When it comes to data security, Dallas-based Children's Medical Center was a day late and a Blackberry short. On November 19 last year, a staff person reported a lost-and unencrypted-Blackberry, one that contained an e-mail with a spreadsheet attached. The spreadsheet listed some 3,800 patients who had been treated in the hospital's ICU.

Within a few hours, IT staffers at the center had remotely wiped the Blackberry clean of any data, and also determined that no one had sent any e-mails from the device. Despite these assurances, the medical center had to notify both the affected patients and the Department of Health and Human Services, disclosure stipulations mandated by the recent HITECH Act.

Ironically, the hospital was midway through a Blackberry encryption project when the theft occurred. And even though patient information most likely of value to identity thieves was not compromised (the file contained patient names, medical record numbers, and date of birth, but no Social Security numbers or addresses), officials there have suffered through an embarrassing lesson in data security. "In 20/20 hindsight, I only wish we had done the encryption project faster," says Bridget Aman, information privacy and security officer. "Patients were concerned that a piece of their record was gone. And some were very angry we failed to safeguard their data."

Children's is far from alone. More than a dozen episodes involving peripheral devices and storage media such as laptops, thumb drives, and CDs now populate the HHS Web page devoted to listing security breaches affecting 500 or more people (Children's was the only organization among 10 contacted that agreed to an interview; two provided copies of a media statement; the rest did not answer the interview request; see box, this page). The site is part of the new federal privacy and security regulations (see May cover story). And more names are likely to join the list, as in April and May several other incidents involving compromised devices were reported in the media.

Data security is no longer a theoretical issue in health care-experts concur that the days of lax HIPAA enforcement are behind us. Security is a high-stakes issue, one which could undermine public confidence in an individual hospital that must report a breach. And with the proliferation of devices, such as Blackberries, laptops, and thumb drives, the risk of data loss grows exponentially.

No Simple Solution

Storing protected health information behind a firewall is one thing; only a dedicated hacker has a chance of getting to it.

But data on unprotected portable devices? That's another issue. And while there are a variety of technologies available to help secure those easily misplaced laptops or storage devices, software alone is not going to curb the problem. An institutional culture around privacy and security needs to reinforce the technology before the industry can lay claim to data security.

"The weak link is human behavior," says James Carpenter, director of information technology and security, Parkland Health and Hospital System, Dallas. "Devices are getting smaller and more portable. And the expectation from individuals is that their devices will connect easily to the network and give them data at their fingertips. That expectation clashes with what HITECH is asking you to do, which is to have strict security controls and access management. You have to merge those two worlds."

According to some analysts, the health care industry is behind other industries facing similar problems. "Financial services firms have dealt with information security in a public manner,' says Mike Spinney, senior privacy analyst at the Ponemon Institute, a think tank devoted to data security issues. "Health care needs to do some catching up. There was a lot of fanfare under HIPAA about the privacy rule, but not a lot of enforcement. Now, we're seeing that change under HITECH." The proliferation of portable devices, Spinney says, makes it easy for negligent employees to lose sensitive data. While other industries face the same dilemma, health care is what Spinney dubs a "high trust industry." Organizations are entrusted with highly sensitive information beyond billing and financial data, he points out. Choosing a health care provider, for most consumers, is an exercise in relationship building-not seeking out the best deal. "That raises the stakes. When you choose a doctor, you are often looking for a long-term commitment."

Parkland Health is assessing its security environment in light of the new federal policies, Carpenter says. In late April, it issued a temporary ban on staff using personal laptops or storage devices while it crafts a consistent policy. In 2007, Parkland encrypted the 800 or so corporate-issued laptops used by its staff, using software from Credent Technologies, Addison, Texas. And in late 2006, it issued encrypted thumb drives, from Edge Tech Corp., Ada, Okla.

