Though security issues remain a top concern, the wireless component will increase in use to overcome human latency, among other problems. Human latency is the time that one part of a system spends waiting for another part to catch up; here it describes a human's involvement delaying the resolution of a critical situation or preventing the delivery of critical information or expert advice. It has plagued the $2.26 trillion health care industry for decades.
“Human latency poses a huge liability in health care,” says Laurence Guihard-Joly, vice president of Integrated Communications Services at IBM. “In an environment where anytime, anyplace communications is critical, wireless and mobility solutions allow health care providers to dramatically improve decision-making processes and bring more resources directly to the patient.”
Toronto East General Hospital, a large urban, full-service community hospital in Ontario, recently introduced an IBM solution that included a unique combination of a Cisco wireless network, wireless communication devices from Vocera, and real-time, event-driven notification software from GlobeStar Systems. The hospital estimates that upon project completion, approximately 800 critical care staff members will be using the hospital's innovative wireless communicators.
While that’s all well and good, few physician practices can go to such lengths to achieve wireless accessibility and still safeguard the information. So, what can a physician’s office do to obtain the same secure ends? First, understand where the liabilities lie.
Absolute Software identifies the top five computer security risks for healthcare as:
1. Failure to Protect Sensitive Data Beyond Encryption
According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops. However, a recent Research Concepts survey found that 72% of IT asset managers believe their own employees – those with access to encryption keys and passwords – were responsible for most incidents of data breach in their organizations. With lost or stolen mobile computers cited as the cause of nearly 50% of data breaches, healthcare organizations must complement encryption with the ability to remotely delete EPHI from missing computers for the highest level of data protection.
2. Inability to Accurately Manage Mobile Computer Assets
In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets. Internet-based, firmware-persistent IT asset management solutions such as Computrace can provide visibility into as much as 99.7% of a computer population – regardless of computer location.
3. Sensitive Information on Public Terminals
Many healthcare facilities allow public information to be accessed on open-air terminals, such as reception desks, nursing stations, public information terminals, and help stations. These workstations are at great risk of data breaches and information can be easily accessed and downloaded. Unattended stationary computers should always be monitored and protected with an authentication prompt.
4. Difficulty Implementing a Comprehensive Data Security Plan
Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords. The plan needs to be reviewed and updated consistently to ensure maximum effectiveness.
5. Reluctance to Create a Data Breach Policy
Few healthcare facilities have ‘nightmare scenario’ policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media. In a data breach situation, computer theft recovery software solutions have the capability to remotely delete sensitive files, track lost or stolen computers and partner with local law enforcement to recover them.
At a bare minimum, physician practices should cover three essential checkpoints to tighten security, according to Richard Stiennon, chief research analyst at IT-Harvest, an independent research firm covering the IT security industry.
1. Strictly control access. There are many ways that data is made available for transfer from clinical data systems. Never have an open-ended system. Require suppliers of technical support to log in with individual user names and passwords using SSH, not telnet or FTP. Use a secure file transfer system for exporting data.
2. Use a firewall to limit access to pre-determined locations. In other words, only specific IP addresses should be granted access, and then only to specific destinations within your office.
3. If you create physical backup disks, CDs, or tapes, you must encrypt that data.
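One way a practice could check its inbound firewall rules against checkpoints 1 and 2 is sketched below. This is an added example, not code from the article or from any vendor it names; the rule format, rule names and addresses are constructed for illustration and do not match any particular firewall's syntax.

```python
import ipaddress

# Ports for protocols that send credentials in cleartext (checkpoint 1).
CLEARTEXT_PORTS = {21: "FTP", 23: "telnet"}

# Constructed sample rules in a hypothetical, simplified format.
# Addresses come from documentation and private ranges.
RULES = [
    {"name": "vendor-support-ssh", "src": "203.0.113.10/32",
     "dst": "192.168.10.5/32", "port": 22},
    {"name": "legacy-vendor-telnet", "src": "203.0.113.10/32",
     "dst": "192.168.10.5/32", "port": 23},
    {"name": "lab-export", "src": "any",
     "dst": "192.168.10.20/32", "port": 22},
    {"name": "billing-sftp", "src": "198.51.100.0/24",
     "dst": "192.168.10.0/24", "port": 22},
]

def parse_net(text):
    """Parse an address or CIDR block; the keyword 'any' means all of IPv4."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text,
                                strict=False)

def audit_rule(rule, max_hosts=1):
    """Return findings for one rule; an empty list means it passes."""
    findings = []
    if rule["port"] in CLEARTEXT_PORTS:
        findings.append("CLEARTEXT: %s on port %d, replace with SSH/SFTP"
                        % (CLEARTEXT_PORTS[rule["port"]], rule["port"]))
    # Checkpoint 2: specific source addresses, specific destinations.
    for field, code in (("src", "BROAD_SRC"), ("dst", "BROAD_DST")):
        try:
            net = parse_net(rule[field])
        except ValueError:
            findings.append("%s: unparseable address %r" % (code, rule[field]))
            continue
        if net.num_addresses > max_hosts:
            findings.append("%s: %s covers %d addresses"
                            % (code, net, net.num_addresses))
    return findings

def audit(rules):
    """Map rule name -> findings, listing only rules that need attention."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, findings)
```

Raising `max_hosts` relaxes the check for offices that deliberately allow a small partner subnet rather than single addresses.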
Stiennon recommends the following product suppliers…