When the North Carolina Cancer Hospital (NCCH) opened its doors in August 2009, Michael Young was keenly aware that the protection of patient information was going to be an ongoing task.
Young, director of telemedicine at the Lineberger Comprehensive Cancer Center, the research arm of NCCH, each housed on the south end of the campus of the University of North Carolina at Chapel Hill, was instrumental in developing a high-definition video-conferencing system for the facility. Using primarily a Tandberg video-conferencing setup transmitted over IP, the system connects virtual rooms among the multidisciplinary groups at NCCH and other facilities for consultation and education purposes.
But while the technology succeeded in connecting the various units, Young's next challenge was meeting federal compliance requirements. This meant figuring out how to move data from the brand new, 315,000-square-foot, $180 million, state-of-the-art facility while making sure patient information is stripped out. This was achieved using Video Control System (VCS), a technology solution that keeps the video secure. Video data comes in before a firewall, where a series of functions encrypts the file. Using Covescent, a secure web application that allows a remote site to be put on a web portal, the file is then directed to the security team who opens the record and make sure it contains no personally identifiable information (PII). It is then passed on to a team of doctors who review and discuss the medical condition and treatment options of a patient.
"We have a secure PACS [picture and archiving communications server]," says Young (left). This sends data via a Digital Imaging and Communications in Medicine (DICOM) standard – a secure jpeg file with information about the patient in headers – without touching electronic medical records (EMR) at the site or hospital.
“These high-definition video-conferencing capabilities allow teams of UNC specialists from various disciplines to talk with physicians across the state in real time, so that we can collaborate with them to develop the best, individualized treatment plans for each patient – an approach that has been shown to improve patient care,” says Richard Goldberg, NCCH's physician-in-chief, as well as chief of the division of hematology and oncology at UNC-Chapel Hill School of Medicine.
In addition to the videoconferencing capabilities, the hospital also uses a password-protected, electronic medical records (EMR) system, says Goldberg (right). The EMR does practice management and lets people tie records together. It ensures that only credentialed users are accessing the system via a secure VPN connection. It can prove challenging for some to use, but Goldberg says he has found it helpful.
"While adapting to UNC's homegrown EMR, known as WEBCIS, can involve a learning curve for new physicians and staff, I personally find that it is very useful in interactions with patients and for sharing patient information among the medical teams involved in their care," Goldberg says. "For example, at NCCH, we have the EMR terminals in the room. This allows me to call up a patient's scans and discuss them with the patient and family right there in the room.
Further, all laptops, flash drives and mobile computing devices are required to be password-protected and encrypted, says Goldberg, who formerly served as professor of oncology at the Mayo Clinic in Rochester, Minn. "UNC Health Care is continually upgrading encryption software to meet the changing industry parameters and distributes it enterprise-wide to those who need to use them. Clearly there is a need for constant vigilance to ensure the security of patient records."
In addition to the technology solutions, hospitals are required to adhere to strict policies to ensure the safety of patient records. Being that NCCH (left) – one of very few facilities designated comprehensive by the National Cancer Institute – is part of the UNC Health Care System, it has enterprise-wide policies, procedures, practices and technology to protect patient privacy and confidential information and comply with all applicable state and federal law, says Goldberg. "We simply imported these policies and procedure when we occupied the new building."
These rules, he adds, are on the minds of the hospital's patient care personnel and are an integral part of their practice every day. "All UNC Health Care employees are trained annually to refresh their knowledge of the laws and update them on any changes to them. Protection of patient privacy and confidentiality is and has been an integral aspect of professional practice for our physicians and these regulations, in many cases, simply formalize or make more explicit principles and practices that we have followed for years."
ChallengesBut the migration to electronic medical records (EMR) comes with challenges. Once a health care organization moves to EMR, securing access to that data takes on a new level of complexity and importance, says Kristi Roose (left), information technology director of Mahaska Health Partnership (MHP), a 25-bed critical access hospital with a versatile medical campus located in Oskaloosa, Iowa. Sometimes though, the measures of protection that are applied in order to secure data end up hindering productivity and in lean times, producing waste, she says.
"Through the use of technology, we've removed this perceived waste produced by securing un-integrated systems, giving our clinicians value." At MHP, she says, this equates to more time for doctors, nurses and support staff to care for patients.
