The study evaluated current industry information security practices, assessed the level of risk related to EHR systems, benchmarked healthcare information security practices against other industries, and produced a set of recommendations on protecting information systems in the healthcare industry. It addressed concerns over the impact on the adoption of e-health from security breaches in EHRs and PHRs. The study surveyed security professionals representing approximately 850 healthcare provider organizations and showed an increasing level of annual security breach encounters reaching 1.5 million this year. The main conclusion of the study was that the healthcare industry must do more to protect EHRs.
Most patient healthcare records are accessed from some sort of Web-based system. These systems are vulnerable to hackers, viruses, unauthorized access, malicious code and other forms of intrusion. Most healthcare companies cannot realistically afford the time, budget and resources that go into assembling an appropriate defense for these systems. As the industry evolves beyond just HIPAA compliance and fully realizes the potential of using EHRs to improve quality and efficiency, sound security practices will be vital to the wellbeing of healthcare organizations.
Since security is not a core competency of healthcare organizations, they can look to a security software-as-a-service approach to alleviate the burdens of time, resources, compliance liability and expense. These security services are provided “on demand” at a predictable monthly subscription rate that is a fraction of the cost to the healthcare provider that it would take to build the infrastructure and hire the staff required to do this themselves. It eliminates the costs of continuous upgrades, compliance audits and tests, additional IT staff, and lengthy network integration projects. This approach offers several different layers of security for the most robust defense and full compliance coverage.
All but the largest organizations can be completely overwhelmed with the time and resources required to put the proper audits in place to be in compliance. According to a recent Gartner Report by Richard Mogull, “Top Five Steps to Prevent Data Loss and Information Leaks,” from lost laptops to misplaced backup tapes to accidental e-mails filled with sensitive information, we seem to be in the midst of a data-loss epidemic, with tens of millions of individuals receiving data-loss notification letters this year.
In the following sections, I will explore the top five solutions that healthcare companies can use to protect EHRs.
Solution 1
Monitor all outbound network traffic and look for policy violations. This includes all e-mail and Web traffic. The tools that are needed to help prevent data loss or theft in this solution include:
· Network Intrusion Detection/Prevention — make sure that you are watching for malicious incoming traffic.
· E-mail Content Filtering — enforce rules that sensitive information can not be sent though normal e-mail.
· Web Browsing Content Filtering — make sure that when your employees are surfing the Web, they are not downloading malicious code.
· Restrict IM to an “Internal Only IM Service” — This is a huge security risk if you are allowing IM outside of your organization.
Solution 2
Assume that all lost tapes/media have the potential for exposure of sensitive information. The tools that are needed to help prevent data loss in this case include:
· Investigate offsite storage options — maybe a secure remote data backup solution is better than tape or disk shipments.
· Encrypt during delivery and storage — things will get lost or stolen, and anything shipped needs to be encrypted.
· Own the encryption key — so you are the one in control of the encryption.
Solution 3
Workstations and laptops can be a major source of loss, resulting from:
· Poor configurations
· Out-of-date anti-virus and spyware protection
· Policies on portable media
The tools that are needed to help prevent data loss or theft in this solution include:
· A formal patch-management program — make sure that you are patching all software, not just Microsoft applications. More attacks now are coming through other applications like Adobe because organizations are not as diligent about patching these applications.
· A personal firewall
· Comprehensive anti-virus and anti-spyware — make sure that all PC servers have the latest AV and spyware protection and that updates are pushed automatically so that no human intervention is required.
· Restrict use of CD-ROM and USB devices, and enforce encryption when downloading to them.
· Cable lock laptops to work areas to prevent them from being stolen.
Solution 4
Laptops and e-mail can be another major source of loss.
· Lost laptops — full information accessible to anyone
· Ease of use leading to easy transfer of sensitive data
The tools that are needed to help prevent data loss or theft in this solution include:
· E-mail — enhance your content filtering with encrypted delivery program
· Encrypt laptop drives
· Secure portable media
Solution 5
Database monitoring tools are needed to look for suspicious activity. According to the above cited Gartner report, database activity monitoring tools observe all activity within a database, record this activity in a secure repository and generate instant alerts for unusual activity. Through detection of unusual behavior, database activity monitoring can limit insider misuse of database systems, enforce separation of duties for database administrators and limit certain external attacks, all without affecting database performance.
The tools that are needed to help prevent data loss or theft in this solution include:
· Separation of duties so that no one person controls everything.
· Employee security-awareness training
· Host intrusion detection and prevention on critical servers so that you can be alerted to any suspicious activity that may occur.
With so many different layers of defense needed today such as e-mail, user, network, system, vulnerability, and intrusion, it can be quite difficult for any organization to decide where to start. Virtually all healthcare organizations have at least two or three layers of defense in place, so the big question becomes: what else do I need and what should I do next?
It has long been understood that a layered approach is the best defense. It is important for healthcare companies to focus their efforts in the most risk-appropriate areas. With thousands of security technologies on the marketplace, it can get very confusing. A proper risk analysis will help healthcare companies focus their funds on the layers of security that will help them most and avoid those that are not essential.
Clark Easterling is vice president of marketing at Milford, Conn.-based Perimeter eSecurity.
