units, but it cannot prevent a nurse at home from inappropriately sharing patient data on a social media site.

Security technology and policies are very important steps to address this threat. However, education is the most important step management can take.

The Time to Step Up IT Security Is Now

Maintaining appropriate levels of healthcare IT security is a never-ending task; as the technology, its uses, and its threats evolve, so will the necessary security efforts. It is also a difficult task: user behaviors often have to change, existing security technologies can be at various stages of maturity, and IT security invariably brings restrictions. The simple fact is that implementing IT security programs will disrupt established organizational practices.

Building IT security also is not simply a matter of implementing new security technologies, although those are obviously important. It also includes policies and procedures, as well as the appropriate actions that staff should take to ensure that systems remain available to those who need them, and that data that ought to stay confidential remain confidential.

At times, IT security can seem like a real pain. And in a way, it is. It takes time to change a password, to secure an e-mail, and to encrypt a disk drive. However, it takes time to vote, to make dinner for your family, to service your car, and to get a physical exam. We routinely give time when that time is needed to protect something that is important. Increasing the security of a hospital's and physician practice's information systems is essential.

John Glaser, PhD, is vice president and CIO, Partners HealthCare, Boston, and is a member of HFMA's Massachusetts-Rhode Island Chapter.

Jennings Aske, JD, is chief information security officer, Partners HealthCare, Boston.

The content of this article reflects the information security program implemented by Aske at Partners HealthCare.

Publication Date: Thursday, July 01, 2010
