Encryption is too easy and cheap to not use it

It seems that at least twice a month we are hearing about a health care organization that has had a data breach because of a lost or stolen laptop. Every time I read about a new breach I shake my head and ask myself why these organizations aren’t using encryption to protect the contents of their laptops. I have come up with 2 conclusions:

  1. The organizations are not familiar with encryption technology and think it is too complex to implement
  2. The organizations think that implementing encryption technology is too expensive and cost prohibitive

So I thought I would take a few minutes to hopefully help enlighten some people on just how easy it is to implement encryption and how affordable encryption is.

There are many encryption products on the market. Some are free, such as TrueCrypt, while others vary in cost and complexity. PGP is one of the leaders in encryption and has recently been purchased by Symantec Corporation. PGP ranges from encryption of a few laptops to 1,000s of laptops in an enterprise. PGP usually requires some infrastructure setup that allows administrators to control policies, safeguard encryption keys and monitor which laptops have been encrypted. There is some complexity associated with setting up and deploying PGP encryption.

A product that we have been using for ourselves and our clients is called AlertBoot. AlertBoot is an easy to install encryption product that encrypts the entire laptop’s hard drive. The install is web based from AlertBoot’s site and is very easy and painless. Depending on the size of the hard drive and the speed of the drive it can take anywhere from 30 minutes to 4 hours to encrypt the drive. You can even use the laptop while it is doing the one-time encryption. There is no risk of losing the encryption password and then being locked out of the laptop. AlertBoot has 7×24 hour support that can help a user recover a lost encryption password.

AlertBoot Support, Password Recovery, and Helpdesk

Forget your password? Have a question about AlertBoot? Don’t worry: help is always just a phone call away. AlertDesk is your personal helpdesk for password recovery and assistance— open 24 hours a day, 7 days a week, 365 days a year.

AlertDesk is completely secure and confidential. You’ll be challenged with security questions as a safety precaution to verify your identity. AlertDesk Support will never have access to your devices or your personal data.

AlertBoot encryption costs $12.95 per month per laptop.  There is a 10% savings if you prepay for the year.  So for around $150/year per laptop you can fully encrypt the contents of the hard drive.

Now to be clear, AlertBoot is just one of the many products on the market and I am only using them as an example because I am familiar with the technology and their monthly cost per laptop makes it easy to calculate the true cost of encrypting each laptop.

So say you have 10 laptops in your organization: you are looking at $130 a month to encrypt all 10 laptops. That to me is a very reasonable price to pay to ensure that you are protecting the data on each laptop, complying with HIPAA regulations and ensuring that any patient data on the laptop is secure and protected.

To put the costs into perspective let’s take a look at some estimates of cost if a laptop is lost or stolen. According to the Ponemon study (PDF) titled “The Cost of a Lost Laptop”, published on April 22, 2009, a lost laptop will cost:

  • The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.
  • What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost.
  • Encryption makes a difference. There is almost a $20,000 difference between lost laptops that had encryption installed versus those that did not have encryption.
  • The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) followed by financial services ($71,820), healthcare ($67,873) and pharmaceutical ($50,393). The industries with the lowest average cost per lost laptop are retail ($8,756) consumer products ($2,194) and manufacturing ($2,184).
  • The average data breach cost of a lost laptop also varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services ($68,862), healthcare ($43,547) and pharmaceutical ($42,027). The lowest average data breach cost is for government ($12,017) followed by retail ($3,620) and manufacturing ($44).

According to the report, the use of encryption can reduce the cost of a lost laptop by $20,000. That makes the $12.95/mo seem incredibly cheap. And now that you know encryption is easy to install and the risk of being locked out of the laptop is not an issue, you should seriously consider encrypting each of your laptops. There really is no good excuse not to implement laptop encryption.


5 easy steps to protecting patient data

Medical practices are not only tasked with protecting their patients’ health but are now responsible for protecting their patients’ electronic information as well. Protecting data is probably something that most practice employees have not been trained to do, nor are they familiar with best security practices. Data security is usually left to the IT consultants who maintain and support their network. Here are 5 things that you and your IT consultants can do to ensure you are properly protecting patient data.

Security Patches

The reality is that most software has security vulnerabilities that hackers, viruses and spyware can exploit to compromise the security of a network. These vulnerabilities exist in Windows operating systems, including desktops (Windows XP, Vista and 7) and servers (all versions), and in applications such as Adobe Acrobat, Microsoft Office, and Internet browsers. To minimize the risk, vendor security patches should be diligently applied. Microsoft issues patches at least once a month. These patches should be applied by your IT vendor. Desktops can be set to update automatically with no need for IT or user intervention. Employees should be trained to diligently update programs such as Adobe Acrobat and Flash, Java and Internet browsers. An even better strategy is to invest in software that allows IT administrators to control the deployment of vendor security patches and software updates. Microsoft has free tools that let Microsoft-specific security patches be deployed centrally. Unfortunately the Microsoft tools do not take care of 3rd party applications. Additional tools will need to be purchased to address these 3rd party apps.

Ban USB drives

A majority of patient data security breaches are due to lost or stolen portable devices such as USB drives, smart phones and laptops. In order to reduce the risk of a data breach, I recommend that you set a policy to ban USB drives. If an employee absolutely needs to use a USB drive to perform their job function then invest in encrypted USB drives. I am a fan of the Kanguru encrypted drives.  You can also get other encrypted drives here. Many people I talk to about data encryption admit to me that they really don’t understand the technology and are reluctant to use it because of this.  Simply stated an encrypted USB drive secures the data on the drive and requires a password to read or write information to the drive. The technology is super easy to use.  These drives cost more than unencrypted drives but the cost is not significant.  For example an unencrypted 4GB drive might cost $10 and an encrypted drive might cost $35.  The cost difference is nothing compared to the cost of a data breach.

Encrypt Laptops

As mentioned above, stolen or lost laptops are a leading cause of data breaches. All laptops should be encrypted. There are many types of encryption on the market. Some of these require IT support and installation. An encryption service that we started to work with called AlertBoot sells a very easy to use product that will encrypt a laptop’s disk drive. The service can be used with no IT support required. After AlertBoot encrypts the laptop’s disk drive, an employee simply enters the encryption password once each time they start the laptop. AlertBoot can help reset the encryption password if an employee forgets it so there are no worries about losing a password and being locked out of the laptop. At $12.95/mo. it is not the cheapest on the market but its ease of installation, minimal impact to a laptop’s performance and 7 x 24 hour support make it a great choice to protect each of your laptops.

Password Controls

One of the cheapest and most effective security steps that you can take is to implement password controls. Password controls include:

  • Disable a user account after a number of failed password attempts (think 5 failed passwords and your account is locked and can only be unlocked by your IT administrator)
  • Require complex passwords. Simply stated, complex passwords require a user to set a password that is 6-8 characters and must have letters, numbers, and special characters (! @ # $ % ^ & * + ). These prevent using easy to guess passwords.
  • Force users to change passwords every 60-90 days. Unfortunately I can guarantee you that your employees will complain about this. It always amazes me how people hate to change their passwords. I guess with so many different passwords, changing one makes it even harder to remember them. As a note, security is a fine balance between protecting your network and making it easy for employees to perform their job function.

Each of these password controls can easily be set by your IT administrator using the tools that Microsoft provides to manage a Windows network. At most this setup will take 1 or 2 hours of time.
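To check that the three controls above are actually in force, an administrator can export the local security policy (`secedit /export /cfg <file>`) and audit the `[System Access]` section. The script below is an added example, not part of the original article; the sample export is constructed, and the thresholds (5 attempts, 8 characters, 90 days) are assumptions taken from the figures in the bullets.

```python
# Added example: audit an exported Windows password policy against the
# three controls listed above. SAMPLE_EXPORT is constructed for illustration;
# a real secedit export is typically UTF-16 encoded, so open it accordingly.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Thresholds are assumptions of this example, based on the article's bullets.
MAX_FAILED_ATTEMPTS = 5   # lock the account after this many bad passwords
MIN_LENGTH = 8            # upper end of the article's 6-8 character range
MAX_AGE_DAYS = 90         # upper end of the article's 60-90 day range


def parse_system_access(text):
    """Return the numeric settings of the [System Access] section as a dict."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            pass  # non-numeric entries (e.g. account names) are not audited
    return settings


def audit(settings):
    """Return (setting, problem) pairs; an empty list means all controls pass."""
    findings = []
    lockout = settings.get("LockoutBadCount", 0)
    if lockout == 0:  # 0 means accounts are never locked out
        findings.append(("LockoutBadCount", "account lockout is disabled"))
    elif lockout > MAX_FAILED_ATTEMPTS:
        findings.append(("LockoutBadCount",
                         f"{lockout} attempts allowed, want <= {MAX_FAILED_ATTEMPTS}"))
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append(("PasswordComplexity", "complex passwords are not required"))
    length = settings.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(("MinimumPasswordLength",
                         f"minimum is {length}, want >= {MIN_LENGTH}"))
    age = settings.get("MaximumPasswordAge", -1)
    if age == -1 or age > MAX_AGE_DAYS:  # -1 means passwords never expire
        findings.append(("MaximumPasswordAge",
                         f"passwords live {age} days, want <= {MAX_AGE_DAYS}"))
    return findings


if __name__ == "__main__":
    for setting, problem in audit(parse_system_access(SAMPLE_EXPORT)):
        print(f"FAIL {setting}: {problem}")
```

On a domain, the effective values come from Group Policy, so run the export on a machine that receives that policy.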

Encrypt Backup Tapes

Backing up your data is very important and is a best practice for ensuring that you protect your patients’ information. If you back up your EMR on a nightly basis you will have all of your patients’ records on the backup tape. That can be 100, 1,000 or 100,000 patients depending on how much data is in your EMR. Now think about what would happen if that backup tape is lost or stolen. Having the tape lost or stolen is not that hard to imagine and could happen if someone breaks into your office or if an employee is responsible for taking the tape out of the office and has it stolen from their car. The good news is that most backup software has data encryption built into the software. All that has to be done is to configure the software to encrypt the data and set an encryption password. Unfortunately what I have seen is that the encryption setting is usually not set and the data is backed up to tape without encryption. Make sure your IT vendor has encryption enabled and that your tapes are encrypted.

If you follow these 5 steps to securing your patients’ data you will significantly increase your level of security. As I mentioned, none of these are very expensive and the expense is insignificant compared to the expense of a data breach. And as an added benefit, these will help you with your HIPAA security compliance as well.

Let me know if you already have implemented some of these security measures or if you have other examples of easy and cheap security protections.


More unencrypted laptops stolen

A story over at FierceMobileHealthcare reports that two laptops were stolen from the Department of Veterans Affairs. Neither of the laptops had the hard drives encrypted.

Two recently disclosed potential breaches of health data in government health programs, potentially impacting more than 10,000 patients, were the result of stolen, unencrypted laptops belonging to contractors.     

The Department of Veterans Affairs said that a laptop stolen from an unspecified contractor’s car April 22 contained unencrypted, personally identifiable information of about 644 veterans. And New Mexico’s Health and Human Services Department reported last week that an employee of West Monroe Partners, a subcontractor that processes dental claims for Medicaid enrollees, had an unencrypted computer in the trunk of a car stolen in Chicago March 20. That computer may have contained data on 9,600 beneficiaries, Government Health IT reports.

Still, the news incensed Rep. Steve Buyer (R-Ind.), the ranking member of the House Veterans Affairs Committee, because a law passed in the wake of a major breach in 2006 that threatened the privacy of 26.5 million veterans and their spouses requires VA contractors to encrypt health data on laptops. The breach indicates that the “VA lacks focus on its primary responsibility of protecting veterans’ personal information,” Buyer writes in a May 12 letter to VA Secretary Eric Shinseki.

“We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use,” he adds.

It seems to me that if your medical practice is using laptops that are unencrypted, it is only a matter of time before you experience a security breach.  Encrypting the hard drive of a laptop is neither very complicated nor is it expensive.  My advice is to start looking into laptop encryption sooner rather than later.


The realities of network security

There is a story over at FierceHealthIT that summarizes a healthcare security study commissioned by Kroll Fraud Solutions, Nashville, Tenn. The study concluded that healthcare organizations take security seriously but may have a false sense of how secure their organization really is.

Reasons for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology–stolen laptops and back-up tapes, as well as improper document disposal.
 
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks–an average of 6 on a scale of 1 to 7–for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission’s “Red Flags” rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.

The first step to ensuring that your practice is secure is taking security seriously. It is important to write security policies and procedures. But security is not about going down a list of to-do items and checking each one off. Security is about ingraining best practices into your everyday workflow. Unfortunately security at times gets in the way of how we normally perform our jobs. Security requires a few extra steps at times. You might have to encrypt the file that you are working on before copying it to a USB drive or you may have to send a patient an encrypted email rather than just a standard email. Each one of these actions requires a few extra steps, but they make sure that the data is secure and protected.

Security also costs money. There is no way around it. In order to ensure that your data is protected and secure and especially to comply with the HIPAA Security Rule, you have to invest in security technology. Patients want to communicate more and more by email, so you will eventually have to invest in email encryption to safely and securely communicate with patients. Data is more and more portable and you have to put in the proper technology to protect it. Portable data can be on laptops, tablets, USB drives, smartphones, etc. Each one of these devices can leave your office and could potentially be lost or stolen. Implementing encryption technology is essential to protecting the data. Unfortunately you may have to implement one or more encryption technologies that are appropriate for each device.

Security costs money in ways you may not think about. Proper security requires that employees have unique user ids and passwords and only have access to the information that they have been granted access to. But how do you know if someone is trying to access information that they are not allowed to access? How do you know if someone has hacked through your firewall and is accessing your EMR? Your servers should be set up to log important events that occur on them such as logons, logoffs, invalid password attempts, successful data access, unsuccessful data access, etc. These server log files can become huge and there is so much information that it is almost impossible to understand what is happening on the servers. You will either have to invest in technology that goes through the server logs and notifies you if some security event is occurring or you will have to invest in an outside IT company to monitor your log files. Either way it is probably not an expense that you have considered.
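To show what "technology that goes through the server logs" does in its simplest form, here is an added example (not from the original article) that scans exported logon events and raises an alert when one account has 5 failed logons within 10 minutes, and again if a successful logon follows shortly after. The CSV layout, account names and addresses are constructed; 4625 and 4624 are the Windows Security log event IDs for failed and successful logons, and the threshold and window are assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a time-ordered CSV export of logon events.
SAMPLE_LOG = """\
time,event_id,account,source
2024-03-04T02:10:01,4625,frontdesk1,10.0.0.57
2024-03-04T02:10:09,4625,frontdesk1,10.0.0.57
2024-03-04T02:10:20,4625,frontdesk1,10.0.0.57
2024-03-04T02:10:41,4625,frontdesk1,10.0.0.57
2024-03-04T02:11:30,4625,frontdesk1,10.0.0.57
2024-03-04T02:12:05,4624,frontdesk1,10.0.0.57
2024-03-04T08:01:12,4625,drsmith,10.0.0.21
2024-03-04T08:01:40,4625,drsmith,10.0.0.21
2024-03-04T08:02:03,4624,drsmith,10.0.0.21
2024-03-04T09:15:00,4625,billing2,10.0.0.33
2024-03-04T11:40:00,4625,billing2,10.0.0.33
2024-03-04T14:05:00,4625,billing2,10.0.0.33
2024-03-04T16:30:00,4625,billing2,10.0.0.33
2024-03-04T16:31:00,4625,billing2,10.0.0.33
"""

FAILED_LOGON = "4625"           # Windows Security log: failed logon
SUCCESS_LOGON = "4624"          # Windows Security log: successful logon
THRESHOLD = 5                   # assumption: failures that trigger an alert
WINDOW = timedelta(minutes=10)  # assumption: period the failures must fall in


def find_alerts(log_text):
    """Scan time-ordered events; return (kind, account, time, source) tuples."""
    recent = defaultdict(deque)  # account -> times of failures inside WINDOW
    burst_at = {}                # account -> time the last burst was flagged
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        account = row["account"].lower()
        if row["event_id"] == FAILED_LOGON:
            failures = recent[account]
            failures.append(when)
            # Drop failures that are too old to count toward this burst.
            while when - failures[0] > WINDOW:
                failures.popleft()
            if len(failures) >= THRESHOLD:
                alerts.append(("failed-logon-burst", account,
                               row["time"], row["source"]))
                burst_at[account] = when
                failures.clear()  # start counting again after alerting
        elif row["event_id"] == SUCCESS_LOGON:
            flagged = burst_at.pop(account, None)
            # A success right after a burst may mean the guessing worked.
            if flagged is not None and when - flagged <= WINDOW:
                alerts.append(("success-after-burst", account,
                               row["time"], row["source"]))
            recent[account].clear()
    return alerts


if __name__ == "__main__":
    for kind, account, when, source in find_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: account={account} time={when} source={source}")
```

In the sample, only `frontdesk1` is flagged: two mistyped passwords before a normal logon (`drsmith`) and five failures spread across a working day (`billing2`) stay below the threshold.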

Computer networks are constantly changing. There are new programs being added, program updates being applied and security patches being downloaded and applied. Every change to the network has the potential of opening up a hole that someone could find and exploit to access your data. A security best practice is to periodically have a network penetration and vulnerability scan performed on your network. These scans are usually done by outside IT consultants that are very familiar with network security. The network penetration scan tries to access your network from outside of your office. This could be through the Internet, phone lines, wireless access points, etc. The scan looks for holes in your network security that someone could access. The holes could be created by an improperly configured firewall or by having unnecessary services running on the network that could be accessed. Without the network penetration test you would probably have no idea that these security holes existed. The network vulnerability scan looks for security holes on your internal network. Vulnerabilities could be identified by your vendors such as Microsoft or your EMR vendor. The vendors put out security patches that address the security vulnerabilities. A vulnerability scan will check to make sure that the appropriate security patches for your network have been applied. The end result of both the network penetration and vulnerability scan should be a comprehensive report on any issues that have been identified and the recommended steps to address the issues. 

The other big piece of security is training your staff to perform their job functions in a safe and secure manner that protects patient data. It is important to go over the policies and procedures with employees but it is even more important for them to understand the benefits of security. When you start implementing better network security you will be making changes that will directly affect your employees. They need to understand why passwords need to be 8 characters and changed every 60 days (for example). They need to understand why data must be encrypted if it is leaving your network. The good news is that employees already understand security. They understand the need for safe transactions when they are buying something from amazon.com. Training should take what they already understand and apply it to patient information. The bad news is that network security means change. Many employees don’t like change and they like doing things the way they are used to.

As you can see, security is a challenge for any medical practice. It requires a few extra steps to perform a job function in a secure manner. Security has costs that are both obvious and hidden. Security means change and change can have a direct impact on your staff. The purpose of this article was not to scare you away from security but to shed some light on what you will be getting into as you implement better network security that protects your patients’ data.


Hidden Costs of an EMR Implementation

There are literally hundreds of Electronic Medical Records (EMR) systems for sale. Some have similar feature sets while others differ in their offerings. There are many articles, blogs, and whitepapers on picking and implementing the best EMR for a practice. Most of these seem to focus on the software selection, the workflow process, the implementation process and ongoing support of the EMR. What seems to be missing is the focus on the actual network and computer system that the EMR will be running on.

As a practice goes from paper charts to a full blown EMR implementation, there will be a need to grow the practice’s computer network dramatically.   With the old paper chart model, there may be a couple of computers at the front desk for patient sign in and insurance information collection.  There may also be a few computers for billing and administration.  On the whole, a practice may have a very small or limited computer network. 

On the other hand, once a practice moves toward an EMR implementation the amount of technology required increases dramatically. The front desk may need scanners to scan insurance cards, driver’s licenses, etc. Additionally the front desk may check on insurance coverage, which may require Internet connectivity. Physicians will need tablet computers to enter patient information during a visit. If a practice decides not to purchase tablet computers then perhaps each exam room will need a computer, laptop or terminal to access the EMR system. The billing department will need access to the EMR system as well as Internet connectivity to submit insurance claims. Workgroup or network scanners may be needed to scan old patient records into the EMR or to scan patients’ new paper information, i.e. letters, referrals, etc. Electronic fax servers may be required to send information out of an EMR to another physician’s office, or the fax server may be used to receive electronic faxes and attach them to patient records within the EMR.

In addition to the equipment mentioned above, there is the EMR itself. The EMR may require a database server and database software such as Microsoft SQL Server. There may be a need for a network domain controller which stores the user names and network credentials for a practice’s employees. The EMR database may be backed up to a tape backup unit or by a remote backup service that backs up the data securely over the Internet. The reliance on the Internet becomes essential and requires a dependable and fast Internet connection. These connections can be a T1 from a phone carrier (e.g. Verizon, AT&T, Qwest, etc.), DSL or a Cable Modem. The Internet connection should be secured via a Firewall which protects a practice’s network.

Once all of the above technology is purchased and deployed a practice may want to roll out Email for both internal and external communication.  Email with patients may require additional email encryption technology.  With all the new computers and employees that now have access to the Internet, the potential for abuse may arise.  Technology to limit employee’s access to the Internet may need to be implemented.  Additional technology to provide Disaster Recovery of the EMR or network may also need to be purchased and implemented.  Remote Access to the EMR may be required which may require additional network technology.

As you can see, a practice may go from a handful of computers to a full-blown computer network with a lot of advanced technology. The network will need to be maintained, which may include verifying data backups, security patch deployment, software upgrades, preventative maintenance, etc. In addition, the HIPAA Security Rule and HITECH Act require that a network be secure and audited and that access to patient information be available. These requirements bring along the need for additional technology and network maintenance processes.

We will go into detail about a lot of these technologies in future updates.  A final thought to think about when a practice is evaluating EMRs – Don’t forget about the computer network!