But the presence of personal laptops created confusion. Vendor employees might work in the hospital with their own laptops, while other hospital employees were prohibited by their departments from using theirs. "We put out the notice of the prohibition out of a sense of fairness," says Carpenter. "We had no unified stance. We may say we will assume the risk of allowing personal laptops, but the person will have to add encryption."

Understanding Needs

For Carpenter, crafting the new policy provides an opportunity to understand user needs. By understanding why a staff member needs to use a personal laptop or their own thumb drive, the health system can adjust its technology approach accordingly. "If there is a shortage of computers, maybe we need additional ones," Carpenter says. "And if people bring in their own thumb drives because we have not allocated adequate storage space, we will address it. We want to address the root concerns to take away the reasons people want to bring in personal devices."

Parkland might even lock down the USB ports across the enterprise - which contains some 7,200 computers - and enable only the corporate-issued encrypted flash drives to function on the network, Carpenter adds.

Other organizations have taken just that approach. Last year, the Los Angeles County Department of Health Services shut down about 4,000 USB ports across its five hospitals, which encompass some 18,000 desktop computers, says Don Zimmer, the department's information security officer. The move came in response to a board directive-predating HITECH-that called for strict end-point security.

Initially, the disabled ports were in areas of the hospital where portable storage needs were counter-intuitive, such as in house-keeping services, Zimmer says. To monitor the other 14,000 desktops, the health department uses software from Philadelphia-based Safend Inc. Now, when users attempt to use a thumb drive, they get a message informing them the storage device must be encrypted before proceeding.

The process is routine, Zimmer says, only requiring the user to set a password for the thumb drive. The only glitch with the Safend system, he says, is that it sometimes runs into difficulty encrypting inexpensive, mass-produced thumb drives.

The health department leaves some security policies to its member hospitals. Two of the hospitals configured the Safend system-which runs on local servers at each hospital-to accept only select, corporate-issued thumb drives. Other hospitals grant more latitude to their staff. The Safend package cost $245,000, Zimmer says.

As an added precaution, the health department encrypted its 1,200 laptops, using software from Pointsec, a division of Check Point Software Technologies, Redwood City, Calif. "If someone loses a laptop, and it is encrypted, we don't have to report the incident to the state or federal government," Zimmer says.

For many security-conscious hospitals, encrypting laptops is the low-hanging fruit of data security. Even those with strict policies against downloading protected health information to a laptop want to safeguard against lapses. Baylor Health Care System in Dallas is one organization that has taken a firm stand on data security.

With 20,000 employees scattered across 14 hospitals, it has to. Baylor has some 4,000 laptops in circulation, says David Muntz, senior vice president and chief information officer. Each has two-factor authentication, plus password turnover every 90 days. Using software from Sophos Inc., Burlington, Mass., Baylor is completing an enterprise encryption project which will protect its laptops, plus its thousands of desktops. The only glitch with the encryption effort, Muntz adds, is that the software requires error-free disks to work well. "You need really clean hardware before you encrypt."

Baylor is not relying on encryption alone. Two years ago, the health system implemented software from Vancouver-based Absolute Software that does what encryption could never accomplish.

If someone steals a computer, the vendor is notified, and activates technology that will wipe out any data from the device the next time it attempts to access the Internet. In addition, the software, called Computrace LoJack, enables the vendor to track down the physical location of the missing computer through an embedded piece of software that communicates with its servers on an ongoing basis.

Muntz is not sure exactly how that works-but he's pleased with the ability to track down thieves. Car theft is a common reason for laptops going missing, as staff may leave their computer behind, Muntz explains. "A lot of cars are stolen down here and we send the police out to recover them," he says.

Wipe Out

The LoJack software could be set to wipe out the entire operating system of a missing computer, and not only the data. By wiping out the data, but leaving the operating system intact, Muntz gives law enforcement an edge in tracking down the thief, who might unwittingly use the machine to connect to the Internet. "We want to recover data, but also make sure those people are treated appropriately," he says.