Strict security policies are enforced at MHP (right), says Roose. The increase in the number of applications its clinicians came to rely on meant an increase in the number of complex, randomly changing passwords that they needed to remember, which became challenging. "When we moved our data to electronic records, the average number of passwords per user rose from approximately four to approximately eight. Then, when the HITECH Act was passed in early 2009, giving real teeth to HIPAA, we decided it was time to reevaluate our existing policies pertaining to how our data was protected, and put new and revised policies in place to tighten security in this electronic world - without producing waste."
At that point MHP added another layer, and, in some cases, two layers of security. Often, complex passwords can actually create a security risk, tempting users to share or write down passwords that are too difficult to remember, she says. Of course, this behavior would be a serious HIPAA violation. After reviewing its options, MHP implemented a combination of complex passwords along with single sign-on (SSO), so that the number of passwords its care givers needed to remember was significantly reduced.
"We combined passwords with finger biometrics for two-factor authentication – and convenience for our providers," she says. "For secure remote access we deployed one-time password (OTP) tokens. Our goal was to meet stringent security requirements and HIPAA regulations by implementing technology that would protect data without negatively impacting workflows or reducing time spent caring for patients."
By deploying SSO and strong authentication, MHP was able to secure its virtual and traditional computing environments. With the technology, the facility streamlined clinician access to patient data, both within the facility and from remote locations, while effectively addressing key mandates introduced in the HIPAA and HITECH Acts.
Today, all of Mahaska Hospital's clinicians – employees and non-employees – use SSO with strong authentication to simplify and secure access to patient data in more than 30 applications. There is no need to write down or share passwords and the system handles password changes and role-based policy settings behind the scenes. This approach enables clinicians to chart securely from any location, says Roose. For example, a nurse can swipe a fingerprint to authenticate at a workstation in the hall, access a patient's chart, then log off. When they use a fingerprint to authenticate in that patient's room, the nurse's last session will be presented.
"When they are at home, our physicians use their OTP tokens to authenticate to MHP's system," says Roose. "When it comes to compliance auditing, we can simply run reports on which users have accessed what patient data, from where, and when."
MHP relies on Healthland for EMR and uses a combination of Imprivata OneSign for SSO and authentication management, UPEK biometric scanners and RSA tokens for secure remote access. Roose says they use these technologies in traditional and virtual desktop environments to allow secure access to patient data as clinicians roam throughout its health care system. The biometric readers support most virtual desktops and all virtual HP laptops located in MHP's inpatient unit. Biometric support is also available on all computers on wheels (COWs) located in the facility's operating rooms (ORs) and geriatric psych unit.
"By moving to electronic records, and deploying SSO and strong authentication, we have reduced the security burden for the care givers, allowing them to focus more time on their patients," says Roose.
Another facility making use of Imprivata technology is Parkview Adventist Medical Center (left), located in Brunswick, Maine, which is about 25 miles north of Portland. Affiliated with the Seventh-day Adventist Church, Parkview, a 55-bed acute care hospital with more than 350 clinicians, was founded by three Adventist doctors and is one of about 70 acute care Adventist hospitals in the United States and one of approximately 200 worldwide.
"For years, Parkview had taken a best-of-breed approach with interfaces to health care information systems, deploying a variety of niche solutions for everything from admissions to radiology," says Bill McQuaid, assistant vice president and chief information officer at the facility. "Besides making IT management increasingly complex, this approach also led to discontent among the hospital's 350 clinicians, who complained about the need to constantly sign in and out of critical applications."
McQuaid (right) explains that because of the cumbersome login/logout process, clinicians were not particularly interested in new applications. Their general annoyance with accessing data and frustration with passwords made the chances of convincing them to buy into an advanced clinical application very slim, and he and his IT staff of seven knew they needed them on-board to move to full electronic medical records (EMR). The Computer Physician Order Entry (CPOE), which requires doctors to do their own ordering using a computer, was a particular bone of contention as well, he says.
Further complicating matters, he adds, strict regulations, like HIPAA, were put in place to protect patient information. "Under these regulations, we were challenged to protect patient information." What his team desired, was to provide clinical staff the ability to walk up to any workstation and securely log into the network and access patient data. "Our staff needed real-time access to applications and information that would enable them to provide timely, high-quality care and service to patients, and we needed an IT solution that could meet both regulatory and patient care needs," he says.
