A recent Wall Street Journal article highlighted the controversial debate around whether or not physicians should use email to communicate with their patients, prompting discussions across the healthcare industry. One expert, Joseph Kedar, a doctor associated with Mass. General Hospital, argues that email can be a valuable tool for building rapport between doctors and their patients, and that privacy concerns should not stand in the way of establishing greater patient trust. Sam Bierstock, the founder of Champions in Healthcare, takes the opposite view, arguing that the potential security and liability risks of email are just too high.
So who is right?
To answer the question of whether email can be used securely in healthcare, we need to step back for a minute. Let's review some of the key risks and trends driving the need for security in healthcare industries.
Four healthcare megatrends increase the need for better security
In clinical settings, information security issues today revolve around four related megatrends: keeping systems secure while not impeding their use; the modernization of electronic medical records and other systems; the arrival of new medical technologies into the workplace; and regulations requiring patient medical records and data to be kept private. Let's review each topic.
First, all healthcare firms must keep their systems secure in general — just like any other company. That means implementing effective measures to safeguard servers, devices and other equipment from attacks by fraudsters, criminals and your average wily hacker. As companies in all industries, not just healthcare, have discovered, this is easier said than done. According to the Ponemon Institute, healthcare-related breaches increased by 32 percent and cost organizations $6.5 billion in 2011. Security is hard — and getting harder.
Second, electronic medical records and other clinical systems introduce their own security concerns because of the rush to modernize them. For example, to date more than $2 billion in federal incentives have been paid out to 5,000 hospitals to connect systems together so that they achieve meaningful use, Stage 1. According to Gartner, by 2016 more than 80 percent of new emergency and ICU systems sold will be as modules of integrated health records systems. As with any newly purchased system, health records systems introduce new concerns because they can be deployed correctly and securely — or not.
Third, new computing technologies are transforming hospitals and doctors' offices. These include devices such as the iPad and other wireless tablets, Web-based applications and e-prescribing systems. The Apple App Store alone, for example, offers more than 200 clinical apps. More than half of providers expect to use mobile computing devices daily by the end of 2012. Although Apple vets these applications, the actual degree of security the apps provide is unknown.
Fourth, hospitals and clinics are confronted with the need — and challenge — to protect patient information. HIPAA regulations and others recently released around HITECH present complex challenges for so-called “covered entities” — hospitals, clinics and providers of care and their business associates — insurers, life sciences firms and suppliers. With all of these changes occurring across the industry, security is all too often an afterthought and networks are left wide open for hackers to steal valuable medical record information.
A prescription for security
Unfortunately, there is no foolproof cure for all security ailments related to hospital and clinical settings. Nor are there tried-and-true therapies that eliminate the security risks associated with all of the new technologies that are coming into the workplace.
That said, in working with a number of healthcare organizations, the prognosis isn't all that bleak. We've identified five best practices for increasing the security of covered entities' clinical infrastructure and their business associates. Healthcare organizations with strong security programs share five common elements:
1. Top-down oversight. Senior management teams of healthcare firms with successful programs set the tone for an informed, enterprise-wide perspective on security and risk oversight. This drives attitudes throughout the entire organization. Access to technologies and systems that support patient care comes first. But security and privacy run a very close second.
2. Rigorous risk assessment and audit. Though it can be painful, security-conscious healthcare organizations take a hard look at where they stand when it comes to their practices. They ask tough questions, then audit their processes formally and in a rigorous fashion. Typical questions include:
- What type of data resides on your systems? (Examples: credit cards, social security numbers and treatment details.)
- Where is electronic protected health information (ePHI) created, received or transmitted within your organization? (Examples: clinical systems, payment systems, file shares, spreadsheets and email.)
- What are external sources of ePHI? (Examples: vendors, consultants and business associates.)
- What are the less obvious ePHI sources? (Examples: mobile devices and employees.)
- What are the human, natural and environmental threats to systems that contain ePHI? (Examples: rogue administrators, hurricanes, network outages and device loss.)
- What self-protection methods are on the system? (Examples: system auditing and encryption.)
3. Tiered vendor risk management. Healthcare organizations are part of an extended supply chain containing numerous partners and vendors. Each has access to different levels of information about patients and medical care details. Security-conscious healthcare firms triage every third-party vendor they do business with and identify what sensitive data is transmitted, stored and processed outside of their organizations' walls. Most of these companies are considered “business associates” from a legal standpoint. The most critical business associates are screened to make sure they safely store and transport PHI, keep their sites and data centers free from intrusions, restrict and monitor administrator access, encrypt PHI when practical and have structured processes for breach notification.
4. Design for defaults. Balancing security and productivity is especially important in clinical settings. Successful healthcare firms know that access to critical systems without onerous security constraints can literally be a life-and-death matter. They strive to shape the working environment so that effective security policies are built into daily workflows. They use terminal service solutions to create “glove box” type environments that keep sensitive information off PCs and laptops. Using mobile device management (MDM) products, they leverage the hardware-based encryption built into mobile devices like Apple's iPad. The defining strategy is that employees should be able to enjoy security as a byproduct of how they do their work, without requiring much additional thought or effort.
5. Implement the right tools to secure ePHI. Healthcare firms with successful security programs use the right security tools for the job. Some tools fall into the category of no-brainers. For example, emails sent to patients should always be encrypted. Mobile devices should be secured with a reasonable pass code and managed properly. Networks containing systems that process patient data should be monitored for breaches and potential security risks. Firms can layer other technologies and services as needed, depending on the level of risk executives perceive and are willing to reduce or accept.
By following these five practices, healthcare organizations can maintain high levels of security of patients, infrastructure and business associates, without impeding productivity. They result in enhanced privacy for patients by safeguarding ePHI. And they enable healthcare organizations to confidently answer “yes” to the original question: Email can be used securely to communicate with patients.
About the author
Andrew Jaquith is chief technology officer at Perimeter E-Security. A recognized authority on data, endpoint and mobile security topics, he was previously a senior analyst with Forrester Research. Learn more at www.perimeterusa.com.