Within a few hours, I.T. staffers at the center had remotely wiped the Blackberry clean of any data, and also determined that no one had sent any e-mails from the device. Despite these assurances, the medical center had to notify both the affected patients and the Department of Health and Human Services, disclosure stipulations mandated by the recent HITECH Act.
Ironically, the hospital was midway through a Blackberry encryption project when the theft occurred. And even though patient information most likely of value to identity thieves was not compromised (the file contained patient names, medical record numbers, and date of birth, but no Social Security numbers or addresses), officials there have suffered through an embarrassing lesson in data security. "In 20/20 hindsight, I only wish we had done the encryption project faster," says Bridget Aman, information privacy and security officer. "Patients were concerned that a piece of their record was gone. And some were very angry we failed to safeguard their data."
Children's is far from alone. More than a dozen episodes involving peripheral devices and storage media such as laptops, thumb drives, and CDs now populate the HHS Web page devoted to listing security breaches affecting 500 or more people (Children's was the only organization among 10 contacted that agreed to an interview; two provided copies of a media statement; the rest did not answer the interview request; see box, this page). The site is part of the new federal privacy and security regulations (see May cover story). And more names are likely to join the list, as in April and May several other incidents involving compromised devices were reported in the media.
Data security is no longer a theoretical issue in health care: experts concur that the days of lax HIPAA enforcement are behind us. Security is a high-stakes issue, one which could undermine public confidence in an individual hospital that must report a breach. And with the proliferation of devices, such as Blackberries, laptops, and thumb drives, the risk of data loss grows exponentially.
No simple solution
Storing protected health information behind a firewall is one thing; only a dedicated hacker has a chance of getting to it.
But data on unprotected portable devices? That's another issue. And while there are a variety of technologies available to help secure those easily misplaced laptops or storage devices, software alone is not going to curb the problem. An institutional culture around privacy and security needs to reinforce the technology before the industry can lay claim to data security.
"The weak link is human behavior," says James Carpenter, director of information technology and security, Parkland Health and Hospital System, Dallas. "Devices are getting smaller and more portable. And the expectation from individuals is that their devices will connect easily to the network and give them data at their fingertips. That expectation clashes with what HITECH is asking you to do, which is to have strict security controls and access management. You have to merge those two worlds."
According to some analysts, the health care industry is behind other industries facing similar problems. "Financial services firms have dealt with information security in a public manner," says Mike Spinney, senior privacy analyst at the Ponemon Institute, a think tank devoted to data security issues. "Health care needs to do some catching up. There was a lot of fanfare under HIPAA about the privacy rule, but not a lot of enforcement. Now, we're seeing that change under HITECH." The proliferation of portable devices, Spinney says, makes it easy for negligent employees to lose sensitive data. While other industries face the same dilemma, health care is what Spinney dubs a "high trust industry." Organizations are entrusted with highly sensitive information beyond billing and financial data, he points out. Choosing a health care provider, for most consumers, is an exercise in relationship building, not seeking out the best deal. "That raises the stakes. When you choose a doctor, you are often looking for a long-term commitment."
Parkland Health is assessing its security environment in light of the new federal policies, Carpenter says. In late April, it issued a temporary ban on staff using personal laptops or storage devices while it crafts a consistent policy. In 2007, Parkland encrypted the 800 or so corporate-issued laptops used by its staff, using software from Credent Technologies, Addison, Texas. And in late 2006, it issued encrypted thumb drives, from Edge Tech Corp., Ada, Okla.
But the presence of personal laptops created confusion. Vendor employees might work in the hospital with their own laptops, while other hospital employees were prohibited by their departments from using theirs. "We put out the notice of the prohibition out of a sense of fairness," says Carpenter. "We had no unified stance. We may say we will assume the risk of allowing personal laptops, but the person will have to add encryption."
Understanding needs
For Carpenter, crafting the new policy provides an opportunity to understand user needs. By understanding why a staff member needs to use a personal laptop or their own thumb drive, the health system can adjust its technology approach accordingly. "If there is a shortage of computers, maybe we need additional ones," Carpenter says. "And if people bring in their own thumb drives because we have not allocated adequate storage space, we will address it. We want to address the root concerns to take away the reasons people want to bring in personal devices."
Parkland might even lock down the USB ports across the enterprise (which contains some 7,200 computers) and enable only the corporate-issued encrypted flash drives to function on the network, Carpenter adds.




