The American Recovery and Reinvestment Act of 2009 (ARRA) provides financial incentives to help physicians make the move to electronic health records and cloud computing, but at the same time requires an evolution to
uniform electronic standards to enable disparate systems to communicate with each other. Though Parkview had begun moving from paper records to electronic records long before this directive, McQuaid says that today with the mandate for meaningful use tied to funding or fines, it is not just important to the business of health care organizations, it is a critical requirement.
"And for us, moving all our data to electronic format meant that we needed to simplify and secure the process of accessing that data," says McQuaid. "Making access easy for physicians, without compromising the security of the patient data, was key to our move to EMR."
To address this concern, Parkview leveraged Imprivata's OneSign solution to streamline access and improve workflow through the use of single sign-on and finger biometric readers. This not only increased productivity and improved satisfaction among clinicians, he says, but it also ensured that only properly credentialed users can access sensitive information.
Adding an extra level of strong authentication meant that clinical staff now have the ability to walk up to any workstation and securely log into the network, providing quick and secure access to the data they need to perform their daily tasks, says McQuaid. "Now, when a Parkview employee steps away from a computer, the screen is automatically wiped clean after three seconds, which helps us meet HIPAA privacy regulations.
The single sign-on and finger biometrics implementation was also a critical component to achieving HIMSS Analytics Stage 6 Adoption Status for Electronic Medical Records, a feat only 69 of the 5,166 hospitals in North America have accomplished, he adds.
"Health care is a highly-complex world that is always changing, with government mandates, including HIPAA and HITECH, and as such, we have to keep up with this rapid pace," says David Ting, founder and CTO of Imprivata. "This is an industry that runs 24/7, and understanding this we have to make sure that our technologies are developed to be tightly-aligned with real-world clinician workflows under these conditions."
He says Imprivata strongly believe that technology plays a critical role in achieving improved patient outcomes. "Doctors and nurses often require near-instant access to patient information to do their jobs – increasingly fast EMR access. Imprivata OneSign makes sure that these caregivers have simplified and secure access to applications they rely on each day, at the same time, enforcing patient privacy rights and deploying transparent security to comply with stringent breach prevention mandates."
Staying ahead of cybercriminals
We're constantly trying to stay ahead of new and emerging electronic threats, says Tom Franciosi (left), CIO at Covenant Dove LLC, a Bartlett, Tenn.-based nursing home provider that has 37 locations in 11 different states. "The health care market has a huge target on its back and attacks from cybercriminals happen all too often.
Covenant Dove uses TriGeo Network Security's Security Information Management (SIM) to monitor all the security events happening on its network. "As our business expands to new locations and new lines of business, our security needs will change and our monitoring will expand significantly," says Franciosi. The trick, he says, is to evolve faster than the threats in the wild. The solution, "to implement proactive security technology that actively protects the company and its stakeholders."
Maintaining its recovery center is another challenge for Franciosi. "While it's not required under HIPAA (yet) to have a hot recovery center, we've decided that it is critical to our operations and currently have the framework for one in place." The goal is to have running replicas of every system in the production datacenter running hot in the facility's remote recovery center. To achieve this, Covenant Dove has a project slated to use products from VMware, EMC, Double-Take.
Wait a minute
But not all physicians are as enthusiastic about the imposition of federal regulations introduced recently. Tony Scialli, a clinical professor of obstetrics and gynecology at a major hospital in Washington, D.C., says HIPAA, a federal law which requires health care facilities protect the privacy of individual's health information, is a “major pain” as it makes communicating with patients using email problematic by requiring that “appropriate security procedures are established.”
"Doctors in practice are usually frantically busy and time for communication with patients is limited. Patient communication is important, but HIPAA imposes barriers that make this communication more difficult," he says.
Plus, Scialli points out that obstacles arise when technology systems are not interlinked. "We use Allscripts for outpatient records and a Siemens' product for inpatient records. There is something different for accessing lab results and radiology results in the hospital. Too many systems and no cross-talk between them."
The outpatient electronic record system used at his hospital has many advantages, he says, but also important disadvantages, including slowness in loading and little ability to open multiple documents at the same time. It also requires access through Citrix from off-campus locations.
"Electronic records are clearly the way to go, but substantial funding is needed to upgrade systems and make them compatible with one another. Compatibility between institutions is nil. When we need to send records to another hospital, we print them out and fax them. So 1990s!," he says.