For many CIOs, end-point security is a means to an end-reassuring the public that their health information won't fall into the wrong hands. "A breach is bad enough," says Chuck Podesta, senior vice president and CIO at Fletcher Allen Health Care, Burlington, Vt. "But we are trying to get the public comfortable with this technology. We are setting up a PHR portal and its success depends on consumer confidence in our ability to keep their information private." Consumer access, he notes, is part of the meaningful use criteria for federal EHR incentive funds.

Last year, after the HITECH security law came out, Fletcher Allen encrypted all laptops and mobile media, using software from PGP Corp., Menlo Park, Calif. "We started with higher-risk devices used by clinicians," Podesta says. "The first step is to take care of mobile devices. That is where you will run into a problem. Anything removable is encrypted." That extends to both flash drives and CDs, Podesta notes, adding that an e-mail encryption effort is now underway.

Fletcher Allen spent about $45,000 on the PGP software and training, and about $100 per laptop to encrypt. "When you're spending millions on an EHR, it's not expensive," he says.

Overkill?

The encryption of email may seem like overkill, but as the Children's Hospital of Dallas episode reminds, unencrypted files can easily wind up on a lost device. That was the approach taken by Memorial Health System, a three-hospital delivery system based in Springfield, Ill. The health system is using software from Accellion, Palo Alto, Calif., to encrypt any e-mail attachments, says Jesse Whitehead, system director, infrastructure.

Clinicians can now send attachments to other physician practices without the IT burden of creating a secure point-to-point tunnel. Receiving physicians must register to access the e-mails, which are stored on a secure server, accessible via password.

Memorial Health typifies some of the tough political issues around data security. On the one hand, it simply disabled USB ports used by its 6,000 staff. It also encrypted some 100 laptops used for clinical documentation by its home health nurses. Other data is protected behind a firewall.

But when it comes to catering to community physicians, Whitehead faces a challenge. About 700 physicians treat patients at Memorial Health, and many of them use PDAs issued by another hospital in town. The physicians use the devices when making rounds, pulling down labs and test results. The data transfer is encrypted, but it is unclear what security protocols apply to any data stored on the PDAs.

Monitoring file transfer is a crucial aspect to end-point security, CIOs say. Baylor's set-up includes data monitoring technology that can detect when files containing sensitive information are being downloaded from its servers. "If people upload files from out network to some other network, we shut it off," says Muntz, the CIO. "We have caught consultants uploading information to their own websites."

Parkland Health has similar technology in place, says Carpenter, the security director. The system, from Websense, scans e-mails for sensitive information. "We might detect someone sending out their credit card number to their spouse, so we'll give them a courtesy call and tell them 10 or more people could see their card number before it reaches their spouse."

Parkland is activating other features of the security package to sidestep unwarranted data transfers to devices-despite the fact that the receiving device is encrypted. "The security team will have the ability to see how much sensitive information is stored on a laptop. If we know where those repositories are, we can call and tell the user to move the data off their laptop and put it on a shared network drive."

Alerting staff about their dubious use of devices is a good way to reinforce a privacy culture, experts say. Part of the problem is homegrown, some experts say. "The biggest problem health care has is a lack of education and awareness about policies around how data is handled and contained," contends Frank Kenney, a former Gartner security analyst who now serves as vice president, global strategy for data security vendor Ipswitch File Transfer, Lexington, Mass. "You can have a sophisticated system, but then administrators don't log off their machines or you have people who swap credentials. Unless you have a culture of data protection, IT won't matter."

And even then, there are limits to what hospitals can reasonably expect to attain. Even the best technology can only go so far in thwarting devious intentions. Carpenter, Parkland's security director, cautions that an unethical staff person could take sensitive data from an encrypted thumb drive, put it on another drive, and sell it. "Or someone could stare at a screen, memorize the content, and print it out at home," he adds. As Carpenter's boss, CIO Jack Kowitt says, "You cannot program ethics."

