Data Privacy & Security: Staying Ahead of Moving Targets
 |
The HHS' omnibus privacy and security final rule that will govern protection of health information is expected by the end of the year, according to the Department of Health and Human Services' Office for Civil Rights. In the meantime, rising patient expectations of data security, demand for data exchange and evolving security threats have organizations wondering what to do next.
Start at the beginning
A good first step is to assess your organization's compliance with HIPAA regulations, says Lisa Gallagher, BSEE, CISM, CPHIMS, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS)."You really need to be doing ongoing security risk management," she notes. "That's a challenge because smaller organizations are not always able to do that yet because of limited resources or lack of in-house knowledge. But even for the organizations that are doing it, the risks are constantly changing, so it's an ongoing activity." There are many external variables and internal ones as well—such as employee behavior—that create risks that need to be actively managed.
The "multiple, parallel schedules" for ARRA and HITECH Act regulations have further complicated compliance, she says. For example, some HITECH regulations—such as the breach notification rule—are already out. But others, like the Office of Civil Rights' rule on accounting of disclosures, are coming. Under Section 13405(c) of the HITECH Act, HIPAA has been amended to require covered entities to account for disclosures of protected health information (PHI), and to enact treatment, payment and healthcare operations if such disclosures occur through an EHR. "When that comes out, [it's] going to be challenging to implement, and new to the industry," she says.
Tracking the regulatory environment and adhering to the different compliance schedules and deadlines, both administratively and technically, can be as challenging as keeping up with the threat landscape, she says.
 | |
| Networked medical devices sit at the center of an expanding universe of interconnected issues, from HIPAA and other federal regulations to product lifecycle management and data safeguards. Source: HIMSS | |
Meaningful use and security
The healthcare security framework—maybe patchwork—is one of the main issues and risks associated with meaningful use, "not just in Stage 1, but also certainly Stages 2 and 3," said Eric Pupo, MBA, CPHIMS, during a presentation at the HIMSS annual meeting in February. He is the former HIMSS Privacy and Security Committee Chair. "As more information is exchanged, there will be more risks associated with that, including the exchange itself, storage and encryption of information."The good news? "There's only one Stage 1 meaningful use privacy and security requirement: eligible professionals and hospitals must be able to demonstrate that they've conducted a risk analysis and have made changes based on that analysis," says Gallagher. "Meaningful use has lots of other requirements, but for privacy and security, in theory, you should already be doing that because you have [to comply with] HIPAA."
The organization must attest that it has conducted ongoing risk analysis and can prove that if they need to. "If you're mindful of HIPAA, you should be OK as far as Stage 1," says Gallagher.
Security does not ensure protection
Healthcare organizations are mindful of security as they work to comply with other aspects of meaningful use, such as implementing clinical decision support systems. However, "security is the ability to manage data and to track who touches what data. It does not ensure protection," says Khalid Moidu, MD, corporate director of medical informatics at Orlando Health, a not-for-profit healthcare network based in Orlando, Fla. The organization is in the process of integrating clinical decision support with EMRs throughout its 1,780-bed system."The biggest problem is when people use the word 'privacy,' they equate it to anonymity," he continues. "It doesn't happen."
Orlando Health' CDS system, which will exist "in parallel" with the EMR, enables physicians to receive alerts on their BlackBerry devices. All of the information is stored on a server behind the organization's firewall; when physicians respond to an alert, the system authenticates their devices and they enter a password. Only then can they can see identifying patient information, he says.
"If for any reason the device is compromised for 10 seconds, you only got to know the information about one patient," says Moidu. No personal health information is stored on the device, he adds; "Information is displayed through web services, so you're only getting a view."
Data left to their own devices
Keeping personal health information off medical devices isn't always an option, however. With some 18,000 networked medical devices, Children's Medical Center takes a centralized approach to protecting data, says Pamela Arora, CIO at the private, not-for-profit Children's Medical Center, a 559-bed facility in Dallas and one of the largest pediatric care providers in the nation."We've had over 4,500 attacks this year—these attacks were network attacks caught by our software. While we have not had a cyber threat that has impacted our biomedical devices, attacks need to be guarded against on all fronts," Arora says. "There is no single challenge and unfortunately, there is no single silver bullet solution to protect patient data."
| Open Source Closes Gaps |
| Open source technology might be more breach-proof than proprietary systems, according a study, “Open Source, Open Standards, and Health Care Information Systems,” that was originally published online in the Journal of Medical Internet Research. The U.S. has developed an open-source-based health information system, the VA’s VistA hospital system, which serves or forms a core part of the software serving almost 30 million Americans, according to authors Carl J. Reynolds, BSC, MB, BS, Centre for Health Informatics and Multiprofessional Education at UCL Medical School in London; and Jeremy Wyatt,MB, BS, DM, FRCP, of the University of Warwick’s Institute for Digital Healthcare. “However, outside the VA network of hospitals, uptake of open-source HIS has been poor,” according to the study. Reynolds and Wyatt argue that open standards are needed for interoperability and a healthy market, and that open source software is the best way of creating and securing open standards because it is diffused well and adoption is facilitated by having an active working open reference model. “There is a lag in widespread understanding and adoption of open source,” says Reynolds. “I think this is partly because open source software licensing is still conceptually unfamiliar to many, and partly because of concerted efforts by vendors to maintain the status quo.” he says. Because open source has appealed to technical, or “geeky,” users, there remains an image problem with respect to perceived usability and suitability of open source by more “average” end users, according to Reynolds. Nevertheless, open source’s open nature is what makes it more secure. “There are more eyes checking the code for vulnerabilities and fixing them,” says Reynolds. “Programmers’ output is transparent and they are accountable, there’s nowhere for unsafe code to be hidden. Bugs tend to be ironed out more quickly on the open source model when the user/contributor base is sufficiently large, because it turns out people write better code when others can see and check it, and some talented people will make valuable contributions for free.” The advantages will lead to a larger role for open source in healthcare IT in the future, he predicts. “The open source model is superior and most of the big players in IT—i.e. Apple, Sun and IBM—have recognized this and adopted hybrid approaches [to] sell, sponsor or make use of open source software in their products. I think cost and quality drivers will lead to more vendors selling open source software together with implementation and support as a package, and this will benefit buyers and users of healthcare software alike. |
To protect medical devices, Children's uses a firewall, VLAN and DMZ, and software; however, the market provides more solutions to secure PDAs, laptops, desktops, than for medical devices," she notes.