The human factor
As the move to EMR rolls out, it will become increasingly important for organizations to understand that the IT department cannot solve all security problems, says Brian Lapidus (right), chief operating officer for Kroll Fraud Solutions, a New York City-based company that provides security services and risk mitigation counseling. He points out that though securing data through technology is important, organizations must recognize the presence of human error, or malicious employees, as problems that cannot be solved through technology alone.
"A dependency on technology to 'stop' a security breach promotes the dangerous (and often costly) assumption that a breach is preventable and that technology is the key to compliance. In fact, when organizations do experience a breach, training and awareness programs lead organizations' efforts to minimize the risk of future breaches.
But other experts advocate for more reliance on technology as a way to reduce human error.
"Certainly people are an important component of the solution and more emphasis needs to be placed on education for the workforce, and when I say workforce I do not mean just employees," says Mac McMillan, CEO of Austin, Texas-based IT security consulting firm CynergisTek. "Education though is not enough and needs to be augmented by appropriate controls, which are still missing in many health care institutions. Hospitals are dynamic places and by definition generally busy. This lends itself to an environment where mistakes can be made and where inadvertent exposure of data is possible."
For this reason, he says, hospitals need the necessary controls in their systems that enable operations while at the same time enforcing protections preferably without the workforce having to consciously do something. "What we are talking about here is putting the controls, security measures/rules, around the data itself instead of relying so heavily on the workforce and endpoint security controls."
Technology solutions do work if deployed properly and supported, says McMillan (left). "There is fragmentation and it does contribute to the difficulty of certain controls being optimally effective, but generally it is not the fragmentation that gets in the way, it is the lack of security technology. ISOs still struggle with getting support for security technologies. There are some really great examples of technologies that work and provide enormous benefit to hospital ISOs. Many are beginning to appreciate the power of data loss protection solutions, for instance, in assisting them identifying where protected health information is within their enterprise and enforcing rules regarding things like where that data can be sent, whether someone has permission to copy or download it, or even to what devices it can be downloaded to."
When asked who he believes needs to take charge of the security of patient data at health care facilities, McMillan points to those who are ultimately responsible for the risk: the CEO and the board. "Security is and always has been a top-down priority. If leadership makes it a priority and backs it up with action and accountability, then organizations tend to follow. Unfortunately this is still not the case across the board in health care. My experience is those organizations with support at the top, with established governance bodies and reporting, tend to have the best information security programs.
Mahaska's Roose believes that who should be in charge of patient data depends on the size and the nature of the health care organization. "In a hospital our size (25-bed critical access hospital), securing our patients' information is everyone's responsibility. It's extremely important all employees are acutely aware of the importance of data security, the potential impact on patient care and safety when data is not secured, and the ramifications of a potential breach. Continual employee awareness through internal education campaigns, signage, electronic reminders and open discussions are all important components of maintaining the security of patient data at our organization. It is important as an IT department, specifically, to make the tools and technology available for all staff to meet their data protection responsibilities."
Setting security policies, deploying technologies that protect data without constraining workflows, enabling secure access to data – from anywhere – and auditing/reporting on user access to data all fall into the realm of the IT department, she points out. "Once a health care organization moves to electronic medical records (EMR), as we have done at Mahaska Health Partnership (MHP), securing access to that data takes on a new level of complexity and importance. Sometimes, though, the measures of protection that are applied in order to secure data end up hindering productivity and in lean times, producing waste. Through the use of technology, we've removed this perceived waste produced by securing un-integrated systems, giving our clinicians value. At MHP, this equates to more time for our doctors, nurses and support staff to care for patients."
There is still a lot of confusion as to exactly what the government wants, meaning what exactly is the minimal requirement to meet compliance with c, and unfortunately that will probably prevail, says CynergisTek's McMillan. "Health care organizations, though, have many other regulatory requirements that apply to them now – from PCI to Red Flags to state breach laws, and more."
What all of this adds up to, he says, is the need for an information security program and set of controls that addresses the basics of data protection within an established security framework. "There is another kind of fragmentation that undermines security and that is the piecemeal procurement and implementation of security technologies without consideration for the endgame, which ought to be heightened awareness and control across the enterprise. Planning properly and using a recognized framework to guide development of their program, as well as selection of the right controls, will serve them well and make compliance a side benefit to data security, as it should be."