Many would say that controlling costs is the toughest challenge facing the U.S. health-care industry. But safeguarding patient information in a digital world isn’t proving to be much easier.
Consider this: In the two years since the Department of Health and Human Services mandated public disclosure of any exposure of data involving 500 or more patients, breaches affecting more than 10 million individuals have been reported. And most people think that’s just the tip of the iceberg—many other individuals likely have had their data compromised and many more will in the future.
Why are medical records so vulnerable? In part, it’s because the health-care industry has lagged behind the corporate world in adopting integrated systems that are designed with security in mind and prevent data from being downloaded into portable files. The result is that many health-care organizations have applications and data spread throughout departments, creating plenty of opportunities for leaks.
On top of that, the fragmented nature of the industry—with myriad hospitals, physicians, ambulatory health-care providers, laboratories, insurers and providers of services such as billing and collecting—means there are many small, unsophisticated players handling sensitive information without the tools to protect it.
When a person’s health record is exposed, the implications often go beyond basic fraud and financial-identity theft. Data may end up on the Internet, leading to embarrassment and social stigma. Criminals can exploit patient information to steal drugs, supplies or health care itself. And when a stolen identity is used to gain medical care, it can carry health consequences for the victim, whose medical record becomes corrupted by the thief’s own medical data. Correcting fraud, or even stopping it, can be a byzantine nightmare.
Even scarier, some security experts have demonstrated how devices such as insulin pumps potentially could be hacked to deliver a lethal dose to unsuspecting patients.
Proactive, Not Reactive
Preventing such failures requires a clear strategy and a blend of security measures. The problem is, health IT security is primarily reactive, with managers working to close holes after data has been exposed or to comply with the latest government regulation. It isn’t working. Our recent research has shown that security investments made after a breach aren’t nearly as effective in protecting against the next breach as proactive investments.
So how should health-care organizations approach information security? Consider these four steps.
Take inventory. Security managers should carefully monitor personal health information and other sensitive data to see how it is used, where it is stored, and how it flows through their organization and to partners. In doing so, they will uncover how and when patient data is most likely to be improperly exposed, which in turn will allow them to identify and implement the right blend of security measures to reduce those risks.
Consider access. Who in the organization needs to see patients’ personal data and under what circumstances?
Historically, health-care IT was built for openness, not security. When I was a kid, community media from church bulletins to local newspapers carried hospital-admission announcements to encourage friends to visit and help. Within hospitals, physical medical records were made readily available to make it easy for any doctor or nurse to review a chart.
That openness was copied into many electronic health-record systems. But openness doesn’t work in the digital world, where sensitive data can easily fall into the wrong hands via stolen laptops, misdirected emails and network hacking, among other things.
Simply limiting who can see personal health information is one option. But that can have devastating consequences when emergencies arise. If a patient’s regular doctor or nursing team isn’t available during an emergency, other providers may need instant access.
To be sure, many hospitals and health-care organizations have so-called break-the-glass systems in place that allow protected data to be viewed during emergencies. But they aren’t always capable of weeding out cheaters from those who legitimately need access.
The solution is a new breed of access-control systems that considers both the identity of the person requesting the medical information and the context of the request. The UC Davis Health System, for example, has automated rolling audits of emergency access to catch anomalies, such as an employee who accesses data of a patient with the same last name (possibly a relative). Suspicious behavior is flagged for further manual audit and investigation.
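A rolling audit of the kind described above can be sketched in a few lines. This is an added example, not code from UC Davis or from the article; the record fields, the seven-day window and the surname normalization (accent folding, hyphen splitting) are assumptions, and the sample records are constructed.

```python
import unicodedata
from datetime import datetime, timedelta

# Constructed sample audit records (not real data). "emergency" marks
# break-the-glass access; the field names are assumptions for this sketch.
EVENTS = [
    {"ts": "2024-03-01T02:14:00", "user": "Dana Whitfield",
     "patient": "Marcus Whitfield", "emergency": True},
    {"ts": "2024-03-02T11:40:00", "user": "Priya Nair",
     "patient": "Tom Okafor", "emergency": True},
    {"ts": "2024-03-03T23:05:00", "user": "José Muñoz-Reyes",
     "patient": "Elena Munoz", "emergency": True},
    {"ts": "2024-03-04T09:00:00", "user": "Lee Chen",
     "patient": "Amy Chen", "emergency": False},   # routine access, out of scope
    {"ts": "2024-02-10T16:30:00", "user": "Sam Ortiz",
     "patient": "Ana Ortiz", "emergency": True},   # older than the window
]
AUDIT_TIME = datetime(2024, 3, 5)  # constructed "now" for the sample run


def surname_tokens(full_name):
    """Normalized surname parts: accents folded, lowercased, hyphens split."""
    last = full_name.strip().split()[-1]
    folded = unicodedata.normalize("NFKD", last).encode("ascii", "ignore").decode()
    return {part for part in folded.lower().split("-") if part}


def rolling_audit(events, now, window=timedelta(days=7)):
    """Flag emergency accesses inside the window where the employee and the
    patient share a surname. A hit is a lead for manual audit, not a verdict."""
    flagged = []
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        if not event["emergency"] or not (now - window <= ts <= now):
            continue
        shared = surname_tokens(event["user"]) & surname_tokens(event["patient"])
        if shared:
            reason = "shared surname: " + ", ".join(sorted(shared))
            flagged.append({**event, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in rolling_audit(EVENTS, AUDIT_TIME):
        print(hit["ts"], hit["user"], "->", hit["patient"], "|", hit["reason"])
```

Common surnames will produce false positives, which is why flagged rows feed a manual review queue rather than an automatic block.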
Make the technology easy to use. Too often, IT installs a security application that ends up causing bigger problems.
For example, one hospital technology executive shared how he had installed a virtual private network to ensure doctors had secure connections to patient data when working at home. It was so slow, however, that the doctors started exporting data into files and sending it to their personal Gmail accounts—big problem!
Data hemorrhages are often fueled by such workarounds, which typically occur when an application either doesn’t work or is just too difficult to use in practice. The result is that frustrated users move sensitive data into convenient formats like Excel and Word, making them portable and vulnerable.
Educate the doctors. Doctors present unique challenges in this area. As Eric Cowperthwaite, Providence Health & Services’ chief information-security officer, put it: “Doctors have been taught that they are the ultimate arbiter of what happens in their sphere of influence.” That means traditional security education—such as messages designed to scare users into periodically changing their passwords—may not work on this audience.
Getting doctors to carry more than one device also is a tough sell, even though it is common for professionals in fields such as investment banking to carry a BlackBerry crippled to protect sensitive data, as well as a phone for personal use.
For many health-care practitioners, consumer devices such as iPads are the technology of choice. Thankfully, there is software for phones and tablets that provides security for business applications, while allowing users to enjoy games and social media.
But technology alone won’t solve every problem. The key is coaching health-care professionals in security hygiene in much the same way they are taught to understand any risk in health care. It is all about caring for the patient—something everyone in health care is passionate about.
By M. Eric Johnson