Home  > Examining Healthcare’s information security risks
Share Share Print Print Version Mail Email

Other Translations

Examining Healthcare’s information security risks

Content provided by IBM-ForwardView eMagazine .

View Video  

How does a healthcare organization ensure that security policies don’t get in the way of the practice of medicine? Because unauthorized information access can be hard to detect, many healthcare providers institute blanket security policies to ensure compliance with regulations that ensure patient privacy. But as a nonprofit healthcare organization in North Carolina discovered, understanding areas most likely at risk can result in better security policies that are less likely to impede treating patients.

“I’m surprised at how unprepared most of the [healthcare] industry seems to be when it comes to dealing with security,” says Avery Cloud, CIO of New Hanover Health Network (NHHN). “We’re really exposed, but nobody talks about it. I don’t think the industry is prepared for what full automation of patient records really means to healthcare.”

The need to secure patient information has become a major compliance challenge for the healthcare industry. Provider organizations in the United States must now comply with the stringent standards of the Health Insurance Portability and Accountability Act (HIPAA), as well as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO).

But as hospitals prepare for comprehensive information automation, healthcare management wonders which new systems and software can be monitored for intrusions and unauthorized information access. Understanding these matters can help guide future IT spending decisions, as well as ensure that hospital organizations do not face costly fines or lawsuits.

Cloud and the board of directors at the Wilmington, North Carolina–based nonprofit hospital network sought to identify which systems could be exposed to unauthorized data access —and discovered unique ways to track access, as well as understand the likelihood and consequences of undetected information breaches.

Managing security risks without compromising care

According to a recent study by the IT Policy Compliance Group, 70 percent of the compliance deficiencies in all organizations are directly related to flaws in IT security. And the main sources of healthcare information breaches, says Chris Davenport, IBM senior managing consultant, stem from both intentional and unintentional actions, such as employees inappropriately accessing data, while unsecured networks leave hospital organizations susceptible to malicious software, outside interception of instant messages and peer-to-peer file sharing.

And what is this data? Davenport ticks off a list of personal information few people would want to the world to have access to: “There’s information such as the social security numbers, credit card numbers, credit card numbers associated with expiration dates, expiration dates associated with security codes and IDs on the back of the cards,” he explains.

But understanding where in an organization these risks originate is critical, says NHHN’s Cloud. “I needed to understand the risks associated with everything from patient information to marketing and financial plans,” he says. “After all, compromising the security of our business could be just as problematic as compromising confidential patient information.”

Outside assessment pinpoints vulnerable areas

According to IBM’s Davenport, understanding when a breach occurs is difficult to ascertain, “One of the biggest challenges that organizations face today is basically that whenever a security breach occurs, oftentimes it will go unnoticed.” Still, he says, organizations able to evaluate, or audit, system data logs—which provide a record of how and when information is accessed—can pinpoint areas likely to be the target of data security violations.

To further complicate matters, Davenport says that poring over this information manually is extraordinarily time-consuming and difficult for most healthcare organizations to perform. “That’s one of the challenges in the healthcare arena, actually, is that there’s so much information—whether it’s electronic medical records, whether it’s your business records or any of the thousands of records that are generated by physicians and physician practices that are associated with the hospital,” he says.

Cloud and his colleagues retained expertise from IBM’s security and compliance practice to determine which NHHN systems could be audited—as well as the best practices the three-hospital organization could implement to halt unauthorized information access.

Cloud says seeking outside help ensured that potential security problems would be discovered. “The truth is, unless you have the expertise to stay on top of all the issues around information security—and few healthcare IT organizations have the budget for that—you’re going to be vulnerable.”

In order to discover all areas that were potentially vulnerable, the IBM team used a set of specialized workbooks and worksheets that match current practices with HIPAA security provisions. This, says Cloud, allowed the examination of every system in the healthcare network—networks, servers, applications—to determine which NHHN systems were auditable. Information gathered through the assessment was then used to develop a program that would help NHHN make informed decisions about purchasing new security solutions, as well as form the basis of a guide to best security practices throughout the organization.

Information protection gets smarter in three key areas

The work IBM performed for NHHN has helped enhance security in three key aspects of the healthcare provider’s information systems:

·   Improved confidentiality—which contributes to the privacy of data contained within information systems; it supports physician, patient and staff expectations and assists with compliance for regulations regarding the management of patient information
·   Improved integrity—which supports the soundness of the information and ensures that it hasn’t been inappropriately altered without detection
·   Improved availability—which means that information systems are functioning and accessible when needed, contributing to consistent financial results and patient safety

IBM’s Davenport says that healthcare isn’t the only industry that can benefit from examining systems capable of having their logs audited. “Information security is becoming more and more of an issue—a critical issue,” he says. “It’s affecting decisions by boards, it’s affecting decisions by managers, it’s affecting finances.”

While discovering system logs capable of being audited is just one way to achieve greater security, the examinations can go a long way in achieving compliance with regulations. As the IT Policy Compliance Group notes in a recent report, “The amount spent on compliance and data protection is a very small percentage of the financial value that is at risk. Good compliance pays for itself.”

Learn more

Content copyrighted by IBM Corporation.

Share Share Print Print Version Mail Email
Comments &Ratings (0)
If you are a human, do not fill in this field.
Click stars to rate.
   Comments are truncated at 1000 characters


woman smiling
How can I survive an economic downturn? 5:58
When unpredictable swings in the economy occur that have a negative effect ...

man standing on beach
An Overview: SME Small Business Training6:24
Dr. Wililiam Osgood provides an introduction to Buzgate and the SME Toolkit.
girl at computer
Should I Incorporate My Business?5:37
There are several forms of business organizations to choose from when deciding whether to...
woman at white board
What type of bookkeeping/accounting system do I need?7:02
Using a reliable bookkeeping and accounting system in your business is key to supporting profitability...
people meeting
How do I manage business credit? 5:43
Business credit involves the strategic management of business and credit services...
woman at computer
How Do I Finance My Business? 8:20
There are many ways to finance both the start-up and growth of your business...
woman in business suit
Do I need to register or trademark the name of my business? 5:58
If you are doing business under any name but your own, you are required to ...

man with headset
How do I avoid business burnout?   5:58
Running your own business is demanding, dynamic and often unpredictable making it ...
asian woman
How can I build my business support networks? 5:58
Many of us have been told since early on in life that “it’s not what you know ...

ethnic woman
How can I sell my products/services to the Government? 5:58
Selling your products or services to the government can mean a significant source of ...
caucasian woman
Is email marketing a good strategy for my business? 5:58
Marketing, in any form, is a good strategy for most any business ...
caucasian woman
Do I need special insurance for my business? 5:58
It is wise for any business to possess a general business insurance policy, which includes liability  ...

Other Media

Powerful Tools for Entrepreneurs IBM, the IFC and a vast network of partners have provided entrepreneurs and small businesses with advice and guidance...
caucasian woman
Meet the Business Owners Five entrepreneurs talk about their experience and how the SME Toolkit has helped them build their businesses.