Posts Tagged ‘mhealth’

By Sylvia Rosen

Security breaches are, no doubt, terrible for business owners. But when dealing with the healthcare sector, these breaches intensify in their potential for causing humiliating or potentially dangerous ramifications.

In 2010, 42,275 people were affected by stolen paper healthcare records, encouraging hospitals to make the switch to electronic health records. Still, industry experts say that electronic health records remain at risk from security breaches if they aren’t handled with care. Kroll Advisory Solutions found that the frequency of healthcare data breaches has increased steadily over the past six years, and the main cause is a lack of training and awareness among staff.

“Human error by employees was a major factor in health breaches, according to respondents [in the 2012 Kroll/HIMSS Analytics Report]. Of the respondents, 79% said security breaches were initiated by an employee, and 56% said breaches occurred because employees had unauthorized access to information.” – Brian T. Horowitz, health writer at eWeek.

“Any server or other data warehouse with patient health information must be securely protected. The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities. Security steps for mobile devices should be included in the action plans so that guidelines are set.” – Lisa Gallagher, senior director of privacy and security for HIMSS.

“Another significant takeaway [from the 2012 Kroll/HIMSS Analytics Report] is that mobile devices might be great for giving clinicians information at the point of care – but they’re not so good at keeping PHI safe. Nearly a third (31%) of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 2% in 2010 and 4% in 2008).” – Mike Millard, managing editor at Healthcare IT News.

“As healthcare organizations turn to sources like the cloud and like remote computing, one of the things I think that every healthcare organization should do is to look across its suite of applications, is for those they are not hosting, that are not running on a remote server, that are running in the cloud if you will. They should be asking the questions like, what logs are there, what security features are there, what record keeping is turned on? As we move toward portability of electronic medical records, as we move toward new and evolving systems of payment, you can be certain that the risk factors are going to change. So, I think the key is continual vigilance; you can never get to the point of saying it’s good enough. Because the best you can do is say it is good enough right now, today, under the circumstances in which we find ourselves.” – Alan Brill, senior managing director at Kroll Inc.

Security breaches in the healthcare industry might be inevitable. But with employee training, awareness and advanced data encryption on devices, healthcare professionals stand a better chance at preventing their patients from turning into victims.

Sylvia Rosen is an online writer who writes on a variety of security topics, trends and tools such as document management systems.

It’s no secret that healthcare is going mobile. According to a recent survey of 250 mobile executives from around the world, 78% said they consider the healthcare vertical to have the most to gain from 4G connectivity. Yet, with the increasing dominance of open platforms, like Android, and the huge diversity of mobile devices, maintaining mobile health security will be an ongoing challenge for healthcare organizations.

This year, a study by Boston Consulting Group and telecommunications company Telenor found that the implementation of mobile health could lower costs of caring for the elderly by 25%, while potentially reducing caretaking costs for the chronically ill by up to 75%, by reducing the number of in-person medical consultations. Not only would mobile health significantly lower the number of doctor visits required for care, but it could also ensure an overall more integrated and seamless caregiving process.

For instance, consider smartphone apps that can communicate directly with medical personnel or close family members so that vital signs for chronically ill patients can be monitored—and assistance can be offered—in the event of an emergency. This would help lighten the burden on caregivers, enabling them to stay connected with patients and be alerted to any health changes. Beyond this, mobile health has tremendous potential to enable doctors to collaborate on care, accelerate the diagnosis process and much more.

But what about mitigating the security risks around mobile health? We’ll look into that in part two – stay tuned.

This week, we feature the second part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: Let’s talk about identity management. What is it and what role does Continua play in this process?