"The numbers of medical devices are immense and many of them have not historically been networked. As networked medical devices increase to allow patient information to flow into the EMR, the medical device vulnerabilities also will grow."
Children's is deploying its fourth asset management system in six years, in an effort to keep scrubbing the data.
"Centralized visibility to device information, such as whether ePHI is stored on the device or not, is extremely helpful. Without this information, it is difficult for any organization to understand their weaknesses and properly protect patient data." In the past, Children's had to combine multiple sources to obtain a single source of truth—which was a manually intensive process at best. However, the more data are used, the better they get, says Arora: "A centralized source has many content users scrubbing the information and learning their part in strengthening the protection of our patient's data."
An emerging threat: Identity theft
Although device theft accounts for many of the incidents on the OCR's breach list, medical identity theft is another evolving threat. The Ponemon Institute's Second Annual Survey on Medical Identity Theft, released in March, shows that medical identity theft is already a $1 billion crime in the U.S. that affects approximately 1.4 million people. In most cases, stolen identity is discovered months after the fact, when a victim receives a statement for care he or she never received, or when erroneous information shows up in a medical record."In other industries, identities are stolen primarily for financial gain, but in healthcare, identity theft is often used to gain access to or payment for care," says Gallagher. This is one reason it can be hard to build into risk analysis, she adds.
"What we see most of the time [in healthcare] when there is identity theft, the patient detects it and reports back to the source [provider or hospital]," she says. "When you're doing risk analysis, you have to think about threat motivators. It's hard because often [when] the patient reports it, it goes back to the provider institution, and it's difficult to know whether they process it and pay attention to it."
In some cases, insurance has already paid the bill and there's often no process for correcting the records so bad data may reside in an EMR, causing potential care impacts down the road, she adds.
Patient expectations may be one driver of tighter security in the future. During a recent web presentation on identity theft, audience members were asked if they've taken steps to educate staff and patients about identity theft. Twenty-one percent said they regularly conduct education and communication; 3 percent said they do so sporadically and 14 percent plan to offer identity theft education in the future. However, the second-largest percentage of respondents—18 percent—haven't started. In contrast, the Ponemon Institute research found that patients had high expectations for their provider to safeguard their PHI.
Mature provider institutions are training their employees and implementing identity-proofing measures, according to Gallagher. "I think the difficulty is on the back end—when it's reported, what do [organizations] do with that information? For me, the focus would be, how do you bring that threat motivator back into the risk analysis."
Specific threats such as networked device breaches or identity theft don't represent a gap in HIPAA, Gallagher asserts, but are something to be managed as part of the risk management process. "You'd look at your threats and vulnerabilities, come up with a risk profile, take a look at what the security controls are that you have in place to mitigate those risks. Then you monitor to see if they're working, and if they're not, you make adjustments," she says, "The HIPAA security rule stands on a pretty solid foundation of risk management."
At Children's, "We're in the midst of this, like many organizations. You can't move fast enough because there's so much going on right now. Organizations have to get their arms around PDAs, thumb drives, laptops, and desktops. And, it's not just technology that protects the organization; it's also the individual users. They need to understand their accountability in protecting ePHI."
| Data Downstream |
| A survey of network administrators by IT security vendor Ipswitch revealed that HIPAA compliance presents big IT headaches: Almost 40 percent of respondents cited it as the most nettlesome from a regulatory standpoint. The breadth of the HIPAA requirements—which extend to healthcare system partners and other entities—is one reason for this. The Ohio Department of Disabilities handles data that fall under HIPAA guidelines. It turned to virtualization to consolidate servers and cut costs, and in the process made its networks more secure, says Kipp Bertke, IT manager at the department. The agency embarked on an effort to consolidate its HP servers, taking 10 small data centers with five to 10 servers each throughout the state down to one. “Security was a big factor—now that we have [our systems] centralized, we have significantly better control over security from a ‘where’s the data’ perspective, but also from a business continuance perspective,” says Bertke. The system has a built-in disaster recovery and business recovery capability. “A secondary data site hosts the agency’s development servers and quality assurance servers. If a major breach or outage should happen, the department can failover production servers via VMWare’s Site Recovery Manager to repurposed servers in a cluster for development and disaster recovery at the secondary data center,” he says. The department plans to reduce 16 public IP addresses down to two, and those are strictly going to be for DMZ ranges, according to Brian Brothers, network administrator manager. “Everything else on our network that doesn’t talk specifically to someone or something on the internet is going to be on private 10-dot [addresses]. That was important for lowering our attack signature.” “We protect the data, we back them up and we recover them for people, we don’t look at them,” Brothers says. “We’re not application developers and we’re not touching documents for users, [but] we are [covered by HIPAA].” Centralized data are important for compliance, he adds. People save data to their desktops because that method is quick and easy, says Brothers. But if a desktop at a developmental center comes up missing, “it only takes one document with some [protected] data on it to hurt us.” |