CIOs find themselves under more pressure than ever to bolster hospital IT security, with needs ranging from consulting studies to encryption.
The HITECH Act has raised the penalties that health care providers face for data breaches involving protected health information (PHI). It also reinforces the HIPAA security and privacy provisions, which now apply not only to covered entities but also to business associates with access to PHI. The Department of Health and Human Services' Office for Civil Rights plans to conduct up to 150 audits in 2012 to check whether providers are meeting their HIPAA obligations.
The government's electronic health record (EHR) adoption program, also spelled out in the HITECH Act, adds to the security burden. Meaningful use stage 1 calls for hospitals to conduct security risk assessments, while meaningful use stage 2 goes a step further, requiring that such an assessment specifically address encryption of data at rest. (Actually deploying encryption is still not required.)
Those security demands present health care VARs, integrators and service providers with an opportunity-rich environment. Indeed, channel companies report considerable interest in hospital IT security and purchasing activity in several areas.
But they also acknowledge a financial challenge. Some hospitals struggle to come up with the funds for security projects, so not everything on the to-do list gets done. Beyond budgets, a tendency to underestimate security threats, particularly among smaller facilities, also impedes security investment.
"Hospitals that recognize the threat are taking steps," said Jim D'Itri, a partner with the Computer Sciences Corp. (CSC) Healthcare Advisory Services division. "Unfortunately, there are a lot out there that don't really recognize the problem until it shows up on their doorstep."
Hospital IT security risk assessments in high demand
One security step hospitals now pursue involves getting a grip on their security posture and vulnerabilities. Jeff Bell, director of client services for CareTech Solutions, a Troy, Mich.-based IT solutions provider focusing on hospitals, said the biggest request he gets from customers is to conduct an information security risk assessment.
"Meaningful use is driving them to understand what they need to be doing," Bell said.
Meaningful use requires hospitals to undergo an assessment to receive the program's incentive payments. Bell pointed out that HIPAA also calls for a security review. While a meaningful use evaluation revolves around EHR, HIPAA involves a more comprehensive assessment, he added.
His advice to hospitals? Cover both bases.
"Do the full scope and make sure you're compliant with not only what meaningful use requires, but what HIPAA is requiring," Bell said.
Data access control a high hospital IT security priority
A comprehensive security assessment consists of several components. Generally, a security team will review a hospital's security policies and procedures, test and evaluate all applications and infrastructure, evaluate data flows and user practices, create a prioritized list of security gaps and recommend a series of measures for bolstering security.
The hospital IT security assessment and its recommendations will typically uncover additional needs. One area of particular concern among hospitals: Access control and authentication.
Armando Orta, senior director of information security and disaster recovery at Anthelio Healthcare Solutions Inc., cited access control as a big concern for hospitals. One common problem is the nurse station with a computer that is logged in and stays that way all day long, so every action taken at it is attributed to whoever logged in first.
"You don’t have control over who is actually making changes and accessing patient information," Orta said, adding that he has encountered numerous cases of unguarded access in the course of conducting onsite vulnerability assessments.
"The most rudimentary security control -- authentication and authorization -- proves the most challenging even for mature organizations," noted Ed Liebig, CSC practice director, Cyber Security and Privacy Consulting. He identified identity and access management (IAM), along with user provisioning, as a high priority among hospitals.
In many organizations, myriad dissimilar systems share one infrastructure, such as a local area network or wide area network (LAN/WAN) backbone serving file share servers, and operate alongside specialized imaging or medical systems that may be deployed independently of that network infrastructure and therefore carry their own built-in IAM capabilities, separate from the hospital's central directory.
In such an environment, Liebig said, "the challenge of administering access and use grows exponentially."
Another key difficulty with access control is that time-pressed medical personnel don’t want to repeatedly log in and out when dealing with several applications. Single sign-on (SSO) systems address this consideration, letting staffers log in once to access a hospital’s IT resources.
Orta said Anthelio is working with two hospitals on implementing SSO tools. But other health care facilities struggle to find the investment dollars to deploy SSO technology.
"It's very expensive in a hospital environment," Orta said. "A lot of times, there’s not a lot of funding available. That is a nut we have been trying to crack for a while now."
To address the cost burden, hospitals can take a scalable and incremental approach to single sign-on. Orta said one option is to set the foundation based on a manual authentication process: entering a username and password. A more sophisticated method -- use of an RSA SecurID for token-based authentication, for example -- may be added later.
DLP, encryption technology helpful but costly
Channel executives also cited data loss prevention (DLP) technology as an important security category. DLP software helps organizations identify and track sensitive information.
Orta said DLP has generated a lot of buzz in the industry and interest among hospitals. He said Anthelio is currently evaluating DLP technology for its health care customers. "This is another one of those tools that is very helpful to have, but it also comes at a cost."
Hospitals, however, can typically implement DLP in a scalable fashion. For example, Orta said, customers can buy a main DLP console and perhaps one of several modules that perform different functions. A hospital could purchase an initial DLP component that identifies the location of patient information and other types of critical data. The next component may be one that performs access control checks. "You can then continue to buy other components as you can afford it," Orta explained.
Encryption technology also ranks among the more prevalent hospital IT security initiatives, resellers and integrators reported.
Todd O'Bert, president and CEO at Productive Corp., a software reseller with a security specialty, said hospitals are spending on encryption technology amid the threat of financial penalties for exposing PHI. He said facilities pursue encryption across devices, folders and removable media.
"Credit card companies are right at the top of the list with hospitals and patient data," O'Bert said of the demand for encryption. "And I think patient data is even more sensitive because of the emotional connection to that data."
Hospitals, O'Bert said, are encrypting laptop drives, removable media and specialized tablets and input devices. He said hospitals will next move on to encrypt mobile devices of the Android and iOS variety.
Liebig said encryption projects are often linked to regulatory drivers. One of the more recent examples comes from the proposed rules for meaningful use stage 2. As noted above, the language calls for hospital IT security risk assessments to include the encryption of data at rest.
Bell said this inclusion acknowledges that many breaches could have been prevented if devices had been encrypted. In another regulatory driver, Bell noted that the HITECH Act's breach notification rules provide an exception for organizations that properly encrypt media.
"They want to take advantage of the safe harbor," Bell said of providers.
Vendor management programs vital to hospital IT security
Hospitals also seek security help when it comes to consolidating security logs and bolstering the security of custom software applications, VARs and integrators report. While those efforts focus on internal security issues, at least one security thrust looks beyond a hospital’s immediate environment. Hospitals are looking to improve their monitoring of HIPAA business associates, which have lately emerged as a troubling source of security breaches.
Orta recommended that hospitals establish a vendor management program to keep tabs on business associates. Such a program will look into whether the appropriate documentation -- non-disclosure and non-compete agreements, for instance -- is in place.
In addition, hospitals should take care to review vendor access to their networks. During audits, Orta has found eight-year-old vendor access accounts that had never been used. He recommends setting up policies that establish time limits for vendor accounts. An account that expires in 180 days forces the vendor to ask for renewal, which tells the hospital whether that vendor really still needs network access.
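The review Orta describes can be run as a routine check rather than discovered during an audit. The following Python script is an added example written for this page; it is not code from Anthelio or from any hospital mentioned here. It walks a constructed export of vendor accounts (the names, dates and the 180-day lifetime and 90-day idle thresholds are assumptions for the example; a real run would load the same fields from a directory export) and flags accounts that were never used, have gone idle, carry no expiration date, or are past their expiration but still enabled. It also computes the expiration date a fixed-lifetime policy would assign.

```python
"""Audit vendor accounts for staleness and missing expiration (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy values for the example: a vendor account lives at most
# 180 days before it must be renewed, and 90 days without a logon is "idle".
MAX_LIFETIME_DAYS = 180
MAX_IDLE_DAYS = 90
GRACE_DAYS = 30  # how long an already-overdue account gets before its new expiry


@dataclass
class VendorAccount:
    name: str
    vendor: str
    created: date
    last_logon: Optional[date]  # None means the account has never logged in
    expires: Optional[date]     # None means no expiration date is set
    enabled: bool = True


@dataclass
class Finding:
    account: str
    issue: str   # never_used | idle | no_expiry | expired_but_enabled
    detail: str


def audit_vendor_accounts(accounts: List[VendorAccount], as_of: date,
                          max_idle_days: int = MAX_IDLE_DAYS) -> List[Finding]:
    """Return one Finding per problem found on each enabled vendor account."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of the access path
        age_days = (as_of - acct.created).days
        if acct.last_logon is None:
            if age_days > max_idle_days:
                findings.append(Finding(acct.name, "never_used",
                                        f"created {age_days} days ago, never logged in"))
        else:
            idle_days = (as_of - acct.last_logon).days
            if idle_days > max_idle_days:
                findings.append(Finding(acct.name, "idle",
                                        f"last logon {idle_days} days ago"))
        if acct.expires is None:
            findings.append(Finding(acct.name, "no_expiry",
                                    "no expiration date set; vendor access never re-justified"))
        elif acct.expires < as_of:
            findings.append(Finding(acct.name, "expired_but_enabled",
                                    f"expired {acct.expires.isoformat()} but still enabled"))
    return findings


def proposed_expiry(acct: VendorAccount, as_of: date,
                    max_lifetime_days: int = MAX_LIFETIME_DAYS,
                    grace_days: int = GRACE_DAYS) -> date:
    """Expiration date a fixed-lifetime policy would assign.

    Normally created + lifetime. If that date is already in the past, the
    account gets a short grace period from today so the vendor can request renewal.
    """
    policy_date = acct.created + timedelta(days=max_lifetime_days)
    return policy_date if policy_date > as_of else as_of + timedelta(days=grace_days)


# Constructed sample export for the example; not real accounts.
AS_OF = date(2012, 6, 1)
SAMPLE_ACCOUNTS = [
    # the classic finding: an eight-year-old account that was never used
    VendorAccount("svc-imaging-vendor", "ImagingCo", date(2004, 3, 15), None, None),
    # healthy: recently used, expiry in the future
    VendorAccount("svc-lab-interface", "LabCo", date(2012, 1, 10),
                  date(2012, 5, 28), date(2012, 7, 9)),
    # idle for months and no expiration date
    VendorAccount("svc-billing-support", "BillCo", date(2011, 11, 1),
                  date(2011, 12, 5), None),
    # in active use but already past its expiration date
    VendorAccount("svc-old-ehr", "EhrCo", date(2011, 1, 1),
                  date(2012, 5, 30), date(2012, 3, 1)),
    # disabled accounts are skipped
    VendorAccount("svc-retired", "OldCo", date(2005, 1, 1), None, None, enabled=False),
]


if __name__ == "__main__":
    for f in audit_vendor_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.account:22} {f.issue:22} {f.detail}")
    for acct in SAMPLE_ACCOUNTS:
        if acct.enabled and acct.expires is None:
            print(f"{acct.name}: set expiry to {proposed_expiry(acct, AS_OF)}")
```

Running the script against the constructed export lists the never-used imaging account, the idle billing account (both also lacking an expiration date) and the EHR account that is past its expiration but still enabled; the healthy lab interface account produces nothing. The same logic applies to any directory that exports creation, last-logon, expiration and enabled flags.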
At the end of the day, keep the bottom line in mind
While hospital IT security needs vary, channel companies responding to that demand must keep budgets in mind.
"Every hospital is under financial pressure," Bell said. "You really have to make the point...that the risks that they face and the potential cost of those risks are greater than the expense that they have to make to reduce those risks."
Hospitals will typically include some security items within their IT budgets. O'Bert said endpoint security has been in the budget for a long time, starting with antivirus software. Budgets may cover much of the base infrastructure security, but projects such as encryption raise more funding questions, he noted.
"Is it going to be additional money from the endpoint budget, is it new-found money, or is it tied to an initiative like HIPAA compliance?" O'Bert asked.
A shortage of human resources may also hinder hospitals.
D'Itri said small, rural facilities generally have limited personnel who fully understand hospital IT security issues and threats. Those organizations tend to "underestimate the risk until an intrusion occurs, are generally unsure of what is needed to safeguard systems and information, or have some awareness but decide that the risk does not justify the cost of a solution."
Hospitals, regardless of size, have ample need for IT security help. The task for VARs and integrators is not only to understand hospital vulnerabilities but to convince customers that risk mitigation is worth the price.
John Moore is a Syracuse, N.Y.-based freelance writer covering health IT, managed services and cloud computing. Let us know what you think about the story; email firstname.lastname@example.org or contact @SearchHealthIT on Twitter.