Martin Rosner: We’ve included identity management tools in the upcoming 2011 Continua specifications to assure correct association of health information to patients’ identities. A person will typically have different identifiers at each system in a distributed architecture. For example, end users may have different credentials and means to identify and authenticate themselves across all devices deployed. The measurement device may only be able to identify the current user and assign a short and locally unique identifier to them. Such local identifiers must then be mapped to credentials on the Application Hosting Device (AHD) such that the measured data is properly linked with the correct user. Finally, such credentials on the AHD may further be mapped to multiple online systems that require uniqueness in their respective security domains. (See figure above for a diagram of the Continua interoperability paradigm including AHD.) All this implies that linking and cross-referencing identities on AHD, WAN and HRN systems should be possible.

VPN Haus: Is cross-referencing these identities necessary? How would it be done?

Rosner: Up to now, service providers often created a vertically integrated solution and dealt with this using manual methods, but larger numbers of patients, operational cost pressures, less vertical integration and vendor interoperability are pushing towards standardized inherent identity solutions. Vital sign uploads should be unambiguously linked to a particular patient, and identity linking should be integrated (such as part of registration, update and enrollment), should use interoperable protocols, and preferably be user initiated. Continua’s specifications are currently focusing on providing the framework for doing such linking and cross-referencing while allowing for different authentication and identification schemes to be deployed. As such, the flexible architecture will allow implementers to decide on specific identification and authentication means based on local policies and results obtained from targeted threat analysis and risk assessments.

This week, we’re featuring Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: What is Continua’s role in the telehealth domain?

Martin Rosner: Continua’s focus is on standardizing interoperable personal connected health devices and services. We have a unique architecture that enables electronic communication of personal health information between the consumer and the health management organization.


VPN Haus: Are there security concerns with transferring this data?

Rosner: Often, this sensitive information includes vital signs of the remote patient so security and privacy concerns must be addressed. We’re working to address these concerns by enabling point-to-point and end-to-end mechanisms to ensure confidentiality, integrity, and availability of the communicated health information.

VPN Haus: What are you doing to secure data transfer?

Rosner: We dedicated a group of pros to tackle this issue, referred to as the End-to-End Security Task Force. This team focuses mainly on identifying appropriate standards to address transaction level security. In 2009, we issued our Version 1 architectural specifications which addressed security and privacy issues focused on Personal Area Network (PAN) and Health Record Network (HRN) interfaces. We updated that with last year’s release of the Version 2010 guidelines, adding significant security features for the Wide Area Network (WAN) and Local Area Network (LAN) interfaces. For the most part, this addressed point-to-point security issues thereby ensuring that the delivery of sensitive health information across our architecture preserves confidentiality, integrity and authenticity. Our current scope is to address several security issues from the device to the gateway to the electronic health record with our 2011 Design Guidelines scheduled for release later this year, namely providing security-related specifications focusing on identity management, integrity and data origin authentication, and consent management.

Stay tuned for Part 2 of our conversation with Rosner.

By Robert Dutt

For resellers and other IT solution providers supporting healthcare clients, a VPN is as ubiquitous a tool as the stethoscope their customers use every day.

“We will not support a client without a VPN. Period,” says Moshe Birnbaum, director of operations at EZ MSP, a Yonkers, NY-based solution provider.

Fellow solution provider Stemp Systems Group, out of Long Island City, NY, considers the technology an equally important component of its healthcare business. President and founder Morris Stemp says the company currently maintains some 750 VPN-based connections to its clients.

So, why are VPNs so critical for healthcare solution providers? For one, VPNs are a significant part of the infrastructure these providers deploy and maintain for their customers. And VPNs are the platform on which to build new applications and solve deep-seated customer problems.

“Part of the Infrastructure”

Both EZ MSP and Stemp offer managed IT services for healthcare clients — from doctors’ offices to hospitals. This means, in some cases, the solution providers act as a completely outsourced IT department — especially for many smaller clients. To successfully do this, solution providers need a VPN to quickly access technology on clients’ networks and to make sure everything is running as smoothly as possible.

“We look at [VPN] as part of the infrastructure,” Birnbaum says. “It’s also a service opportunity that’s covered under the company’s support contract with their customers.”

