Urgent care: Safeguarding data at health care providers


Our most difficult challenge

In fact, health care IT has already undergone significant change. Perhaps the most rapid and challenging, as well as beneficial, has been the explosion of mobile device use.

“A year ago, health care companies were talking about the potential use of mobile,” says Berger, commenting on the speed with which it's taken hold, “and now smartphones are everywhere.”

But Delano of INTEGRIS Health warns that the move to mobility is an anxiety producer for those charged with keeping data secure. “Security is hard enough as it is. Now having to extend the reach of that data becomes this whole new challenge.” Before the advent of mobile and cloud, health care companies focused on building up a perimeter defense around the centralized information assets, he says. With mobile devices, the data is moving and the same security approaches don't hold water.

Providing security for a mobile network can be particularly challenging when hospital staff – or physicians who have access to the facility, but are not hospital employees – bring in their own devices. Delano says INTEGRIS still tries to “centralize as much as we can,” but he admits its hospitals have struggled with care providers toting their own devices to access the network. 

“In our organization, the majority of our physicians are not employed by our system,” he says. They use the facilities and refer patients there, and it is difficult to stop physicians who simply want to check a patient's EHR or bill from their iPhone while doing their regular hospital rounds. 

As a result, INTEGRIS established both a guest network for patients to access the internet and a separate affiliates' network for doctors to reach patient and hospital system data. Delano says his team is continually assessing the risk, as more and more care providers make use of tablets, laptops and smartphones. 

“At the same time, there's not a good way to really secure those,” he says. “How can we make sure that everyone using smartphones [to access the network] has downloaded the right patches? What keeps them from going to a malicious site and [getting a virus] once they're connected to the cell network?”

Nonetheless, given the rising tide of mobile, 81 percent of health care organizations are permitting doctors to use their own devices, according to Kam's research. Unfortunately, he also found that more than half of these organizations (51 percent) are doing nothing to secure these devices. Kam believes this will change as HHS' Office for Civil Rights continues to invoke penalties for companies that willfully neglect information security. 

The potential fallout from stolen electronic health records, says CDT's McGraw, is likely to be even worse than if hackers were to get a hold of financial records. “The level of sensitivity of the data is much higher,” she says. “If people get their money stolen, it can be put back and at the end of the day you will be made whole again. When health data becomes public and falls into the hands of an employer or a marketer, that has serious repercussions.” 

The prospect of compromised electronic health records is troubling enough, but the ability to hack medical equipment makes the risk even greater, says Peter McLaughlin, senior counsel for Foley & Lardner LLP and the former CPO for Cardinal Health. Sitting in as co-chair of the American Bar Association's Security Committee discussion the weekend before February's RSA Conference, McLaughlin says one of the hot topics of discussion was the potential insecurity of medical devices, like insulin pumps or pacemakers, which could be hacked remotely. “We've seen technology researchers demonstrate, in a white hat fashion, that these things are not secure at all,” he says. 

And breaches are happening: 94 percent of health care companies reported a breach within the past two years, and 45 percent say that they have suffered five or more breaches in the same period, according to research from the Ponemon Institute and ID Experts. “Health care companies are becoming more aware of what a breach is, and there are a whole host of new threats coming into play with mobile computing,” says Rick Kam, president and co-founder of ID Experts, a breach solutions company. “You don't need a truck anymore to walk away with a doctor's office full of records, just a thumb drive.”
