Healthy Data Security

In the fourth century B.C., the father of medicine, Hippocrates, was well known for having asked doctors to swear to do no harm. It is less well known, however, that he also wrote in his famous oath about the importance of keeping medical information private. He asked doctors to make this declaration: “All that may come to my knowledge…which ought not to be spread abroad, I will keep secret and will never reveal.”

Healthcare data today remains sacrosanct. Numerous laws protect it. But ensuring that the information stays between patients and relevant healthcare providers has become considerably more complex.

Mobile devices such as laptops and smart phones can greatly improve patient/caregiver communication, reduce costs, and improve overall healthcare. They can simultaneously put data at significant risk, however. The main concern is that these portable devices are easily lost or stolen, which could result in the data on them falling into the wrong hands. A full 51 percent of healthcare breaches from 2000 to 2007, in fact, stemmed from theft—primarily of laptops, according to a study by Perimeter eSecurity, a Milford, Connecticut-based security-as-a-service firm.

No other industry pays a greater price for a data breach than healthcare, according to research by the Ponemon Institute. Its most recent annual U.S. Cost of a Data Breach Study found that the average cost of a compromised record for business at large was $202, while for the healthcare industry, the average cost incurred was $282 per compromised customer record. The study looked at 43 organizations across 17 industries.

The biggest cost associated with any business data breach was the resulting loss in customers, according to Ponemon. This rate was highest in healthcare, which often stores highly valuable customer data. In 2008, healthcare had an average customer churn rate of 6.5 percent, compared to an average industry rate of 3.6 percent.

But financial damage is just part of the price. “A hit like a data breach in the media would be the last thing we need,” says Michael Landsittel, IT director at the Visiting Nurse Association of Northern New Jersey (VNANNJ).

Another consideration for healthcare providers is the cost of heavy fines for noncompliance with privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). Last July, for example, Seattle-based Providence Health & Services was the subject of penalties levied by the U.S. Department of Health and Human Services, which enforces HIPAA.

The hospital system had been audited after reports in 2005 and 2006 that lost or stolen laptops and storage media contained 386,000 unencrypted patient records. Sanctions included $100,000 in fines and a requirement that the hospital beef up its portable device protection.

But more important than cost is the issue of trust. When patients worry about the privacy of their data, it damages the whole healthcare system, says Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, a nonprofit in Austin, Texas. In her field, psychology, Peel estimates that about a third of patients pay for services in cash out of privacy concerns. Leaked healthcare data can haunt patients for years, she says. “It’s like the Paris Hilton sex video. You can’t make it private again.”

Some technology companies are creating cutting-edge solutions that can help keep mobile healthcare data private. For example, one device from Paris-based Alcatel-Lucent can remotely lock stolen or lost laptops. It can also ensure that devices are encrypted at all times, among other features. Another solution, from CSL Behring, based in King of Prussia, Pennsylvania, is an Internet-based system that helps hemophilia patients manage the disease with a smart phone by including healthcare record protection, among other security measures. Following are highlights of how two healthcare providers have implemented these solutions.

Always-on Security

The mission of the 100-year-old nonprofit VNANNJ is to provide caregivers to the elderly and persons with ailments ranging from terminal cancer to birth defects. The laptops the staff take into the field hold critical data, such as Social Security numbers, medical histories, progress notes, care plans, and financial/insurance information.

A few years ago, IT Director Landsittel began looking for a new laptop security solution. One of the possible solutions that Landsittel explored was a Global Positioning System (GPS) that would track the devices. He also looked at USB-based solutions that would authenticate nurses and encrypt data. Merely tracking devices with GPS didn’t seem sufficient, he says. He also worried that the USB devices could easily be misplaced.

As he was doing this research, Landsittel became aware of Alcatel-Lucent, which described its OmniAccess 3500 Nonstop Laptop Guardian.

Alcatel employs “computer on a card” technology; cards inserted into laptop card slots have their own battery, memory, processor, operating system, and software. The laptops don’t work without the card, so a thief cannot circumvent the security simply by removing the card.

Working off their own battery power, the cards can receive information from IT managers even when the laptop is switched off. That way, IT managers can see whether security features are properly configured.

Cards automatically encrypt all of the information on the laptop. IT can remotely disable the encryption/decryption keys to further secure the data.

The solution also includes device-tracking GPS, which can locate lost and missing laptops as well as improve nurses’ safety by making it possible to track their location when they have the laptop.

Set up. The solution took almost 18 months to roll out. But this was mainly because the company phased in the purchase of new laptops for its nurses, which it needed to do anyway.

Installation began with setting up a dedicated server. This took most of one day, says Landsittel. It mainly consisted of configuring the server to work with VNANNJ’s network and firewall.

Pilot and rollout. Before general rollout and training, VNANNJ conducted a pilot, which involved a small group of clinicians using the product in real-world settings. Coverage was also tested. Participating nurses were given a dedicated phone line that would give them access to IT help 24 hours a day, seven days a week, says Landsittel.

Almost all the product’s features were tested during piloting, he says. Not all have been put to use during actual implementation, however. There’s a fine line between securing laptops and making them user-friendly, he says.

When it came time for implementation, each nurse was given about 30 minutes of training, consisting mainly of going over some possible troubleshooting events. Users were shown some of the icons they might need to click on and some of the screens they might need to access.

One system advantage is that it’s been easier for IT staff to troubleshoot laptop problems for the nurses in the field, because IT managers can view laptop data, such as virtual private network (VPN) connectivity and available applications, from a central Alcatel interface. Previously, Landsittel needed to look at several screens, and during troubleshooting, he often had to phone nurses back at a later time.

