October 14, 2011 – For many security-conscious executives, the next big frontier will be health information exchanges. "HIEs are the biggest access and security challenge moving forward," says Bill Spooner, senior vice president and CIO at San Diego-based Sharp Healthcare.
"The usefulness of the HIE will depend on how well we work through it. We want to be absolutely secure in getting patient consent for sharing their information, and at the same time, make sure their information is available."
It's an issue being raised across the country. The University of Pittsburgh Medical Center recently launched a data exchange with several area hospitals. Access to information will be based on having a prior relationship with the patient, says John Houston, vice president privacy and information security. "You want to make sure that not just anyone can query the HIE," he says. "Members will be contractually committed to doing the right thing. But the members will need to enforce appropriate conduct." Technology can only go so far in preserving patients' rights, he says. "The HIE is based on trust."
In addition to data exchanges, the influx of personal portable devices in the health care setting will bring their own set of access challenges.
Providers have been caught off guard by smartphones and other devices, says Noa Bar Yosef, senior security strategist at Imperva, a security software vendor.
"Providers have suddenly woken up to the reality where sophisticated mobile devices are being used as access points to online services and enterprise networks," says Bar Yosef. "The sudden dramatic increase of these devices in the past couple of years left the IT and security departments to scratch their heads and wonder how they lost control of IT. Organizations need to recognize the introduction of these technologies to the workplace, and they need to start planning how to secure the devices and their interaction with the enterprise networks."
The good news, notes Bar Yosef, is that security tools for smartphones are readily available, including anti-malware, encryption and authentication. However, securing the end-device is simply not enough, she contends. "Organizations need to recognize that these devices are accessing the network, which means that even a compromised device might be introduced into the health care organization," Bar Yosef continues. "For example, a malicious mobile app might attempt to download private patient health care data. The hospital can prevent that data from leaving the hospital's cyber perimeters by restricting this type of activity. In another scenario it might be that a malicious app attempts to access data beyond what the user needs to perform her job. In this case, a monitoring device could alert the security team that some abnormal activity is originating from the user's mobile device."
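The two controls described above, a query gate that requires both a prior treatment relationship and patient consent, and a monitor that alerts when a user's device keeps asking for data it is not entitled to, as an added example that is not code from the article or from any organization quoted in it. The clinician ids, patient ids, consent list and the denial threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: prior treatment relationships, keyed by clinician.
TREATMENT_RELATIONSHIPS = {
    "dr_alvarez": {"P1001", "P1002"},
    "dr_chen": {"P1003"},
}
# Constructed sample data: patients who have consented to HIE sharing.
HIE_CONSENT = {"P1001", "P1003"}

# Assumed threshold: this many denied queries from one (user, device) pair
# is treated as abnormal activity and raises an alert for the security team.
DENIAL_ALERT_THRESHOLD = 3


class AccessMonitor:
    """Counts denied queries per (user, device) and records alerts."""

    def __init__(self):
        self.denials = Counter()
        self.alerts = []

    def note_denial(self, user, device, reason):
        key = (user, device)
        self.denials[key] += 1
        if self.denials[key] == DENIAL_ALERT_THRESHOLD:
            self.alerts.append(
                f"abnormal activity: {self.denials[key]} denied queries "
                f"from {user} on {device} (last reason: {reason})"
            )


def handle_query(user, patient, device, monitor):
    """Decide an HIE lookup; returns 'allow' or 'deny: <reason>'.

    The relationship check runs first so a user with no tie to the patient
    learns nothing, not even whether a consent record exists.
    """
    if patient not in TREATMENT_RELATIONSHIPS.get(user, set()):
        reason = "no treatment relationship"
    elif patient not in HIE_CONSENT:
        reason = "no patient consent"
    else:
        return "allow"
    monitor.note_denial(user, device, reason)
    return f"deny: {reason}"


if __name__ == "__main__":
    m = AccessMonitor()
    print(handle_query("dr_alvarez", "P1001", "corp-phone-01", m))
    for pid in ("P1001", "P1002", "P9999"):  # dr_chen has no tie to these
        print(handle_query("dr_chen", pid, "personal-phone", m))
    print(m.alerts)
```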
For now, most providers dictate that patient records may be accessed only through corporate-issued devices. "Policies will only take you so far," observes Steve Porter, CIO at Phoenix-based Touchstone Behavioral Health. "You have to have the ability to monitor, or you will get steamrolled by the fact that devices are coming in." He frets about the "shadow IT department," or tech-savvy amateurs, who can figure out ways to access corporate networks on their own smartphones. Touchstone issues its own smartphones, giving the organization considerable control over security settings. But personal devices are a story that is yet to be written, Porter says. "People would like to carry their own device, but from a security perspective, I am not in a position to do it."
This story originally appeared on Health Data Management.