Your Worst Information Security Threats Are Internal, but You Can Fix Them

What’s the biggest threat to health data security? Not the cloud. Not hackers.

“Your biggest threat to health systems is internal access to records,” said Ken Bradberry, chief technology officer at Xerox Healthcare Provider Solutions.

The real security vulnerabilities are not “in the cloud,” but in the hands of the people using the tech every day, he said.

Proper data management, system design and diligent training can help head off internal vulnerabilities, and protect against most security breaches, he said.

Data Management

“It’s poor data management if you allow 10,000 patient records to sit on the laptop of a doctor, and that laptop gets stolen,” as happened at Stanford over the summer, Bradberry said.

“Make sure you are patched and architected appropriately, make sure you have security measures in place,” Bradberry tells security designers. “Security is a full time job.”

Secure systems need to track which records and case reports are open in which rooms of the hospital, for one thing. Server patching is another area that deserves attention.

Administrators often forget to keep directory services current, that is, to disable or remove accounts that are no longer needed, even though that is a fairly quick fix, he said. Make sure employees who were fired years ago don't still have usernames and access to policies or records; those loose ends may come back to haunt you.
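One way to do that reconciliation on a schedule, as an added example that is not from the article or from Xerox: a Python script that compares a directory export against the HR roster and flags enabled accounts whose owner has been terminated, accounts with no HR owner at all, accounts whose employee id HR does not recognise, and accounts of active staff that have not logged on in 90 days. The sample records, the field names, the 90-day threshold and the privileged group names are constructed assumptions; a real run would read an AD/LDAP export and an HR feed instead.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example; field names are assumptions, not any
# real directory's schema. A real run would read an export from AD/LDAP and HR.
DIRECTORY_EXPORT = [
    {"account": "jsmith", "employee_id": "E100", "enabled": True,
     "last_logon": "2013-09-10T08:12:00Z", "groups": ["EHR-Clinicians"]},
    {"account": "mlee", "employee_id": "E101", "enabled": True,
     "last_logon": "2011-03-02T17:40:00Z", "groups": ["EHR-Clinicians", "Policy-Editors"]},
    {"account": "rpatel", "employee_id": "E102", "enabled": True,
     "last_logon": "2013-09-11T07:05:00Z", "groups": ["Records-Admins"]},
    {"account": "svc-backup", "employee_id": None, "enabled": True,
     "last_logon": "2013-09-11T02:00:00Z", "groups": ["Records-Admins"]},
    {"account": "tnguyen", "employee_id": "E103", "enabled": False,
     "last_logon": "2012-01-15T09:00:00Z", "groups": ["EHR-Clinicians"]},
    {"account": "kdoe", "employee_id": "E200", "enabled": True,
     "last_logon": "2013-09-09T12:00:00Z", "groups": ["EHR-Clinicians"]},
    {"account": "abrown", "employee_id": "E104", "enabled": True,
     "last_logon": "2013-01-05T10:30:00Z", "groups": ["Policy-Editors"]},
]

HR_ROSTER = {
    "E100": {"status": "active"},
    "E101": {"status": "terminated", "termination_date": "2011-03-04"},
    "E102": {"status": "active"},
    "E103": {"status": "terminated", "termination_date": "2012-01-20"},
    "E104": {"status": "active"},
}

AUDIT_DATE = datetime(2013, 9, 12, tzinfo=timezone.utc)  # assumed "today" for the sample
STALE_AFTER = timedelta(days=90)                          # assumed policy threshold
PRIVILEGED_GROUPS = {"Policy-Editors", "Records-Admins"}  # assumed; use local group names


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(directory, roster, now=AUDIT_DATE, stale_after=STALE_AFTER):
    """Return (account, reason, privileged) for every enabled account that should not stay as it is."""
    findings = []
    for entry in directory:
        if not entry["enabled"]:
            continue                      # already disabled; nothing to do
        acct = entry["account"]
        priv = bool(PRIVILEGED_GROUPS & set(entry["groups"]))
        emp = entry["employee_id"]
        if emp is None:
            findings.append((acct, "no HR owner; confirm it is a sanctioned service account", priv))
            continue
        person = roster.get(emp)
        if person is None:
            findings.append((acct, f"employee id {emp} unknown to HR", priv))
            continue
        if person["status"] != "active":
            findings.append((acct, f"owner terminated {person['termination_date']} but account enabled", priv))
            continue
        if now - parse_ts(entry["last_logon"]) > stale_after:
            findings.append((acct, f"no logon in {stale_after.days} days; verify still needed", priv))
    # Privileged findings first: a terminated policy editor is worse than an idle clinician.
    findings.sort(key=lambda f: not f[2])
    return findings


if __name__ == "__main__":
    for acct, reason, priv in audit_accounts(DIRECTORY_EXPORT, HR_ROSTER):
        print(f"{'PRIV ' if priv else '     '}{acct:12} {reason}")
```

The join against HR is the part that matters: a last-logon check alone misses the terminated user whose account is still being used, and a disabled flag alone misses the account that was never disabled.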

“Health IT systems operators have to be vigilant about architecture and policy. Without that combination you are opening up deliberate or accidental access to health information.”

Training

“All malicious threats aside, most hospitals or IT departments are their own worst enemy because they lack the discipline it takes to ensure continuous protection of their patients’ health information,” he said.  “You have to have a level of discipline that is unwavering.”

Unwavering discipline comes from rigorous training. Clinical staff, like nurses and doctors, need to know not just how to enter data into an EHR, but how to use applications and adhere to policy in the most appropriate way.

“A well educated clinical team is critical to adoption and efficient use of applications,” he said.

To elaborate, he offered an anecdote: When his wife was recently in the hospital, her doctor (“a great guy”) left the hospital room with the census list still open on his Epic EHR workstation.

“He didn’t know I knew about this kind of stuff, but I could have walked up and selected any patient I wanted and accessed all of their records,” Bradberry said.

Design

Training is not the only way to close that gap, though.

“The physician should not have to click and close every window,” Bradberry said.

When designers take clinical workflow into account, they can build systems that are secure by default and still easier for the provider to use.

“Follow-me” desktop capabilities track where the doctor is, carrying his session from patient to patient and from workstation to workstation, and automatically locking or logging out the workstation he just left when appropriate.
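To make the follow-me idea concrete, here is an added example (not code from the article, from Epic or from Xerox) that models the anecdote above in Python: each clinician has one desktop session, a badge tap moves it to the workstation in front of them and locks the one they left, a badge tap by someone else locks whatever was on that screen, and an inactivity timer locks the rest. The workstation names, user names, the 120-second idle threshold and the badge-in calls are all assumptions made for the example.

```python
from dataclasses import dataclass

IDLE_LOCK_SECONDS = 120  # assumed policy value; real sites tune this per unit


@dataclass
class Session:
    user: str
    workstation: str
    last_activity: float
    locked: bool = False


class RoamingDesktop:
    """Toy follow-me desktop: each clinician has one desktop session, shown unlocked
    on at most one workstation at a time. Moving to another workstation locks the
    previous one, and idle sessions are locked by tick()."""

    def __init__(self):
        self.sessions = {}   # user -> Session
        self.screens = {}    # workstation -> user whose desktop is unlocked there

    def badge_in(self, user, workstation, now):
        """Badge tap (or other proof of presence) at a workstation."""
        # Whatever is unlocked on this screen belongs to someone else: lock it first,
        # so the new user never sees another clinician's census list.
        self._lock_workstation(workstation)
        sess = self.sessions.get(user)
        if sess is None:
            sess = self.sessions[user] = Session(user, workstation, now)
        else:
            # Roaming: the desktop leaves the old workstation, which locks immediately.
            self._lock_workstation(sess.workstation)
            sess.workstation = workstation
        sess.locked = False
        sess.last_activity = now
        self.screens[workstation] = user
        return sess

    def activity(self, user, now):
        """Keyboard or mouse activity; a locked session does not unlock without a badge."""
        sess = self.sessions[user]
        if not sess.locked:
            sess.last_activity = now

    def tick(self, now):
        """Lock every unlocked desktop idle for IDLE_LOCK_SECONDS or more; return who was locked."""
        locked = []
        for sess in self.sessions.values():
            if not sess.locked and now - sess.last_activity >= IDLE_LOCK_SECONDS:
                self._lock_workstation(sess.workstation)
                locked.append(sess.user)
        return locked

    def visible_user(self, workstation):
        """Whose desktop is on this screen right now (None means locked or blank)."""
        return self.screens.get(workstation)

    def _lock_workstation(self, workstation):
        user = self.screens.pop(workstation, None)
        if user is not None:
            self.sessions[user].locked = True


def scenario():
    """Walk through the anecdote: a physician leaves a room with the census list open."""
    d = RoamingDesktop()
    out = {}
    d.badge_in("dr_lee", "ws-room-101", now=0)
    out["room101_after_badge"] = d.visible_user("ws-room-101")   # dr_lee's desktop is up
    d.activity("dr_lee", now=30)
    # He walks out without closing anything and badges in next door.
    d.badge_in("dr_lee", "ws-room-102", now=60)
    out["room101_after_roam"] = d.visible_user("ws-room-101")    # None: screen is locked
    out["room102_after_roam"] = d.visible_user("ws-room-102")    # dr_lee, same session
    # A nurse takes over the first workstation; she sees her own desktop, not his.
    d.badge_in("nurse_kim", "ws-room-101", now=70)
    out["room101_nurse"] = d.visible_user("ws-room-101")
    out["locked_at_100"] = d.tick(now=100)                        # nobody idle long enough yet
    d.activity("nurse_kim", now=150)
    out["locked_at_200"] = d.tick(now=200)                        # dr_lee idle since 60: locked
    out["room102_after_timeout"] = d.visible_user("ws-room-102")  # None
    d.activity("dr_lee", now=210)                                 # typing alone does not unlock
    out["room102_after_typing"] = d.visible_user("ws-room-102")   # still None
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:24} {value!r}")
```

The security property the model enforces is that a clinician's session is unlocked on at most one screen, and that the only way to unlock it is a fresh proof of presence; closing windows by hand is never required, which is the point Bradberry makes next.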

Effective security systems use single sign-on, so one set of credentials opens multiple applications. Others add multifactor authentication, which combines a password with a physical token or a biometric check. Done well, these controls add little friction for the provider.

“Technology is critical for empowering physicians to enhance patient care and services,” he said. “It keeps them more focused on the point of care, they shouldn’t have to arbitrate with technology all the time.”

Connection to Clinical Workflow

Truly understanding how providers interact with technology helps designers streamline the experience for providers.

“It’s not just the technology, it’s the intelligent application of the technologies that enhance the clinical experience,” Bradberry said.

For designers, Bradberry recommends working closely with physicians in hospitals to understand where certain applications make sense and how they can be integrated into workflows with the least disruption.

He recommends three tips to adopt secure technology:

  • Take lots of lead-time before choosing an application to adopt.
  • Don’t try to go it alone – partner with a trusted advisor.
  • Go for technologies with a proven track record.

“It’s interesting and fun to go with whiz-bang tech that rolls up on an iPhone, but if it has no track record, you can’t trust it as much,” he said. The longer a product has been on the market, the more opportunities hackers have had to try to compromise it, and the more time designers have been able to respond to attacks.

A Final Word of Caution

The above tips apply to IT professionals, but what of the patient?

Too much caution about securing health data has its own drawbacks. Statistically, breaches will happen even with perfect vigilance on the provider's part.

According to entrepreneur and author Faisal Hoque, “Your digital identity is already out there.”

Even browsing the table lamp selection on Amazon.com plays into your digital identity, as do airline ticket purchases, billing addresses and lunch preferences.

“There is far more private information out there already than just your medical information,” he said.

Crippling concern for privacy of personal health information is one of the things holding the healthcare industry back from evolving and advancing as a business, he said. Other industries have embraced digitization much faster, which came at the price of reduced privacy, but it was a price we were willing to pay. We will need to pay the same price in the healthcare industry, he said.

One Response to “Your Worst Information Security Threats Are Internal, but You Can Fix Them”

Vipul Karkar

The best option to secure the data is by making the operator aware of the criticality of the data.