Risk Management

Information Security Concepts

March 21, 2017 2:52 pm

Security tools are constantly evolving, as they should be, to keep up with the changing landscape of threats, technology, and vulnerabilities. Every day brings new stories of breaches, many of which occurred months before they were found, and the threat of them keeps CIOs up at night.

Two items can help take information security to the next level for healthcare entities: two-factor authentication and blockchains. One is familiar in the world of information security, and the other is gaining momentum.

Multifactor Authentication

To increase the security of access to all the information housed in a hospital, the security feature of multifactor authentication (also known as MFA) should be considered. This feature has been around since the second recorded breach of information. From website access to credit card usage, requiring MFA can reduce the risk of unauthorized access, issues, or fraud. MFA requires that individuals have any two out of the three basic types of credentials or elements to be able to access information: items a person can commit to memory (e.g., a PIN), items a person can possess (e.g., a bank card or organization-issued laptop), and items that are part of a person’s physical features (e.g., a fingerprint or voice pattern print).

Moving beyond a password to access a computer, organizations should consider using MFA as it relates to drug cabinets, credit cards, and patient information (not maintained in the cloud or a database).

There is a particular focus today on using MFA to strengthen security for credit cards. Credit cards that require a ZIP code already employ this security feature. However, having something such as a smartphone that requires the user to approve the purchase by physically having the phone nearby, answering a text message, or logging into an app is not far off. This approach significantly decreases the threat of loss or fraud, and it is making its way into the healthcare arena.

Securing items such as drug cabinets and access to facilities or rooms that house patient information would be a simple matter using a combination of fingerprinting and an access card. And additional security could be derived from data analysis on how frequently these items are accessed, which would disclose when someone is accessing them more often than they should. Creating a baseline of what to expect and reviewing the security protocol’s actual application can help hospitals identify potential security issues.
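One way to build the baseline described above and flag access that exceeds it, as an added example that is not part of the original article. The log format, badge IDs, cabinet name, and the `k` and `min_slack` thresholds are assumptions made for illustration.

```python
import statistics
from collections import Counter, defaultdict

def daily_counts(log_lines):
    """Count unlocks per badge per day from 'DATE BADGE CABINET' lines."""
    counts = defaultdict(Counter)
    for line in log_lines:
        day, badge, _cabinet = line.split()
        counts[badge][day] += 1
    return counts

def flag_unusual(baseline_lines, review_lines, baseline_days, k=3.0, min_slack=2.0):
    """Return {(badge, day): (count, threshold)} for review days above baseline."""
    base = daily_counts(baseline_lines)
    flagged = {}
    for badge, per_day in daily_counts(review_lines).items():
        # Days without any unlock count as 0, so quiet days lower the baseline.
        history = [base[badge][d] for d in baseline_days]
        mean = statistics.mean(history)
        # Floor the spread so a very regular user is not flagged for +1 access,
        # and so a badge with no history gets a threshold of min_slack.
        spread = max(statistics.pstdev(history), min_slack / k)
        threshold = mean + k * spread
        for day, n in per_day.items():
            if n > threshold:
                flagged[(badge, day)] = (n, round(threshold, 2))
    return flagged

# Constructed sample data: one week of baseline unlocks, then one review day.
DAYS = [f"2017-03-{d:02d}" for d in range(1, 8)]
USUAL = {"badge-101": [4, 5, 3, 4, 5, 4, 4], "badge-102": [2, 3, 2, 2, 3, 2, 3]}
BASELINE = [f"{day} {badge} cab-3"
            for badge, per_day in USUAL.items()
            for day, n in zip(DAYS, per_day) for _ in range(n)]
REVIEW = (["2017-03-08 badge-101 cab-3"] * 5      # within the usual range
          + ["2017-03-08 badge-102 cab-3"] * 11   # far above this badge's baseline
          + ["2017-03-08 badge-999 cab-3"] * 3)   # badge never seen in the baseline

if __name__ == "__main__":
    for (badge, day), (n, limit) in flag_unusual(BASELINE, REVIEW, DAYS).items():
        print(f"{day} {badge}: {n} unlocks, expected at most {limit}")
```

The baseline is kept per badge, so the same count can be normal for one person and flagged for another; a badge with no history is held to the `min_slack` floor.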


A blockchain is a decentralized digital ledger that records transactions across many computers in such a way that the registered transactions cannot be altered retroactively. Although originally created in 2008 to secure financial transactions, the concept can be applied to any recorded information in a database. Blockchain technology is being used for all areas of a business including digital storage and transfer, authentication and authorization, network infrastructure, and database recording. Entries into accounting software or recorded patient information are created in “blocks” that are extremely resistant to manipulation and that anyone, anywhere can access anytime with the right access credentials. Once something is recorded, a timestamp verifies the creation of the information block, and the computer moves to the next block to record additional information. The blocks will grow over time and continue to build upon one another.
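The block-and-timestamp structure described above, reduced to a single-machine hash chain to show why a retroactive change is detectable. This is an added example, not code from the article; it omits the decentralized copies and consensus of a real blockchain, and the field names, patient ID, and values are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(block):
    """SHA-256 over the block's fields, excluding its own stored hash."""
    body = {k: block[k] for k in ("index", "timestamp", "record", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(chain, record, timestamp):
    """Add a timestamped block that commits to the hash of the block before it."""
    block = {"index": len(chain), "timestamp": timestamp, "record": record,
             "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_invalid(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev_hash"] != prev
                or block["hash"] != block_hash(block)):
            return i
        prev = block["hash"]
    return None

def demo_chain():
    """Constructed sample entries; patient IDs and values are made up."""
    chain = []
    append(chain, {"patient": "P-0001", "temp_f": 98.6}, "2017-03-21T14:00:00Z")
    append(chain, {"patient": "P-0001", "temp_f": 102.4}, "2017-03-21T18:00:00Z")
    append(chain, {"patient": "P-0001", "order": "antipyretic"}, "2017-03-21T18:01:00Z")
    return chain

def tamper(chain, index, record, rehash=False):
    """Alter an old record; optionally recompute that block's own hash."""
    chain[index]["record"] = record
    if rehash:
        chain[index]["hash"] = block_hash(chain[index])

if __name__ == "__main__":
    c = demo_chain()
    print(first_invalid(c))   # untouched chain verifies
    tamper(c, 1, {"patient": "P-0001", "temp_f": 99.0})
    print(first_invalid(c))   # edited block no longer matches its stored hash
    tamper(c, 1, {"patient": "P-0001", "temp_f": 99.0}, rehash=True)
    print(first_invalid(c))   # the next block still points at the old hash
```

Recomputing the edited block's hash only moves the failure to the following block, so hiding a change means rewriting every later block; in a decentralized ledger, the other participants' copies would still disagree.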

Blockchain technology also has potential beyond security. The Economist described one implementation of the second-generation programmable blockchain as coming with “a programming language that allows users to write more sophisticated smart contracts, thus creating invoices that pay themselves when a shipment arrives or share certificates which automatically send their owners dividends if profits reach a certain level.” This autonomous concept can change the way healthcare organizations think about patient care. If we can program baselines into a patient’s chart of information, then the occurrence of anything unexpected could trigger automatic ordering of tests or drug treatment. Imagine a scenario where a nurse takes the temperature of a patient and if the recorded results are above 102, a fever reducing drug is automatically ordered and charged to the patient account information.

Necessity is the mother of invention. When it comes to new security features of IT environments, there are rarely any new ideas, just concepts applied differently. The needs in health care are ever changing, and the driving force for ideas can easily be taken from other industries and retrofitted to improve patient care.

Paul M. Perry, FHFMA, CITP, CISM, CPA, is a member with Warren Averett CPAs and Advisors, Birmingham, Ala., and a member of HFMA’s Alabama Chapter.

