Examining Healthcare’s information security risks
Content provided by IBM ForwardView eMagazine.
How does a healthcare organization ensure that security policies don’t get in the way of the practice of medicine? Because unauthorized information access can be hard to detect, many healthcare providers institute blanket security policies to ensure compliance with regulations that protect patient privacy. But as a nonprofit healthcare organization in North Carolina discovered, understanding which areas are most likely at risk can result in better security policies that are less likely to impede treating patients.
“I’m surprised at how unprepared most of the [healthcare] industry seems to be when it comes to dealing with security,” says Avery Cloud, CIO of New Hanover Health Network (NHHN). “We’re really exposed, but nobody talks about it. I don’t think the industry is prepared for what full automation of patient records really means to healthcare.”
The need to secure patient information has become a major compliance challenge for the healthcare industry. Provider organizations in the United States must now comply with the stringent standards of the Health Insurance Portability and Accountability Act (HIPAA), as well as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO).
But as hospitals prepare for comprehensive information automation, healthcare management wonders which new systems and software can be monitored for intrusions and unauthorized information access. Understanding these matters can help guide future IT spending decisions, as well as ensure that hospital organizations do not face costly fines or lawsuits.
Cloud and the board of directors at the Wilmington, North Carolina–based nonprofit hospital network sought to identify which systems could be exposed to unauthorized data access, and discovered ways to track access as well as to understand the likelihood and consequences of undetected information breaches.
Managing security risks without compromising care
According to a recent study by the IT Policy Compliance Group, 70 percent of the compliance deficiencies in all organizations are directly related to flaws in IT security. The main sources of healthcare information breaches, says Chris Davenport, IBM senior managing consultant, stem from both intentional and unintentional actions, such as employees inappropriately accessing data, while unsecured networks leave hospital organizations susceptible to malicious software, outside interception of instant messages and peer-to-peer file sharing.
And what is this data? Davenport ticks off a list of personal information few people would want the world to have access to: “There’s information such as the social security numbers, credit card numbers, credit card numbers associated with expiration dates, expiration dates associated with security codes and IDs on the back of the cards,” he explains.
But understanding where in an organization these risks originate is critical, says NHHN’s Cloud. “I needed to understand the risks associated with everything from patient information to marketing and financial plans,” he says. “After all, compromising the security of our business could be just as problematic as compromising confidential patient information.”
Outside assessment pinpoints vulnerable areas
According to IBM’s Davenport, it is difficult to ascertain when a breach has occurred: “One of the biggest challenges that organizations face today is basically that whenever a security breach occurs, oftentimes it will go unnoticed.” Still, he says, organizations able to evaluate, or audit, system data logs—which provide a record of how and when information is accessed—can pinpoint areas likely to be the target of data security violations.
To further complicate matters, Davenport says that poring over this information manually is extraordinarily time-consuming and difficult for most healthcare organizations to perform. “That’s one of the challenges in the healthcare arena, actually, is that there’s so much information—whether it’s electronic medical records, whether it’s your business records or any of the thousands of records that are generated by physicians and physician practices that are associated with the hospital,” he says.
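The article describes audit logs that record who accessed what and when, and the difficulty of reviewing them by hand. As an added example, not code from the article or from IBM, here is a small Python review of constructed EHR access-audit records that applies a treatment-relationship check and a bulk-access threshold; the log records, the care-team roster and the thresholds are all constructed assumptions.

```python
"""Added example (not from the IBM/NHHN article): flag the kind of
inappropriate employee access that is hard to spot in raw audit logs."""
from collections import defaultdict

# Constructed sample audit records: (timestamp, user, patient_id, action).
AUDIT_LOG = [
    ("2024-03-01T08:02", "nurse.kim", "P1001", "view"),
    ("2024-03-01T08:10", "nurse.kim", "P1002", "view"),
    ("2024-03-01T09:30", "clerk.ray", "P2001", "view"),
    ("2024-03-01T09:31", "clerk.ray", "P2002", "view"),
    ("2024-03-01T09:32", "clerk.ray", "P2003", "export"),
    ("2024-03-01T09:33", "clerk.ray", "P2004", "view"),
    ("2024-03-01T12:00", "dr.lee", "P1001", "view"),
    ("2024-03-01T12:05", "dr.lee", "P9999", "view"),
]

# Constructed treatment-relationship roster: patients each user is assigned
# to. In a real deployment this would come from scheduling/ADT systems.
CARE_TEAM = {
    "nurse.kim": {"P1001", "P1002"},
    "dr.lee": {"P1001"},
    "clerk.ray": {"P2001"},
}

SENSITIVE_ACTIONS = {"export", "print"}  # assumed high-risk actions


def review_access(log, roster, bulk_threshold=3):
    """Return (user, reason, detail) findings for three rules:
    access with no treatment relationship, a sensitive action (export/print),
    and one user touching more distinct patients than bulk_threshold."""
    findings = []
    distinct = defaultdict(set)
    for ts, user, patient, action in log:
        distinct[user].add(patient)
        if patient not in roster.get(user, set()):
            findings.append((user, "no-treatment-relationship", f"{patient}@{ts}"))
        if action in SENSITIVE_ACTIONS:
            findings.append((user, "sensitive-action", f"{action}:{patient}@{ts}"))
    for user, patients in distinct.items():
        if len(patients) > bulk_threshold:
            findings.append((user, "bulk-access", f"{len(patients)} patients"))
    return findings


def users_flagged(findings):
    """Distinct users appearing in the findings, sorted for reporting."""
    return sorted({user for user, _, _ in findings})
```

Each finding is a lead for a human reviewer, not proof of a violation; the roster is the piece most organizations lack, and building it is what makes log review tractable.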
Cloud and his colleagues retained expertise from IBM’s security and compliance practice to determine which NHHN systems could be audited—as well as the best practices the three-hospital organization could implement to halt unauthorized information access.
Cloud says seeking outside help ensured that potential security problems would be discovered. “The truth is, unless you have the expertise to stay on top of all the issues around information security—and few healthcare IT organizations have the budget for that—you’re going to be vulnerable.”
In order to discover all areas that were potentially vulnerable, the IBM team used a set of specialized workbooks and worksheets that match current practices with HIPAA security provisions. This, says Cloud, allowed the examination of every system in the healthcare network—networks, servers, applications—to determine which NHHN systems were auditable. Information gathered through the assessment was then used to develop a program that would help NHHN make informed decisions about purchasing new security solutions, as well as form the basis of a guide to best security practices throughout the organization.
Information protection gets smarter in three key areas
The work IBM performed for NHHN has helped enhance security in three key aspects of the healthcare provider’s information systems:
- Improved confidentiality—which contributes to the privacy of data contained within information systems; it supports physician, patient and staff expectations and assists with compliance for regulations regarding the management of patient information
- Improved integrity—which supports the soundness of the information and ensures that it hasn’t been inappropriately altered without detection
- Improved availability—which means that information systems are functioning and accessible when needed, contributing to consistent financial results and patient safety
IBM’s Davenport says that healthcare isn’t the only industry that can benefit from examining systems capable of having their logs audited. “Information security is becoming more and more of an issue—a critical issue,” he says. “It’s affecting decisions by boards, it’s affecting decisions by managers, it’s affecting finances.”
While discovering system logs capable of being audited is just one way to achieve greater security, the examinations can go a long way in achieving compliance with regulations. As the IT Policy Compliance Group notes in a recent report, “The amount spent on compliance and data protection is a very small percentage of the financial value that is at risk. Good compliance pays for itself.”
- NHHN’s quest to achieve best practices in information security. Learn more about the 29 potential breaches and regulatory violations uncovered during the assessment and how NHHN is addressing them.
Content copyrighted by IBM Corporation.