The federally mandated health IT buildup taking place between now and 2015 puts hospitals in a wireless network security Catch-22. On the one hand, interoperability of applications, devices and electronic health record (EHR) systems is forcing networks open, especially with patient monitoring devices, Wi-Fi tablets and laptops -- as well as smartphones -- requiring more wireless infrastructure.
On the other hand, the Health Information Technology for Economic and Clinical Health (HITECH) Act mandates that health care providers close off networks and maintain better security for Health Insurance Portability and Accountability Act (HIPAA) compliance. The HITECH Act also gives wider enforcement powers to state attorneys general and the U.S. Office for Civil Rights.
That means many CIOs are expanding hospital wireless networks while federal rules simultaneously are requiring them to guard their systems from would-be data thieves more closely than ever before. That increased vigilance calls for risk analyses of everything wireless in the hospital environment, from the network to the access points, to the devices connecting to them.
"The data is much more accessible than when it's in a wired network," said Todd Cooper, co-chair of the International Electrotechnical Commission Joint Working Group 7, which is developing IEC 80001, a standard for risk management in wired and wireless health care networks. "Not only do the communications themselves have to be secure, but you have to deploy a whole new level of security to make sure that these devices are allowed in."
Before flipping the switch, do a security risk assessment
Conducting a wireless network security risk assessment doesn't just help uncover vulnerabilities. It also can strengthen a hospital's case that it took "reasonable steps" to protect patient data and was not "willfully neglectful" -- two HIPAA concepts that can result in fines of $50,000 per violation, up to a maximum of $1.5 million per year, if federal investigators determine a hospital is on the wrong side of the law.
Many hospital departments, including those covering safety, disaster management and risk management, use the failure mode and effects analysis (FMEA) technique to uncover weak points in operations. The method also can help determine how wireless network security could be compromised -- and can help hospitals figure out how to shore up problems before they occur, said Elliot Sloane, director of Drexel University's health systems engineering program. The federal government's patient safety site offers health care-specific FMEA tutorials for IT leaders new to the methodology.
One example of using the FMEA technique in a wireless network security risk assessment might be to imagine, "What is the worst-case scenario that can happen if a doctor hooks up his home wireless router to our network and a hacker uses this rogue access point as an on-ramp to our EHR system?" From there, one aims to prevent data breaches by either implementing a hardware solution or writing a hospital policy forbidding the setup of such rogue access points -- or both.
There are three ways to solve problems uncovered in risk assessments:
- Engineer them out, which means addressing them with technology or eliminating an offending device or piece of software.
- Create signage that warns users of potential problems.
- Train employees, which Drexel's Sloane has characterized as the least effective method.
Whatever risk assessment and mitigation method you choose, Sloane emphasized, make sure it's done for every device used on the hospital wireless network, whether it's a medical device tracking information on patients or a new iPad a physician is using for email. Assign each device a risk score that's related to how much patient data it handles and how frequently, and whether it holds or transmits data, or does both. For the most effective mobile health security policy, address first the devices that score the highest for risk.
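One way to turn the per-device scoring described above into a ranked worklist, as an added example that is not from the article or from Sloane. The 1-5 scales, the weights, the doubling for devices that both hold and transmit data, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights: the article names the factors but not how to weigh them.
VOLUME_WEIGHT = 2     # how much patient data the device handles
FREQUENCY_WEIGHT = 1  # how often it handles that data


@dataclass(frozen=True)
class Device:
    name: str
    phi_volume: int      # assumed scale: 1 (almost none) to 5 (full records)
    phi_frequency: int   # assumed scale: 1 (rarely) to 5 (continuously)
    stores_phi: bool     # holds patient data at rest
    transmits_phi: bool  # sends patient data over the wireless network


def risk_score(device):
    """Return 0-30; higher means assess and mitigate this device sooner."""
    for label, value in (("phi_volume", device.phi_volume),
                         ("phi_frequency", device.phi_frequency)):
        if not 1 <= value <= 5:
            raise ValueError(f"{device.name}: {label} must be 1-5, got {value}")
    if not (device.stores_phi or device.transmits_phi):
        return 0  # never holds or sends patient data
    exposure = (VOLUME_WEIGHT * device.phi_volume
                + FREQUENCY_WEIGHT * device.phi_frequency)
    # A device that both holds and transmits data is exposed in two ways.
    handling = 2 if (device.stores_phi and device.transmits_phi) else 1
    return exposure * handling


def prioritize(devices):
    """Rank devices highest score first; ties are broken by name."""
    scored = [(risk_score(d), d.name) for d in devices]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


# Constructed sample inventory, not data from any real hospital.
INVENTORY = [
    Device("infusion pump", 1, 3, False, True),
    Device("bedside patient monitor", 3, 5, False, True),
    Device("guest kiosk", 1, 1, False, False),
    Device("physician iPad (email)", 2, 2, True, True),
    Device("EHR tablet on rounds", 5, 4, True, True),
]

if __name__ == "__main__":
    for score, name in prioritize(INVENTORY):
        print(f"{score:>3}  {name}")
```

With these assumed weights, the physician's email iPad outranks the bedside monitor because it both holds and transmits data, which is the kind of result the every-device rule is meant to surface.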
Beyond that, it pays to partition the hospital wireless network. That way, patients or visitors on laptops, tablets and wireless-enabled MP3 players stay away from network areas where patient data is flowing.
Boost wireless network security by encrypting patient data …
Security risk assessment isn't just a one-time exercise. It's an ongoing process from which policies arise -- and must be enforced -- for HIPAA compliance to occur.
Encrypting protected health information can be a safe harbor for avoiding HIPAA violations when data is lost: Under the HITECH Act's update to HIPAA, if encrypted data is lost, the event does not constitute a data breach.
Consider encrypting all protected patient data. On the device level, encryption can be a thorny process, a reality that is leading some facilities to decide that virtual private networks, or VPNs, are the most cost-effective way to encrypt. Moreover, many hospitals use legacy systems and equipment that aren't designed to handle data encryption, so integrating data encryption into a wireless network can prove problematic.
Newer devices, however, such as patient monitors, offer HIPAA-friendly features that enable encryption of the data points that the law considers protected health data (a patient's name, for example), the IEC Joint Working Group 7's Cooper said. That makes it easy for the IT manager, who just needs to make sure encryption is turned on and functioning properly.
Cooper also recommended that CIOs keep an eye on the IEC 80001 standard, which, along with implementation guidance, came out in November 2010.
"The whole point of 80001 is to do risk management for these kinds of networks, including wireless networks, where you're trying to balance between three key properties -- patient safety, system effectiveness, and data and systems security. It's in the order of priority, so your priority is risk management to ensure patient safety, No. 1, but also data and systems security," Cooper said. "There's a real tension between those. The safest, most secure medical device is one on the shelf, [that is, not in use], but it's not very effective."
… And by drafting a social media policy
Personal email and social networking sites can be venues for HIPAA violations, said C. Peter Waegemann, vice president of mHealth Initiative Inc., a nonprofit industry group championing mobile health care applications. He offered several pointers for creating a social media policy to augment wireless network security and for ensuring that what one may think are mobile health innovations don't turn into privacy and security vulnerabilities:
- The No. 1 HIPAA privacy compliance issue with smartphones in a health care setting is their built-in cameras. To bolster compliance, limit or prohibit their use in your social media policy. Though public officials might ask to be photographed for public relations purposes, and though it may be tempting to snap photos of celebrity patients, many hospitals prohibit all photography inside their buildings.
- Encrypt all data sent to and from mobile devices.
- Many smartphone apps plug directly into feeds for social media sites, such as Twitter and Facebook. Though this makes communication quick and straightforward, facilities nonetheless should ban one-on-one communication about treatment between patients and staff members using social media.
"If you comply with those, if you understand what's going on there, [use of mobile health devices] is, in general, HIPAA compliant," Waegemann said.
Let us know what you think about the story; email Don Fluckinger, Features Writer.
This was first published in February 2011