Stemp says that with just an IP address, his company can connect to any of its clients in seconds. To maximize uptime for customers’ mission-critical systems, the company rolls out dual redundant firewalls and Internet connections with clients.

“They simply must always be active in order for us to provide our service to our customers,” he adds.

Also, because the healthcare industry is so highly regulated, VPNs are an apt tool for connecting to medical facilities. In fact, security requirements force most medical offices to have firewalls in place to protect electronic medical records, Stemp says.

“HIPAA requires [medical organizations] have [firewall] technology available, and we take advantage of that functionality,” he says.

And from a managed service provider’s point of view, VPNs offer an elegant and efficient way to have instant access anywhere into a customer’s infrastructure, even amid the myriad devices on diverse networks spread out around a region or even the world.

“It means we’re supporting a centralized appliance as opposed to individually configuring every computer on the network for remote access,” Birnbaum points out.

“It’s Very Different than the Way Most People Use VPNs”

But infrastructure – the plumbing aspect of a technology solution – only goes so far for a reseller. To truly show their customers value and help move them into new levels of efficiency and productivity, solution providers have to continually offer innovation and new functionality.

Although it may seem like a simple and obvious way to use a VPN, Stemp says the biggest game-changer for many of his clients is actually being able to securely connect to data on the customer network away from the office.

“It totally changed the lives of our doctors, who no longer had to rush to the office to check records when a patient calls up outside of business hours,” Stemp says.

Remote access also significantly changed Stemp’s own customer support models. Before remote access, much of the company’s support requirements were during business hours, from an office. But with easy and ubiquitous access anywhere or anytime, Stemp says he has to provide more responsive service for multiple locations at any time, 24/7.

“It magnified our support requirements,” Stemp says. “When [clients] can’t connect, we now have to diagnose that. And that includes on weekends and nights when we were effectively closed.”

Tablet computing is emerging as the next frontier for remote access to electronic medical records. Although Stemp initially struggled with a functional and reliable VPN connection to the Apple iPad, he says, the company has crossed that hurdle and now has doctors using tablets both in the office and securely from just about anywhere.

The biggest challenge remains the lack of electronic medical records applications designed for the touch interface of the iPad or Android-based tablets.

“We need iPad apps from the EMR companies,” he says. “Right now, you’re essentially just doing terminal services to your desktop, and navigating information that’s designed for a 19-inch screen on your nine-inch tablet screen.”

For EZ MSP, VPNs that meet a very specific customer need open new revenue streams. For instance, in order for medics to be reimbursed for keeping an eye on some key vital sign measurement systems during surgery, those eyes must belong to an MD. But keeping a doctor on-hand for every surgery in every surgical suite is impractical and inefficient. However, since the eyes on the monitor don’t have to be in the surgical suite, EZ MSP sometimes uses a VPN to connect from the surgical suite to a doctor’s office. This way, a remote doctor can monitor the systems in real-time over the network – making this a much more efficient and scalable model.

“It’s still extending the network, but it’s very different than the way most people use VPNs,” Birnbaum adds.

The Cloud Effect

Cloud computing is a megatrend that’s reshaping almost every aspect of the technology industry today, but providers have different perspectives on how their clients are thinking about the cloud.

EZ MSP’s Birnbaum says because critical line-of-business applications are still not offered in hosted or Software-as-a-Service models, the cloud isn’t “much of a factor” for many customers. But that’s not to say that EZ MSP is steering clear of the trend entirely.

“We are pushing people towards going to hosted [Microsoft] Exchange,” Birnbaum points out.

At Stemp, they’re hosting as many as 40 virtual servers for some of their larger clients in Stemp’s own data center, building a private cloud environment, and other clients are re-architecting their own server room or data center for a more flexible, elastic, cloud-like structure.

In both cases, Stemp says, VPN connections remain a key enabling tool.

“It just makes it much easier to get to those hosted services,” he says.