At West Virginia University (WVU) Hospitals, the traditional barriers of data protection have always been in place, but for Mark Combs that just wasn’t good enough.
Combs, the organization’s chief information security officer, says the Morgantown-based multi-hospital, nonprofit health system has tried to stay ahead of the game when it comes to use of electronic health records (EHRs) and the subsequent protection of that data. Even before it implemented its current EHR, from the Verona, Wis.-based Epic Systems, it had a physician order entry system from Eclipsys (now part of the Chicago-based Allscripts). Back then, it did manual audits of user activity from various systems to ensure there was no inappropriate access of protected health information (PHI).
Over time, leaders at WVU Hospitals decided they had to strengthen this capability, adding enterprise-wide audit manager software (from the Boxford, Mass.-based Iatric Systems), which allows the organization to monitor access to patient data across multiple applications. Combs says his organization didn’t take this extra step because of a single incident, but out of the realization that it had to do more.
“We wanted to be proactive,” Combs says. “We wanted to make sure we are preventing breaches. The mindset I tried to take is that our patients come to us for care and treatment of some pretty sensitive issues at times. If the patient doesn’t trust us with this information, then they are less likely to tell us if they have some sensitive issue going on with their body.”
In an increasingly dangerous environment for data protection, this is the mindset providers should take, say multiple data security experts. The stats back them up. A whopping 94 percent of healthcare organizations have had at least one data breach in the last two years, according to a 2012 independent study by the Ponemon Institute. The same study estimated that the overall economic impact of a breach has risen six-fold in the last few years and now costs millions.
Not just that, but as Jared Rhoads, a senior research specialist with the Falls Church, Va.-based CSC’s Global Institute for Emerging Healthcare Practices, and Mac McMillan, co-founder and CEO of CynergisTek, Inc. and current chair of the HIMSS Privacy & Security Policy Task Force, both explain, the threats to data security are evolving. Cybercriminals are becoming more sophisticated. “It’s much easier to be on offense than on defense,” says McMillan. For all these reasons, he and Rhoads implore providers to go above and beyond.
“We’re encouraging organizations to get out of the compliance mindset,” Rhoads says. “For a long time, security and privacy were dealt with as the sort of things you had to comply with. There was HIPAA [the Health Insurance Portability and Accountability Act] and maybe some state level laws. You basically needed to know the law and the requirements, and go through it like a checklist. That’s not sufficient anymore.”
PROTECTING PATIENT SAFETY
At WVU, investing in emerging technologies for data security comes down to that notion of patient safety. The organization feeds several different clinical and administrative data applications into the security audit manager simultaneously. The data comparison platform allows a team of auditors to see when PHI could possibly be misused, such as with VIP patients or in the case of neighbor snooping.
“The fact that we could correlate logs from different applications, when I was picking out a system, [this capability] was sort of unique. This pulls everything together and gives you that picture of what people are doing with the PHI in your organization. That’s important. One of the things HIPAA requires is that we know where PHI lives and how it’s working within our network,” Combs says.
For the diverse healthcare organizations that have gotten out of the compliance mindset and taken those extra steps, often, there are outlying reasons. At Riverside Medical Center, a 336-bed hospital in Kankakee, Ill., employing biometric dual-factor authentication, single sign-on technology (from the Lexington, Mass.-based Imprivata) made credentialing seamless and easy for its physicians, who were using several different log-ins for different clinical systems.
“Convenience was a big driver,” says Philip Bierdz, infrastructure manager at Riverside. In the past, to log onto an application, the doctor would be pulling out a small sheet of paper with their various passwords on it. Many times, he says, the physician would accidentally leave that paper at one station and have to rush back to get it. “We had to make it as simple as possible for the physician to use the technology; otherwise, they were going to rebel against the whole order entry process.”
The system Riverside implemented allows physicians to access an application with a fingerprint and one log-in. The use of their fingerprint allows the system to remember their credentials. If the fingerprint doesn’t read, they have to type in the password themselves. To Bierdz, the use of a secure fingerprint scanner wasn’t about regulatory compliance, but rather protecting patient information and their safety. The added fact that it made the physicians’ lives easier was a win-win.