Breaches, Breaches Everywhere

Here is a partial list of data breaches involving portable devices that are listed on the HHS Health Information Privacy website. The HITECH Act requires organizations to report instances of breaches of unsecured protected health information affecting 500 or more individuals. Among the organizations below, only Children's Medical Center of Dallas agreed to an interview.

 

Mount Sinai Medical Center, Florida

Affected Individuals: 2,600

Source of Breach: Stolen Laptop

 

Montefiore Medical Center, New York

Affected Individuals: 625

Source of Breach: Stolen Laptop

 

Laboratory Corp. of America/US LABS/Dianon Systems, Washington

Affected Individuals: 2,773

Source of Breach: Stolen Portable Electronic Device

 

Laboratory Corp. of America/Dynacare Northwest, Washington

Affected Individuals: 5,080

Source of Breach: Stolen Laptop

 

John Muir Physician Network, California

Affected Individuals: 5,450

Source of Breach: Stolen Laptop

 

Educators Mutual Insurance Association of Utah

Affected Individuals: 5,700

Source of Breach: Stolen CDs

 

AvMed, Florida

Affected Individuals: 359,000

Source of Breach: Stolen Laptop

 

Kaiser Permanente Medical Care Program, California

Affected Individuals: 15,500

Source of Breach: Stolen Portable Electronic Device

 

Children's Medical Center of Dallas

Affected Individuals: 3,800

Source of Breach: Lost Portable Electronic Device

 

Alaska Dept. of Health and Social Services

Affected Individuals: 501

Source of Breach: Stolen USB Device

Data Security is This CIO's Constant Challenge

For Chuck Christian, CIO at Good Samaritan Hospital, Vincennes, Ind., end-point security is a constant and ongoing challenge. With a variety of technologies and policies in place to safeguard sensitive information that could make its way to devices, the 232-bed hospital has managed to stay off the HHS data breach website so far, in part due to the diligence of Christian and his 25-member IT staff. "You have to re-educate people-tell and tell again. No patient data on a laptop," says Christian, summarizing one key policy. "Period."

Earlier this year, Good Samaritan went well beyond its laptop policies, disabling USB ports across the computers connecting to its network. It was a pre-emptive move to preclude inappropriate data transfers to easily lost devices, Christian explains. Nonetheless, the new policy was not well-received. "It caused consternation," Christian says. Christian fielded a call from a purchasing manager at the hospital who wanted to obtain thumb drives in bulk for the stock room. "I said no," Christian recalls. "These things are so convenient, people could store unencrypted personal health information on them. You can put down a thumb drive and they're gone."

Christian's staff gives alternatives to administrators clamoring for additional digital storage space. An engineering supervisor requested eight large-size thumb drives to store building schematics and piping diagrams, asserting that if he lost the drives, little would be at risk. "I told him it could be a big deal because that is not information everyone should have." Christian created a Microsoft-enabled Sharepoint site on his network for the engineering department; it serves as a semi-private location on the network where files can be stored and accessed by authorized members.

The wound care unit also objected to the closure of the USB ports. They had used the ports to download digital photos to the hospital's EHR. "They weren't conscious they were creating a potential security or breach situation because it was so convenient," Christian recalls. His crew then installed card readers for the cameras. "You have to worry about people inadvertently storing data where they shouldn't."

Good Samaritan is currently evaluating vendors to provide device monitoring across the network, a move which would enable Christian to turn the USB ports back on. As part of the arrangement, Good Samaritan will issue encrypted thumb drives-and configure the network to accept only those corporate-issued drives. "Unless someone uses our device, they cannot download or move data to it," Christian says. "We want to keep Good Sam off the HHS list."

Christian doesn't take success for granted, however. He directed his privacy officer and media relations department to devise a crisis communications plan in case a breach occurs. "You should not put your head in the sand," he says.

This article can also be found at HealthDataManagement.com.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access