Sick of Data Protection Rules
Print Issue: October 2011
SOUTHWEST WASHINGTON MEDICAL CENTER, OF VANCOUVER, Washington, wanted to develop a good strategy for complying with privacy and data security laws and regulations in a more efficient and cost-effective manner.
Working with colleagues, Christopher Paidhrin, security compliance officer, developed a framework for doing just that.
Common security frameworks are increasingly being adopted in healthcare, according to experts. Developed by individual organizations, industry consortiums, and others, such frameworks are “beginning to come together well for healthcare and other industries,” says Jim Koenig, director of PricewaterhouseCoopers’ privacy and identity theft practice. They can frequently improve security while also generating efficiencies and reducing costs, he says.
For Southwest, the framework, or map of best practices, would become an ongoing guide to a holistic approach to privacy and data security that Paidhrin terms Awareness in Depth. The map, which remains a work in progress, has helped the hospital focus on the highest-risk areas, he says. In recent years, that’s meant an increasing focus on such components as security awareness training. It’s also included the implementation of new tools, including encryption and software that monitors employee access. Such approaches—which some experts say are especially important in healthcare data security—are described in more detail ahead.
Hospitals and other healthcare organizations are under growing pressure to protect sensitive data. Each healthcare breach costs healthcare organizations about $6 million on average, according to the Ponemon Institute, a nonprofit research organization. Costs include the expense of notifying customers, paying legal fees and regulatory fines, and the loss of income from patients who choose to go elsewhere in the future.
Fines can be steep. In early 2011 the Department of Health and Human Services (HHS), which administers the Health Insurance Portability and Accountability Act (HIPAA), imposed a combined $5.3 million in penalties on two healthcare organizations: one after an employee left sensitive patient data on a subway train, the other after the facility failed to provide patients with copies of their own records.
The latter case, which involved Cignet Health, was the first time the government imposed a civil money penalty on an organization for violating HIPAA’s Privacy Rule. HIPAA comprises a Security Rule, with 43 main stipulations mainly concerning the protection of electronic health data, and a Privacy Rule, which governs how patient information may be used and disclosed and the policies organizations must maintain around it.
HIPAA’s regulations have also grown stricter in the past year or so due to amendments. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009, included several provisions that strengthened HIPAA security regulations and penalties. Those took effect in 2010.
Among the provisions was one requiring organizations to report breaches affecting 500 or more individuals to HHS without unreasonable delay; smaller breaches must be logged and reported to HHS annually. At least a few states have also strengthened data protection rules and requirements in the past few years.
Aside from HIPAA and state data breach laws, Southwest, like many other hospitals, has had to comply with numerous other requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), which governs how organizations handle payment card data. Even with so many requirements, though, “you don’t need to just throw your hands up,” explains Paidhrin. Many security and privacy regulations have significant overlap, he says. Many of them “dovetail beautifully.”
Paidhrin began building Southwest’s framework by examining several major international standards that assist with security, data protection, and business best practices. They included the 27000-series standards from the International Organization for Standardization (ISO), which contain agreed-upon best practices for managing the security of sensitive information; ISO 27799 applies those practices specifically to healthcare information. Another standard was COBIT, written and managed by ISACA, a nonprofit association for IT governance, audit, and security professionals. COBIT aims to assist IT professionals with areas including compliance, technical and workflow issues, and business risks. HIPAA’s security regulations and its Privacy Rule were also integrated into the map. But many of HIPAA’s requirements were already covered by controls in the COBIT and ISO standards, says Paidhrin.
Southwest’s framework, called Information Technology Services Management (ITSM) Best Practices, fits on one large page. It looks like a tree with roots and branches. Larger branches contain major business, IT, and security-related goals and categories. These then lead to smaller branches containing individual or small sets of systems, policies, and goals. A small portion of headings are underlined or shaded a particular color, indicating that the heading is particularly important in meeting particular guidelines, such as COBIT or those from ISO.
One of the main benefits of the map is that it helps managers, both in IT and throughout the organization, communicate, says Paidhrin. The map helps create a standard language and set of goals, serving “as a reference point for discussions, awareness, and analysis throughout the organization,” he notes. “Executives can look at it, and it makes sense.”
One branch in the map is labeled governance. This leads to a branch titled “risk management,” which then leads to topics including reputation and fraud. Another branch stemming from governance leads to “vision,” which leads to subsections including “social and community responsibilities.” Under a section titled “wireless,” for instance, the map leads to a branch that lists devices including laptops, PDAs, tablet computers, and pagers.
Before the hospital undertakes new projects or initiatives, the map helps ensure that important elements aren’t neglected. The map is also valuable in terms of change control, says Paidhrin. By showing how systems and policies are associated, the document helps IT know which departments and managers to speak with before initiating a new project. The map can also help show how shutting a particular system down could affect other systems and processes.
The map has been helpful when the IT department wants to ask high-level management for certain technologies and funding, explains Paidhrin. It was helpful when, for example, the IT department recently requested new funding for encryption solutions, he says. In the ITSM map, next to a branch listing laptops and other mobile devices, there’s a “dash,” followed by the word encryption, indicating the importance of encrypting such devices. (Southwest’s implementation of encryption technology is described in more detail ahead.)
Paidhrin also keeps a list of available IT department services. The list of services, along with the map, has helped the IT department make sure the appropriate controls are being implemented.
In addition to using its ITSM map, Southwest, like many healthcare organizations, has been adding technical controls to strengthen security and meet compliance needs. Encryption is one especially important technology.
Under HIPAA’s breach notification rule and many state data breach laws, lost or stolen data that was encrypted in line with HHS guidance (which points to NIST-approved methods) is not considered “unsecured,” so its loss generally does not have to be reported, provided the decryption key was not compromised along with it. Encryption can be particularly important for laptops. According to the most recent data on breaches published by HHS, out of nearly 200 listed breaches in 2010, 24 percent were listed as laptop theft, the highest source of breaches. About 14 percent were attributable to loss of hand-held devices, such as smartphones.
Southwest has a policy of encrypting all laptops, says Paidhrin. It uses software from GuardianEdge Technologies, which is owned by Symantec. Paidhrin says that placing the solution on individual laptops can sometimes be time-consuming, taking “several hours.” But it’s worth the time, he says. Encrypting laptops “gives us peace of mind.”
The software is not particularly cumbersome for employees, he adds, and mainly involves inputting an additional password.
Southwest has also been focusing more on protecting other mobile devices. Physicians and their employees are increasingly using such devices, including smartphones and iPads. Sometimes these devices are issued by the hospital to doctors and staff; other times, they are personal devices. In either case, even though employees aren’t able to copy or download documents onto these devices, they can access the network with them, so a mobile device could create a security exposure. “Security standards will have to be anytime, anywhere,” Paidhrin explains.
The hospital currently urges employees to use passwords and device time-out features with which devices lock after a certain number of minutes.
Paidhrin also recently bought a mobile security product from McAfee. The software can run on numerous operating systems, he says, ranging from Windows Mobile to Android. It provides various security features, including encryption. It also allows the hospital to remotely wipe data on lost or stolen devices. Another feature allows administrators to set a device to wipe data after a certain number of failed password attempts.
Southwest has also been strengthening security controls related to employee access and network monitoring. Such technology can be important to protect against inappropriate health-record access, identity theft, and other risks, Paidhrin says.
In Southwest’s ITSM map, one section, called “monitoring/auditing,” is labeled green, meaning that it’s a high priority under COBIT, one of the underpinnings of Paidhrin’s map. The “monitoring/auditing” heading leads to other map subsections including “appropriate use,” “networking traffic monitoring,” and “investigations.”
Access control. One of the programs used is a surveillance and audit product from FairWarning, aimed at detecting electronic health record (EHR) breaches. The solution works across more than 150 healthcare applications, according to the vendor, and has more than 200 types of behavior-based analytics to detect different kinds of suspicious behavior.
Installing the product was relatively simple, says Paidhrin, partly because it’s an appliance. Installation involved plugging in the device and downloading software from the vendor, he says. FairWarning is run from a central management console.
Paidhrin says he’s set up the product so that he can receive alerts based on certain activities, such as a large number of failed log-in attempts or when an employee attempts to access records an unusually large number of times. With such alerts, he can see whether an employee might be working a double shift, for example, or whether two or more employees may be sharing passwords.
The product is also highly effective for audits, he says. He can conduct searches by categories such as patient record, employee access, or time period, and download a spreadsheet that provides the results of his search. He can determine activity, such as whether patient records or other data points were printed.
Looking for such information without FairWarning would have been far too time-consuming, he says, likely involving sifting through individual application log files. Speed matters, because the HIPAA breach notification rule requires that affected individuals be notified of a reportable breach within 60 days of its discovery.
Paidhrin says the hospital is fully committed to reporting any privacy or security violations if necessary. When incidents are detected, they’re sent to a breach committee, which uses a harm matrix to consider any violation’s significance.
To date, many of the events detected have involved employees snooping into a family member’s records, he says. Under current guidance from HHS and other regulators, he hasn’t felt any incidents have warranted reporting so far.
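The alerts and audit searches described above, as an added example that is not FairWarning’s or Southwest’s code: a constructed EHR access log is checked for the three patterns the article mentions (an employee reading a relative’s or their own chart, an account touching far more charts than its peers, and one account active on two workstations at once), and an audit search is exported as a spreadsheet-style CSV. The employee directory, the log lines, the surname-match heuristic, and the thresholds are all assumptions made for the example.

```python
"""Added example: checks an EHR access-auditing tool runs over an access log.
Constructed sample data; not FairWarning's or Southwest's code."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed employee directory: username -> (surname, employee's own patient MRN).
EMPLOYEES = {
    "jsmith": ("Smith", "MRN-0007"),
    "lkoenig": ("Koenig", "MRN-0102"),
    "rdoe": ("Doe", "MRN-0310"),
    "tpark": ("Park", "MRN-0415"),
}

# Constructed access log: timestamp,user,workstation,patient MRN,patient surname,action
ACCESS_LOG = """\
2011-09-12T08:01:10,jsmith,WS-ICU-01,MRN-1001,Garcia,view
2011-09-12T08:03:44,jsmith,WS-ICU-01,MRN-1002,Smith,view
2011-09-12T08:04:02,jsmith,WS-ICU-01,MRN-1002,Smith,print
2011-09-12T08:10:00,lkoenig,WS-ER-04,MRN-1003,Nguyen,view
2011-09-12T08:11:30,lkoenig,WS-ER-09,MRN-1004,Lee,view
2011-09-12T09:00:00,rdoe,WS-REC-02,MRN-1005,Chen,view
2011-09-12T09:00:20,rdoe,WS-REC-02,MRN-1006,Brown,view
2011-09-12T09:00:40,rdoe,WS-REC-02,MRN-1007,Davis,view
2011-09-12T09:01:00,rdoe,WS-REC-02,MRN-1008,Miller,view
2011-09-12T09:01:20,rdoe,WS-REC-02,MRN-1009,Wilson,view
2011-09-12T09:01:40,rdoe,WS-REC-02,MRN-1010,Moore,view
2011-09-12T09:02:00,rdoe,WS-REC-02,MRN-1011,Taylor,view
2011-09-12T10:15:05,tpark,WS-LAB-01,MRN-0415,Park,view
"""


def parse_log(text):
    """Parse the CSV access log into event dicts with real timestamps."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, user, ws, mrn, surname, action = row
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ws": ws,
                       "mrn": mrn, "patient_surname": surname, "action": action})
    return events


def find_relative_access(events, employees=EMPLOYEES):
    """Access to the employee's own chart, or to a patient sharing the employee's
    surname. The surname match is only a heuristic (an assumption of this
    example); a production tool also matches address, phone or emergency-contact data."""
    hits, seen = [], set()
    for e in events:
        surname, own_mrn = employees.get(e["user"], (None, None))
        if e["mrn"] == own_mrn:
            key = (e["user"], e["mrn"], "own record")
        elif surname and e["patient_surname"].lower() == surname.lower():
            key = (e["user"], e["mrn"], "same surname")
        else:
            continue
        if key not in seen:  # report each (user, chart, reason) once, not per click
            seen.add(key)
            hits.append(key)
    return hits


def find_volume_outliers(events, factor=3.0):
    """Users who touched more distinct charts than `factor` times the median user.
    A real baseline would be per role and per shift; this is the simplest version."""
    distinct = defaultdict(set)
    for e in events:
        distinct[e["user"]].add(e["mrn"])
    counts = {u: len(s) for u, s in distinct.items()}
    threshold = factor * statistics.median(counts.values())
    return {u: c for u, c in counts.items() if c > threshold}


def find_shared_sessions(events, window=timedelta(minutes=2)):
    """One account active on two different workstations within `window`:
    a double shift is possible, but a shared password is the usual explanation."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= window:
                flagged.append((user, a["ws"], b["ws"]))
    return flagged


def audit_search(events, patient=None, user=None, start=None, end=None):
    """The audit query: filter by patient, employee and/or time window."""
    return [e for e in events
            if (patient is None or e["mrn"] == patient)
            and (user is None or e["user"] == user)
            and (start is None or e["ts"] >= start)
            and (end is None or e["ts"] <= end)]


def export_csv(rows):
    """Spreadsheet-style export of a search, noting whether the chart was printed."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "user", "workstation", "mrn", "action", "printed"])
    for e in rows:
        writer.writerow([e["ts"].isoformat(), e["user"], e["ws"], e["mrn"],
                         e["action"], "yes" if e["action"] == "print" else "no"])
    return out.getvalue()
```

Running the checks over the sample flags jsmith for the Smith chart (same surname), tpark for reading their own record, rdoe as a volume outlier, and lkoenig for being active on two ER workstations 90 seconds apart; `export_csv(audit_search(parse_log(ACCESS_LOG), patient="MRN-1002"))` yields the two rows for that chart, the second marked as printed. A vendor product layers far more context on top (role, unit, shift, patient relationships), but these are the same kinds of rules.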
Network overview. Another component of the hospital’s data protection is a security information management (SIM) product. The solution, from ArcSight, acquired by Hewlett-Packard in 2010, is like a far more comprehensive version of FairWarning, says Paidhrin. But while FairWarning concentrates mainly on applications, which can be especially important in monitoring employee access, the SIM tool can wade through large volumes of log data derived from numerous systems, devices, and security tools to pinpoint suspicious activity on the network. “It’s my eye in the sky for all things security,” says Paidhrin.
Paidhrin explains that he can adjust the solution to look for particular types of activity. He has also programmed it to send alerts based on certain events or activity thresholds.
The tool is extremely effective at identifying and mapping myriad types of incidents. Recently, for example, Paidhrin was approached by one of the hospital’s network engineers who asked if the ArcSight tool could help better identify activity related to the hospital’s firewalls, routers, and servers. Paidhrin says he was able to glean useful, detailed information about the activity within five minutes. “I told [the engineer] I could provide him with alerts” in the future, he states.
In the past, Paidhrin says he would sometimes review firewall data manually for similar information. But it could take hours or days. “There’s no way my eyes could review firewall logs,” he says.
The SIM tool can also proactively identify potential security issues. It can be set to send an alert when a machine or system is “in distress,” he says. It can also produce a notification when an employee tries to log in multiple times without success. On at least a few occasions, those alerts led him to contact employees and ask if they needed help. Those incidents were benign, but the quick contact from IT lets the employee know their actions are watched.
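What a SIM does under the hood, as an added example (not ArcSight’s or Southwest’s code): constructed log lines in four formats (a Cisco ASA firewall deny, Cisco IOS router link messages, Linux sshd authentication lines, and a Windows event 4625 exported as CSV) are normalized into one schema so that threshold rules can run across all sources at once. The two rules shown are the ones the article mentions: repeated failed logins for one account and a device “in distress.” The log lines, the CSV export layout, the assumed year for BSD-syslog timestamps, and the definition of “distress” (a burst of error-or-worse messages from one host) are all assumptions of this example.

```python
"""Added example: a toy SIM pipeline. Constructed log lines in four formats
(Cisco ASA firewall, Cisco IOS router, Linux sshd, a Windows 4625 CSV export)
are normalized into one schema, then threshold rules run across all sources."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

YEAR = 2011  # BSD-syslog lines carry no year; assumed for the constructed sample

# Constructed sample lines; the CSV line mimics a Windows 4625 (logon failure) export.
RAW_LOGS = """\
Sep 12 2011 08:15:01 fw01 %ASA-4-106023: Deny tcp src inside:10.20.30.44/51234 dst outside:203.0.113.9/445 by access-group "outbound"
Sep 12 08:16:10 app01 sshd[2231]: Failed password for jsmith from 10.20.30.44 port 52200 ssh2
2011-09-12T08:16:40,srv-ehr01,4625,jsmith,10.20.30.44
Sep 12 08:17:05 app01 sshd[2231]: Failed password for jsmith from 10.20.30.44 port 52204 ssh2
Sep 12 08:17:30 app01 sshd[2240]: Accepted password for rdoe from 10.20.30.77 port 50001 ssh2
Sep 12 08:20:00 rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Sep 12 08:20:09 rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Sep 12 08:20:41 rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Sep 12 08:20:50 rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

ASA_RE = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) (\S+) %ASA-(\d)-(\d+): (.*)$")
IOS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) %([A-Z]+)-(\d)-([A-Z]+): (.*)$")
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from ([\d.]+)")
WIN_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),([^,]+),(\d+),([^,]+),([\d.]+)$")


def _syslog_ts(text, has_year):
    if has_year:
        return datetime.strptime(text, "%b %d %Y %H:%M:%S")
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=YEAR)


def _event(ts, host, source, kind, severity=None, user=None, src_ip=None):
    """The common schema every source is mapped onto."""
    return {"ts": ts, "host": host, "source": source, "kind": kind,
            "severity": severity, "user": user, "src_ip": src_ip}


def parse_line(line):
    """Map one raw line onto the common schema; None for formats we don't know."""
    if m := WIN_RE.match(line):
        ts, host, event_id, user, ip = m.groups()
        kind = "auth_fail" if event_id == "4625" else "win_" + event_id
        return _event(datetime.fromisoformat(ts), host, "windows", kind, user=user, src_ip=ip)
    if m := SSHD_RE.match(line):
        ts, host, result, user, ip = m.groups()
        kind = "auth_fail" if result == "Failed" else "auth_ok"
        return _event(_syslog_ts(ts, False), host, "sshd", kind, user=user, src_ip=ip)
    if m := ASA_RE.match(line):
        ts, host, sev, msg_id, msg = m.groups()
        ip = re.search(r"src \w+:([\d.]+)/", msg)
        kind = "fw_deny" if msg.startswith("Deny") else "fw_" + msg_id
        return _event(_syslog_ts(ts, True), host, "asa", kind, int(sev),
                      src_ip=ip.group(1) if ip else None)
    if m := IOS_RE.match(line):
        ts, host, facility, sev, mnemonic, _ = m.groups()
        kind = "link_change" if mnemonic == "UPDOWN" else facility.lower()
        return _event(_syslog_ts(ts, False), host, "ios", kind, int(sev))
    return None  # a real SIM counts unparsed lines so blind spots are visible


def parse_all(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def _burst(evs, threshold, window):
    """First run of >= threshold events (already time-sorted) inside `window`."""
    for i, first in enumerate(evs):
        span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
        if len(span) >= threshold:
            return span
    return None


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Repeated failures for one account, counted across every source that
    reports them, which no single application's log can see on its own."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "auth_fail":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        if span := _burst(evs, threshold, window):
            alerts.append((user, len(span), sorted({e["host"] for e in span})))
    return alerts


def distress_alerts(events, threshold=3, window=timedelta(minutes=2), max_sev=3):
    """A device "in distress": a burst of error-or-worse messages (Cisco severity
    <= 3) from one host. This definition is an assumption of the example."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["severity"] is not None and e["severity"] <= max_sev:
            by_host[e["host"]].append(e)
    return [(host, len(span)) for host, evs in by_host.items()
            if (span := _burst(evs, threshold, window))]


def summarize(events):
    """Per-device activity overview: (host, kind) -> count."""
    return Counter((e["host"], e["kind"]) for e in events)
```

Over the sample, `failed_login_alerts` reports jsmith with three failures in under a minute spread across app01 and srv-ehr01 (two sources, one account, which is the point of correlating in one place), and `distress_alerts` reports rtr01 after four link up/down messages in 50 seconds; the firewall deny is severity 4 and so stays in the `summarize` overview without raising an alert. Real deployments parse hundreds of formats and tune thresholds per source, but the shape is the same: normalize first, then write rules against the common schema.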
Screening and Training
The human factor is, of course, central to data security. As part of that effort, the hospital conducts extensive pre-employment background checks, says Paidhrin.
If they make the cut, new hires receive security and privacy-related training when they begin working. All employees must take an annual Web-based test as well; anyone who scores less than 100 percent must retake it. Paidhrin also meets regularly with managers throughout the organization to discuss privacy, data security, and related matters.
The hospital also distributes a newsletter electronically to staff on a regular basis to discuss security and compliance issues. In addition, it has other campaigns to drive home the data protection message. One campaign, called “Mum’s the Word,” focuses on teaching employees not to speak about sensitive health information in hallways, elevators, and other public spaces. Paidhrin and other colleagues conduct regular walk-throughs inside Southwest, looking for possible privacy or compliance issues.
Employees are told that, due to the monitoring and other types of tools, they shouldn’t “have any expectation of privacy,” when using the company’s systems and machines.
By employing a common regulatory framework, adopting a range of technological solutions, and focusing on employee screening and awareness, Southwest has improved its ability to protect data and comply with the law. That also helps to protect patients and the hospital’s reputation and bottom line.