TEXTING IN TEXAS
In terms of proactive measures surrounding data security, Bierdz has his sights set on text messaging in a medical setting. Because of its instant gratification appeal to both practitioners and patients, it’s becoming a desired technology in healthcare settings, but it presents some of the industry’s toughest challenges, he says.
“That’s a very difficult area for IT organizations to get their arms around, because text messaging goes through different end-point mediums. Doctors have their own phones. Hospitals sometimes provide their own phones to end-users. People have their own personal phones,” Bierdz says. Sending PHI over text messages, in an uncontrolled environment, is not only insecure, but a serious concern for providers. For this reason, IT leaders have struggled to come to grips with the bring-your-own-device movement, says CSC’s Rhoads.
In Lubbock, Texas, two healthcare organizations have taken aim at data security within the confines of mobile text messaging. Covenant Medical Group (CMG), a nonprofit medical group comprised of 182 physicians, adopted a comprehensive unified communications platform across the enterprise (from the Knoxville, Tenn.-based PerfectServe).
Seth Crouch, CMG’s director of ambulatory services, says the investment came from practitioners’ interest and use of text messaging to each other. Most were using their own devices, over their traditional cell phone networks, not realizing that it was probably inappropriate, he says.
Crouch brought in the messaging app, which can be used on both mobile and desktop devices, and got the physicians and nurses to buy in. The app, he says, has taken off, with nearly 100 percent of the physicians having adopted it within the medical group. Not only has it effectively secured text messaging, it has also improved care coordination across different specialties.
Across town is UMC Health, an integrated, 450-bed teaching hospital of Texas Tech University, with a Level 1 Trauma Center, a burn center, a cancer center, and other specialties. At that organization, Chris Akeroyd, director of IT infrastructure at UMC Health System, and other IT leaders have similarly invested in secure mobile text messaging (Imprivata), as a way to evolve beyond the old pager system and adapt securely to a growing physician need.
This app allows practitioners to instantaneously send out messages, often from nursing units to the physician, adhering to HIPAA-compliant protocols. While the physicians have benefited from this, ultimately, the patient is the big winner. “We understand the risk with using standard text message protocols, and we take that patient safety element seriously. We want to do what’s best for our patients,” says Akeroyd.
NOT JUST SECURITY
Leading-edge healthcare organizations have found numerous platforms to enhance data security in the age of digitization. At UMC Health alone, Akeroyd says the health system has implemented data loss prevention software (from Mountain View, Calif.-based Symantec) that watches all traffic within the network, focused on potential real-time data leakage. It is also in the process of establishing a computer incident response team that will monitor network traffic for more rudimentary purposes, i.e., virus detection.
According to Rhoads from CSC, other providers are looking at managed security systems as a way to tackle data security. This is when providers bring in a third-party IT security vendor to manage their operations, whether remotely or onsite. “You’re basically bringing in help from the outside. It’s treating security like a service you would purchase from a vendor. A lot of times it can be cheaper than trying to do it yourself,” he says.
Of course, Rhoads points to an issue that all healthcare providers, even the ones ahead of the pack, are encountering when it comes to proactive data security technology: return-on-investment (ROI). As CynergisTek’s McMillan notes, one of the challenges of bringing in these technologies is their perceived cost. With providers spending millions upon millions on EHRs and coding systems to comply with meaningful use and ICD-10, security gets left in the dust.
In this vein, McMillan says, healthcare IT leaders have to look at the system beyond the notion of security. Clearly, this is a strategy that has paid off for the UMC Healths, Riverside Medical Centers, and CMGs of the healthcare world.
“Don’t look at it as just a security system, look at it like it’s any other system, and do the analysis to identify the benefit and ROI from that technology. We look at other systems, and we say, ‘If we buy this bed tracking system, we’re able to funnel 13 more people through the system and accrue this much more revenue from an operational efficiency perspective.’ Look at security the same way, in terms of what is the cost of an outage or a data breach, and what this technology will do for ROI. We have to do a better job of understanding how these technologies fit into our businesses and contribute to the top and bottom lines,” McMillan says.