Archive for the ‘HIPAA’ Category

By Sylvia Rosen

Security breaches are, no doubt, bad for any business. In the healthcare sector, though, the potential consequences of a breach are worse: humiliating for the patient at best, dangerous at worst.

In 2010, 42,275 people were affected by the theft of paper healthcare records, one more reason for hospitals to make the switch to electronic health records. Yet industry experts say that electronic health records remain at risk from security breaches if they aren’t handled with care. Kroll Advisory Solutions found that the frequency of healthcare data breaches has risen steadily over the past six years, and that the main cause is a lack of training and awareness among staff.

“Human error by employees was a major factor in health breaches, according to respondents [in the 2012 Kroll/HIMSS Analytics Report]. Of the respondents, 79% said security breaches were initiated by an employee, and 56% said breaches occurred because employees had unauthorized access to information.” – Brian T. Horowitz, health writer at eWeek.

“Any server or other data warehouse with patient health information must be securely protected. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.” – Lisa Gallagher, senior director of privacy and security for HIMSS.

“Another significant takeaway [from the 2012 Kroll/HIMSS Analytics Report] is that mobile devices might be great for giving clinicians information at the point of care – but they’re not so good at keeping PHI safe. Nearly a third (31%) of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 2% in 2010 and 4% in 2008).” – Mike Millard, managing editor at Healthcare IT News.

“As healthcare organizations turn to sources like the cloud and like remote computing, one of the things I think that every healthcare organization should do is to look across its suite of applications, for those they are not hosting, that are not running on a remote server, that are running in the cloud if you will. They should be asking questions like, what logs are there, what security features are there, what record keeping is turned on? As we move toward portability of electronic medical records, as we move toward new and evolving systems of payment, you can be certain that the risk factors are going to change. So, I think the key is continual vigilance; you can never get to the point of saying it’s good enough. Because the best you can do is say it is good enough right now, today, under the circumstances in which we find ourselves.” – Alan Brill, senior managing director at Kroll Inc.

Security breaches in the healthcare industry may be inevitable. But with employee training, awareness and strong encryption of data on devices, healthcare professionals stand a better chance of keeping their patients from becoming victims.

Sylvia Rosen is an online writer who writes on a variety of security topics, trends and tools, such as document management systems.

Earlier this week, we explored the many medical breakthroughs that could stem from mobile health innovations. Today, let’s consider the security requirements that must be met to enable them.

Security Must Be Paramount

Considering how sensitive and valuable medical information is, proper precautions must be taken to secure this data before mobile health can become mainstream. If hackers or disloyal employees read or manipulate health data sent via mobile applications, the consequences range from embarrassment to, frankly, death. It’s easy to see why securing these connections is absolutely critical.

Mobile health, however, places special demands on a VPN: it requires both very high security and flexibility. A healthcare application might, for instance, use an insecure public Wi-Fi network to communicate with the IT system of a hospital or medical office. To maintain security in such a scenario, the VPN client must adapt automatically to whatever network it finds itself on, so that the tunnel is established without the user having to change any settings.

The same requirements apply to smartphones and tablets used by nurses in elderly or outpatient care. Such solutions relay patient information, from homes or hospitals, to the central database, typically over a VPN connection. So again, the VPN connection must adapt flexibly to a variety of networks, given the unpredictability of the locations involved. And because many healthcare workers have no technical training, the VPN must be easy to use, so that convenience is never traded against security.

There’s no doubt mobile health offers many opportunities to lower the cost of healthcare and greatly improve efficiency and convenience. The question is: can we ensure that this is done securely?

It’s no secret that healthcare is going mobile. According to a recent survey of 250 mobile executives from around the world, 78% said they consider the healthcare vertical to have the most to gain from 4G connectivity. Yet with the increasing dominance of open platforms like Android and the huge diversity of mobile devices, maintaining mobile health security will be an ongoing challenge for healthcare organizations.

This year, a study by Boston Consulting Group and the telecommunications company Telenor found that mobile health could lower the cost of caring for the elderly by 25% and cut the cost of caring for the chronically ill by up to 75%, by reducing the number of in-person medical consultations. Mobile health would not only significantly lower the number of doctor visits required for care, but could also make the caregiving process more integrated and seamless overall.

For instance, consider smartphone apps that can communicate directly with medical personnel or close family members so that vital signs for chronically ill patients can be monitored—and assistance can be offered—in the event of an emergency. This would help lighten the burden on caregivers, enabling them to stay connected with patients and be alerted to any health changes. Beyond this, mobile health has tremendous potential to enable doctors to collaborate on care, accelerate the diagnosis process and much more.

But what about mitigating the security risks around mobile health? We’ll look into that in part two – stay tuned.

Healthcare IT News recently asked its readers which kind of healthcare data breach worries them the most. Not surprisingly, the vast majority (80%) of respondents said an electronic data breach or hack, while only 13% worried about hardware theft, followed by 7% concerned about the theft or loss of paper records. This concern is warranted. A recent article in the Fort Worth Star Telegram, for instance, highlighted the growing trend of doctors using smartphones and tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010, and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years.

So what does this look like? Here’s an anecdote from the piece:

If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong.

The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time.

According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms.

Groundbreaking, indeed. But what about from a security perspective? We’d like to hear from you if you work for a healthcare organization that is using mobile devices this way.

This week, we feature the final part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: How can patients manage the sharing of their health data?
Martin Rosner: Sharing of health data can be realized only if there are means to prevent unauthorized access to the data and to protect it in accordance with security and privacy regulations. Furthermore, patient empowerment is an important aspect of preventative care—increasing the number of educated patients who have more control over their own healthcare increases the likelihood that conditions will be caught before they become more serious. Soon patients will have more fine-grained control over the dissemination of personally identifiable information as related to health status. Electronic consent that specifies and governs the use of patient health data will furthermore increase consistency, compliance and efficiency for both patients and healthcare providers in this process.

VPN Haus: What role does Continua play in this?
Rosner: Our architecture addresses several requirements enabling digital consent. Patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, such as on an at-home device or online. Digital consent should propagate with patient data, and the systems of service and care providers should enforce it. Our 2011 guidelines will address the first two requirements, while work has begun to address the third requirement in the next release.

VPN Haus: Technically speaking, how does this consent management process work?
Rosner: Setting the enforcement piece aside, the 2011 specifications address consent management with the use of the HL7 CDA R2 Consent Directive standard. This recently approved draft standard for trial use defines a document format for digital consent and enables the expression of structured patient consent policies. An advantage is that, because it is based on CDA R2, well-defined protocols exist for the exchange of these documents, such as the IHE XD* family of profiles.
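The three requirements Rosner lists (patients define their consent, the consent propagates with the data, and the receiving systems enforce it) amount to a policy decision point that travels with the record. The following is an added example written for this page; it is not Continua's, Philips' or HL7's code, and it does not use the real HL7 CDA R2 Consent Directive format. The `<consentDirective>`/`<rule>` element names, the role and purpose vocabulary, the patient identifier format and the sample record are all invented for illustration. What it demonstrates is the enforcement piece, the third requirement: a record carries its own consent document, and a release function refuses access when the document is missing, unreadable or belongs to a different patient, applies deny-overrides-allow, and denies by default when no rule matches.

```python
"""
Added example, not code from Continua, Philips or the page: a minimal
enforcement point for a patient consent directive that travels with the
patient's record.

Assumptions (invented for illustration, not the HL7 CDA R2 Consent Directive
schema): the <consentDirective>/<rule> element names, the role and purpose
vocabulary, the patient identifier format and the sample record below.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    requester_role: str   # e.g. "physician", "nurse", "billing"
    purpose: str          # e.g. "treatment", "payment", "marketing"


@dataclass
class PatientRecord:
    patient_id: str
    data: dict
    consent_xml: Optional[str]   # the consent directive propagates with the record


@dataclass(frozen=True)
class Rule:
    effect: str    # "allow" or "deny"
    role: str      # requester role, or "*" for any
    purpose: str   # purpose of use, or "*" for any

    def matches(self, req: AccessRequest) -> bool:
        return (self.role in ("*", req.requester_role)
                and self.purpose in ("*", req.purpose))


def parse_consent(xml_text: str) -> Tuple[str, List[Rule]]:
    """Parse the (simplified) consent document into the patient it covers and its rules."""
    root = ET.fromstring(xml_text)
    if root.tag != "consentDirective":
        raise ValueError(f"unexpected root element {root.tag!r}")
    patient_id = root.get("patientId")
    if not patient_id:
        raise ValueError("consent directive does not name a patient")
    rules = []
    for el in root.findall("rule"):
        effect = el.get("effect")
        if effect not in ("allow", "deny"):
            raise ValueError(f"rule has invalid effect {effect!r}")
        rules.append(Rule(effect, el.get("role", "*"), el.get("purpose", "*")))
    return patient_id, rules


def decide(record: PatientRecord, req: AccessRequest) -> Tuple[bool, str]:
    """Policy decision: fail closed, deny overrides allow, default deny."""
    if record.consent_xml is None:
        return False, "no consent directive attached; failing closed"
    try:
        consent_patient, rules = parse_consent(record.consent_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, f"unreadable consent directive: {exc}"
    if consent_patient != record.patient_id:
        # A directive that does not belong to this record must never authorize access.
        return False, "consent directive belongs to a different patient"
    matched = [r for r in rules if r.matches(req)]
    if any(r.effect == "deny" for r in matched):
        return False, "explicit deny"
    if any(r.effect == "allow" for r in matched):
        return True, "explicit allow"
    return False, "no matching rule; default deny"


def release(record: PatientRecord, req: AccessRequest) -> dict:
    """Policy enforcement: hand out the data only when the decision is allow."""
    allowed, reason = decide(record, req)
    if not allowed:
        raise PermissionError(reason)
    return record.data


# Constructed sample data (not from the page).
CONSENT_XML = """<consentDirective patientId="urn:example:patient:123">
  <rule effect="deny"  role="*"         purpose="marketing"/>
  <rule effect="allow" role="physician" purpose="treatment"/>
  <rule effect="allow" role="nurse"     purpose="treatment"/>
  <rule effect="allow" role="billing"   purpose="payment"/>
</consentDirective>"""

RECORD = PatientRecord("urn:example:patient:123",
                       {"vitals": {"bp": "120/80"}}, CONSENT_XML)

if __name__ == "__main__":
    for role, purpose in [("physician", "treatment"), ("physician", "marketing"),
                          ("researcher", "research")]:
        print(role, purpose, decide(RECORD, AccessRequest(role, purpose)))
```

The design choice worth noting is that every failure path returns a denial rather than raising through to the caller with the data still reachable: a missing or unparsable directive, or one issued for another patient, is treated the same as an explicit deny. In a real deployment the XML would be an actual CDA R2 document exchanged via the IHE profiles Rosner mentions, and the role and purpose values would come from the coded vocabularies those standards define.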