Thanks partly to the cards’ always-on 3G wireless data connectivity, nurses now have the advantage of automatic VPN logon when the machine boots. When they used a traditional wireless signal, they would have to go through several steps to access the firm’s secure network. Landsittel calls the 3G connectivity throughout VNANNJ’s service area “very good.”

The machines also synchronize data better with a database of medical information located at the company. In the past, synchronization occurred only a few times a week at best. Nurses sometimes had to bring the laptop back to the office to establish a connection, says Landsittel. The updated data helps the nurses provide better care because they can access the most recent data. Patch management is also easier with the constant connection.

The company did a thorough cost analysis before implementation. Switching to the 3G cards cost about $10 more a month, but the reduced labor for both nurses and IT staff more than compensates, Landsittel says. The real value, of course, is in the security improvement itself, he notes.

Healthcare Calling

For a number of years, CSL Behring had produced a hemophilia drug, Helixate FS. A few years ago, it wanted to find a way to help patients better manage the disease and improve communication with healthcare providers between office visits.

The solution became the HeliTrax Internet-based data management system. One main feature is a smart phone, which lets patients snap photos of bleed events and send communications and information about Helixate FS use to a dedicated HeliTrax server. It also prints out concise reports for healthcare providers.

The company wanted to make sure that the system was “unhackable,” according to Jill Leon, a nurse and a product development consultant. To help fortify the system, CSL Behring turned to McLean, Virginia-based Trust Digital, which helps companies manage and secure smart phones and PDAs. The Trust Digital software client can include a range of security features.

CSL Behring wanted higher security partly to appeal to patients and partly to ensure that it would comply with regulatory requirements in both the United States and Canada. While U.S. companies face HIPAA, Canada’s Personal Information Protection and Electronic Documents Act is considered stricter by many.

CSL contracted with Mobile Data Force, of Boise, Idaho, to set up the HeliTrax system in hospitals and to show caregivers how to securely access patient information online.

Fortified phone. The security of the HeliTrax phone, which is an AT&T Tilt model 8525, starts with user authentication with a personal identification number (PIN). The device can be programmed to lock after standing idle for a specified period of time. To access any HeliTrax-related information, a second PIN is required.

Many of the phone’s specifications can be uniquely configured by a HeliTrax administrator. Basic system patient data, including pictures taken of a bleed event as well as a calendar of medication given, are automatically encrypted. But users can choose to encrypt additional applications, such as Microsoft Word or Notepad. Device data passes over a Secure Sockets Layer connection to the server in the healthcare clinic or hospital.

Four levels of encryption are available: Advanced Encryption Standard (AES) 128, 196, or 256, as well as Triple DES. AES 128 is generally the minimum needed for HIPAA compliance.

That could be sufficient. “It’s never been hacked,” says Mike Freeman, president of Mobile Data Force, which is involved in several pilot programs using smart phones to help patients manage AIDS in Africa.

HeliTrax administrators have the option of application blacklisting—prohibiting certain applications (such as browsers) and Web sites from running on their phones. Trust Digital has also added a patent-pending feature called Trusted Application. This architecture is designed to prevent malware from accessing protected data. Applications must be in a trusted application list to open files.

Restrictions can also be placed on features such as removable media, WiFi, Bluetooth, infrared (IR), and Short Message Service (SMS). The device includes a firewall. A locking feature on the phone can also prevent applications from being removed or transferred to removable media.

By telephone or through a secure Web portal, users can report a lost device and remotely delete its contents. Data deletion policies can be set based on device inactivity and the number of failed password attempts.

Added benefits. Only the physician who refers a patient to HeliTrax has access to records. After that, any other healthcare provider, except in emergencies, must have an electronic signature from the patient or guardian.

That’s considerably more secure than most electronic health records, says Leone. In many hospitals, a broad range of workers can frequently access a patient’s electronic records.

CSL Behring also has no access to patient data, which is stored in Boise in a Mobile Data Systems server. Such data separation isn’t typical.

“The trouble with many product vendors is that they feel they own the [healthcare] data,” says Peel, who notes that the resulting risk in those cases is that vendors might try to resell the information, which can be valuable to various types of organizations ranging from insurance companies to research centers to marketing firms.

The electronic forms save caregivers considerable time, says Shirley Smith, of Harriman, Tennessee. She’s been using the system to manage her 10-year-old son Tyler’s hemophilia since late 2007. Before HeliTrax, she would record bleeding event and medication dosage information on paper. Doctors would have to sift through the logs to find data. Now it can be accessed with just a few keyboard clicks.

The technology could also be used to treat many other diseases, says Dan Dearing, vice president of marketing at Trust Digital. Similar systems are in place, in relatively small numbers, to treat problems such as birth defects, heart ailments, and other conditions that require continuous at-home treatment.

CSL doesn’t have any hard estimates on how much money HeliTrax can save hospitals and insurance companies. The company, hoping to promote the product, is still footing most of its costs.

For end users, the benefits tally up not in dollars but in terms of more freedom. HeliTrax has made it possible for some patients to attend summer camp, for example, and still accommodate their medical needs.

Aside from boosting patient-caregiver communication, the product can help reduce some of hemophilia’s stigma. “No one knows the phone contains their treatment,” says Leone.

Mobile devices have the potential to greatly improve healthcare. They can cut costs, generate efficiencies, and improve the relationships between patients and healthcare providers. But strong security is a must. HeliTrax and Laptop Guardian are two examples of how technology can help to make secure remote healthcare management possible.

John Wagley is an associate editor at Security Management.