As hospitals move rapidly to electronic health records, there is an increased need for enterprises to pay attention to data security. Just because it's a hospital doesn't mean it's immune to data theft, sabotage or viral intrusion.
One hospital chief information officer says achieving Most Wired hospital status without an enterprisewide IT security commitment is like playing baseball without a glove. "It may be possible, but it's risky, and sooner or later dangerously painful," says Ben Clark, vice president and CIO of Centra, Lynchburg, Va.
Health care IT security requirements aren't necessarily unique. Many security controls are simply sound IT best practices found in any security-conscious industry.
Information security officer Betsy Carwile Mewborn says Centra uses a variety of techniques to achieve enterprise IT security. "We constantly monitor for viruses and malware on all devices, and intrusion detection software is in place between us and the Internet," she says. Centra also enlists outside help to perform such periodic tests as network penetration, business impact analysis and threat and risk assessment to identify areas where more effort is indicated.
Centra runs a network risk assessment at least once a year and after major network and infrastructure upgrades.
Denver Health schedules different audits at different times. It conducts internal audits quarterly, including wireless, mobile, application and access security. "We use a quarterly schedule so negative findings from one quarter can be remediated and validated the following quarter," says CIO Gregory Veltri.
Veltri also runs internal and external vulnerability scans as needed after system changes to ensure that new exposures have not been created during upgrades. Also, scans of new devices, such as application servers, allow the hospital to establish a baseline to compare against future scans, he says.
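The baseline-and-rescan practice Veltri describes, as an added example that is not from the article or from Denver Health: it parses two constructed scan reports in an assumed simple "host, port, service, issue" format and reports which exposures an upgrade introduced, fixed or left in place.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Finding:
    host: str      # scanned device
    port: int
    service: str
    issue: str     # what the scanner flagged

def parse_scan(report: str) -> set[Finding]:
    """Parse a 'host, port, service, issue' report; '#' lines are comments."""
    findings = set()
    for line in report.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service, issue = (f.strip() for f in line.split(",", 3))
        findings.add(Finding(host, int(port), service, issue))
    return findings

def compare_scans(baseline: set[Finding], current: set[Finding]) -> dict:
    """Split the current scan into new, fixed and persisting exposures."""
    return {
        "new": sorted(current - baseline),         # introduced since baseline
        "fixed": sorted(baseline - current),       # remediated since baseline
        "persisting": sorted(current & baseline),  # still open, carried over
    }

# Constructed sample reports for one application server (not real scan data).
BASELINE_SCAN = """
# baseline taken when the server was first deployed
10.20.0.15, 443, https, TLS 1.0 enabled
10.20.0.15, 22, ssh, password authentication enabled
"""
POST_UPGRADE_SCAN = """
# rescan after a software upgrade
10.20.0.15, 443, https, TLS 1.0 enabled
10.20.0.15, 8080, http, management console reachable without authentication
10.20.0.15, 3389, rdp, remote desktop exposed to the network
"""

def upgrade_delta() -> dict:
    """Worked case: what changed on 10.20.0.15 between the two scans?"""
    return compare_scans(parse_scan(BASELINE_SCAN), parse_scan(POST_UPGRADE_SCAN))

if __name__ == "__main__":
    for bucket, items in upgrade_delta().items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.host}:{f.port}/{f.service} - {f.issue}")
```

Anything in the "new" bucket is the exposure the upgrade created and is what the change-validation step in the next quarter should confirm as remediated.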
ProMedica Health System in Toledo, Ohio, runs vulnerability tests on all new servers as they are deployed. "In addition to these routine scans, we periodically select server samples and perform vulnerability scans to ensure they continue to comply with established policies," says CIO Dave Selman. A third party performs annual network and application penetration tests. "Any findings are forwarded to legal counsel for protection and are immediately corrected," he says. However, ProMedica prefers to keep risk assessments in-house.
If risk assessments are outsourced, though, John Kahanek, a principal at health consultancy CSC, advises that hospitals ink a confidentiality agreement to ensure that any internal deficiencies are not disclosed outside the organization. He also says hospitals should request information on the vendor's own security process, and even ask for three references.
Aspirus Wausau Hospital in Wisconsin engages an outside auditing firm to assess its IT environment. Vice president and CIO Jerry Mourey says these annual efforts are designed to promote effective and efficient change management and also to ensure current access credentials for business associates, who often are loosely affiliated physicians and their staffs.
Still, even the most secure enterprise can be compromised if e-waste is mishandled. Health data on unused or discarded computers can be harvested for sinister reasons. A Department of Defense-grade secure wipe is crucial. Many hospitals deal with e-waste by hiring professional services that not only wipe data securely on-site, but also ensure responsible disposal of parts.
Regions Hospital in St. Paul, Minn., uses an outside vendor to manage the discarding of old computer equipment. "This vendor provides a certification by serial number of asset disposal," says Vice President and CIO Kim LaReau.
Likewise, Aspirus and Denver Health contract equipment disposal to local firms certified in data destruction. These vendors take all old surplus and dispose of it according to DoD standards, and then provide a report on the destruction of each asset. For internal items such as CDs, Denver Health has a Web page that instructs end users on the proper method of disposal, complete with logs to record the date and method used, such as shredding.
ProMedica sends used IT equipment to a recycling company. Hard drives and media are shredded in place before being separated into recycled components.
Douglas Page is a freelance writer in Pine Mountain, Calif.
This article first appeared in the December 2010 issue of H&HN magazine.