compromised has brought the security and
privacy of patient health information back to the forefront. Healthcare
providers and affiliated organizations seem to be the next target for hackers,
because they appear to be relatively easy targets and in many cases lack the
comprehensive security mechanisms that financial institutions and e-commerce
sites have learned to put in place.
Medical records are very valuable because they can easily be used by someone
else to open an account, at a bank for example, gain access to existing
accounts, and carry out many other actions that turn a false identity into
cash. These hacking incidents can be very lucrative for hackers: given that a
complete person-record might fetch between five and ten US dollars, stealing
100,000 records could fetch between $500,000 and $1 million US dollars.
How does the healthcare industry deal with this? The answer is that you put
as much deterrent in place as is practical, affordable and feasible, without
impacting patient care. Any security expert will agree that it is virtually
impossible to have a 100 percent secure system, but if you make it relatively
hard, the potential hacker will search for an easier target and move on. By
the way, security is not rocket science; it is more common sense than anything
else.
A key part of security is using passwords that are not shared, are hard to
guess, and combine letters, numbers and special characters. If you go to the
site “how secure is my password” you can actually see that the password
“123456” can be cracked almost instantly. By the way, this particular password
happens to be in the top three most used passwords, together with “password”
and “12345.” But if you look at the list of common passwords, you’ll find that
“baseball, football, monkey, batman, superman and even Michael” are all in the
top 25. This information is based on statistics compiled from stolen passwords
that were made public. Needless to say, there is a lot that can be improved in
this area.
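The password points above, as an added example that is not part of the original post: a small policy checker of the kind an onboarding or helpdesk tool might run. It rejects passwords that appear in a (constructed, deliberately tiny) list of commonly used and stolen passwords, enforces a minimum length and a mix of character classes, and estimates brute-force time the way the “how secure is my password” site does. The list contents, the 12-character minimum and the guess rate are assumptions for illustration.

```python
"""Password policy check: common-list rejection, length, class mix and a
brute-force time estimate. Added example, not code from the original post."""
import string

# Constructed sample of entries from published lists of stolen passwords.
# A real deployment would load a full breach corpus, not this handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "baseball", "football",
    "monkey", "batman", "superman", "michael", "qwerty",
}

MIN_LENGTH = 12                # assumed policy minimum
GUESSES_PER_SECOND = 1e10      # assumed offline cracking rate for a fast hash

# Each character class with the size it adds to the brute-force keyspace.
CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),
)


def classes_used(pw):
    """Keyspace sizes of the character classes that actually occur in pw."""
    return [size for check, size in CLASSES if any(check(c) for c in pw)]


def charset_size(pw):
    """Alphabet size an attacker must assume given the classes present."""
    return sum(classes_used(pw))


def crack_seconds(pw):
    """Upper-bound brute-force time: every combination of the classes used.
    Dictionary words fall far faster, which is why the common-list check
    below runs regardless of this number."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the list of commonly used / stolen passwords")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(pw)) < 3:
        problems.append("uses fewer than three character classes "
                        "(lowercase, uppercase, digit, special)")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Michael", "Correct-Horse-9-Battery"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {verdict}; brute force <= {crack_seconds(candidate):.3g} s")
```

Run as a script it reports each sample; `123456` fails all three rules and the brute-force bound is a fraction of a second, while a long multi-class passphrase passes. The common-list check comes first on purpose: a brute-force estimate alone would rate “Password1!” as strong even though it is guessed in the first moments of any dictionary attack.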
In addition, the use of firewalls, a DMZ, intrusion detection at your
external gateways, VLANs for vendor access, VPNs for external connections,
shutting down unused ports, and other commonly known practices are a must.
Centrally managed antivirus protection is critical as well. This goes hand in
hand with policies about the use of external media such as flash drives, which
are notorious for transmitting viruses, and about opening email attachments and
downloading Internet spam.
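The “shutting down unused ports” practice, as an added example that is not part of the original post: a check that audits the TCP listeners on a Linux host against an allowlist. It parses the output layout of `ss -ltn`; the sample text below is constructed, not captured from a real system, and the allowlist (SSH for administration, HTTPS for the application) is an assumption for this illustration.

```python
"""Listening-port audit against an allowlist, parsing `ss -ltn` style output.
Added example, not code from the original post."""

# Constructed sample in the layout of `ss -ltn` (header plus LISTEN rows).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Assumed allowlist for this host: SSH for administration and HTTPS for the
# application front end. Anything else reachable from the network is a finding.
ALLOWED_PORTS = {22, 443}

# Addresses that only local processes can reach; these are not exposed.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Return (local_address, port) pairs from `ss -ltn` style text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or a non-listening socket
        # Split on the last colon so IPv6 literals such as [::]:22 survive.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith(LOOPBACK_PREFIXES)


def unexpected_exposed_ports(ss_output, allowed=ALLOWED_PORTS):
    """Listeners bound to a network-reachable address whose port is not allowed."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # local-only service, e.g. a database bound to 127.0.0.1
        if port not in allowed:
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    # On a real host replace SAMPLE_SS_OUTPUT with the output of `ss -ltn`.
    for addr, port in unexpected_exposed_ports(SAMPLE_SS_OUTPUT):
        print(f"FINDING: port {port} listening on {addr} is not in the allowlist")
```

On the constructed sample the script flags the plain HTTP listener on port 80 and the extra service on 8080, while the database on 127.0.0.1 is left alone because it is not reachable from the network. The same check run periodically, with the allowlist kept under change control, turns “shut down unused ports” from a one-time cleanup into something that is monitored.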
The overriding concern, however, should always be the impact on patient care.
There should be a balance between the means and tools that clinicians need and
what is allowed by what many people call the “IT mafia.”
I actually believe that for every institution that hasn’t done its due
diligence with regard to protecting patient privacy and security, there is at
least one that goes too far. I personally have had a few experiences in that
regard. In one instance, I wanted to provide support to a service engineer on
another continent; we had set up an agreed-upon time, and at the time that we
were supposed to have the call we found that the IT department of the far
institution did not allow users to connect to Skype. Another example was when I
saw my specialist, and I had brought my ultrasound exam on a CD, while
specifically requesting a DICOM CD without a viewer from the imaging center (to
avoid having them put some proprietary images on there that could only be
viewed on their own viewer). So, for this “clean” CD to be read by the specialist, he
needed a DICOM viewer to be installed on his PC. I instructed him where to find
one on the Internet, but his PC was locked down by his IT department and therefore
he could not review my case. I learned that next time I will bring my own
laptop for him to review my case, but this was definitely impacting patient
care at the time of my appointment.
What to do next? As required by the US federal privacy regulation, the Health
Insurance Portability and Accountability Act (HIPAA), a comprehensive risk
analysis is definitely in order. This should be done at least once a year, and
it might make sense to use an outside consultant for it. This audit should
include all of the HIPAA items, such as physical security, policies and
procedures, and technical means such as encryption, access, authorization,
password usage or misuse, etc. You might come to the conclusion that patient
information resides in more places than you were aware of, for example on
discarded computers, or on the disks of intelligent copiers and fax machines.
This analysis will identify weak spots and things to fix and monitor. Put an
action plan in place to fix them, and continue to provide patient care
unhampered by extreme security measures, governed instead by policies,
procedures and technical means that are pragmatic and make common sense.