March 2, 2015 FOCUS: HEALTH CARE

For providers, data security is a never-ending battle

Privacy has been an obligation of the medical profession dating back to the ancient Greeks and the Hippocratic Oath. However, safeguarding patient information has transformed alongside an industry that increasingly relies on technology in every area — including storing and accessing medical files.

The medical industry must balance ease of access to vital patient information and maintenance of patient data security as part of the Health Insurance Portability and Accountability Act, or HIPAA. Similar to those in other industries, these regulations guide hospitals and health providers in managing their security, but provide a certain level of interpretation and flexibility that allows them to respond to ever-changing challenges.

“What is at the forefront will come and go but people want to be able to sit down with a doctor, social worker or psychologist and tell them things and feel they will be protected, and I think the (professionals) understand that,” said David Szabo, a partner at law firm Locke Lord Edwards who works with hospitals around data security.

Safeguarding stored electronic medical records that don't need to be immediately accessed requires the use of security safeguards such as firewalls. The challenge in the medical field is providing secure access to vital information when minutes, even seconds, count.

In the cases in which patient data must be accessed remotely or transmitted, hospital technology officials rely on encryption — which makes data unreadable without the proper code to unscramble the data — to create secure connections and allow the flow of data.

Encryption is also a key component in safeguarding sensitive information on laptops and mobile storage devices such as thumb drives. While Nicole Heim, chief information officer at Milford Regional Medical Center, tries to minimize the use of laptops, the information they carry is encrypted. The hospital will soon install technology from EMC that will allow encryption for all data held in storage, not just in transit.

But even the best defenses can be breached by the biggest vulnerability of any organization — the human factor. When a data breach affected the UMass Memorial Medical Group last year, it was not from an outside hack, but an employee who may have accessed billing information outside his or her job duties, according to UMass Memorial. This incident potentially affected 14,000 patients. UMass Memorial declined to comment on security for this report.

Ongoing training, communication

Hospitals use training and ongoing communication of security policies to curtail security issues. They will also limit access to what is needed by a particular employee and ensure, through system monitoring programs, that they're accessing information appropriately.

“As you expand the number of people who have access, you have a greater burden of work to keep that secure,” said Chantal Worzala, director of policy for the American Hospital Association. She explained that patients' Web access to their own medical files also opens up the system to infiltration.

But even as hospitals attempt to incorporate security measures and dole out the appropriate levels of access to employees, they must ensure that it doesn't interfere with patient care. At Milford Regional, new security measures go before its Physicians Advisory Committee before they're adopted.

“Any time you put security solutions in place, it is going to add a level of complexity,” Heim said. “So you have to weigh that. We need to protect the information, but we need to allow effective access to that so the doctors and nurses can have access to the information and care for the patients.”

This constant shifting and maneuvering of hospital defenses helps respond to ever-shifting security challenges. The hospitals must safeguard not just patient information, but also the financial information of patients and insurance subscribers, especially since credit cards and Social Security numbers are used.

Hospital equipment with interconnected and wireless capabilities has also been cited as a possible point of entry for malware and hackers. In fact, any connection through which a hospital's information system links to the outside world is a concern, said Worzala, even an infusion pump that transmits information wirelessly to electronic medical records as it injects patients with drugs. The U.S. Food and Drug Administration and American Hospital Association have said medical device manufacturers must also take potential security concerns into account.

Security will only grow as a concern and require more investment by hospitals and other health care providers. While large hospitals and hospital groups have at least one person dedicated to overseeing security, even small facilities must do the same. The ever-changing ways to gain access to sensitive information require vigilance from providers, said Heim, of Milford Regional.

“You can mitigate all the risks you have today and then tomorrow have new risks,” she said. “You have to be aware of what is in the market and what is happening in the industry.”
