University of Utah Health Care learned about the cost of inadequate health care data security the hard way. When an unencrypted backup tape was stolen from the car of a data storage contractor in June 2008, more than 2 million patient records were compromised and Utah Health Care had to spend millions of dollars to investigate the breach and notify the people affected.
The Salt Lake City research and teaching hospital system won't make that mistake again. "Anything that leaves the building is encrypted," said John Fagg, the system's manager of storage services.
Utah Health Care is not alone. Hospitals everywhere are securing the perimeter. Encryption is their main tool, but it's not the only one: The use of thin clients to keep sensitive data off workers' desktops is catching on.
The push for better health care data security has been spurred by the general public -- health care consumers in particular. Beginning with the Health Insurance Portability and Accountability Act's (HIPAA) privacy rules that took effect in 2003, and continuing through the Health Information Technology for Economic and Clinical Health (HITECH) Act in the 2009 economic stimulus package, tolerance for the inadequate defense and careless handling of data has never been lower.
Encryption is a key to compliance with the HITECH Act, which mandates that patients be notified if the security of their records is compromised -- but not if the lost or stolen data is encrypted. At Utah Health Care, data is encrypted on a NetApp Inc. DataFort (formerly Decru) appliance as it is being written to tape before being transported off-site.
At Memorial Health System Inc. in South Bend, Ind., HIPAA-compliant encrypted backup tapes are taken from the institution's primary data center to its own vaulting facility by its own employees. When it comes to destroying data, Memorial Health similarly leaves nothing to chance -- the organization destroys PC hard drives in its own crusher.
Endpoint security system can reduce end-user vulnerabilities
Backup tapes are not the only point of vulnerability. Community Health Partnership Inc. in Eau Claire, Wis., is implementing tight end-user security and permissions through Microsoft's Windows 7 on its new laptops.
"[S]ome end users might think it's punishment, [but we're] doing what's right," said Keith Grey, Community Health's IT technical services manager and security officer.
Community Health also relies on the ZixMail service from Zix Corp. to encrypt email messages. "It's hard to know how judges will interpret the law, so we have to go with best practices from industry leaders. The message is to encrypt everything," Grey said.
Moreover, because the organization's laptop users will be on wireless networks, Community Health is securing those networks with a wireless endpoint security system from Aruba Networks Inc.
With all those efforts to deliver a secure mobile computing experience, Grey must also be concerned about laptops that leave the premises. "Our biggest concern is when an end user takes a device out of our network," he said. To that end, he's implementing Windows 7's BitLocker technology, which encrypts laptop hard drives.
"It's hard for us. We have to have a healthy balance -- to be as secure as possible but still able to do business," Grey said.
Thin client technology is in
By issuing laptops and securing them, Community Health is taking on a health care data security challenge that other hospitals are avoiding altogether: Those institutions are deploying thin client devices on which sensitive data is never stored.
At Utah Health Care, for example, desktop users store data on server-based disk arrays, not on their desktops.
Meanwhile, having used Citrix Systems Inc. thin client technology for several years, the Metro Health system in Wyoming, Mich., developed its own thin client technology it calls remote desktop product (RDP). "It's a unique back-end access technology," said Aivars Apsite, technology manager at Metro Health. "No data is stored locally. You log into a thin client and then connect to a session. It's a unique approach to HIPAA and security."
Laptops with encrypted hard drives are being used by some personnel, even though no data is being stored locally. Other users are given Wyse Technology Inc. thin clients, which don't have hard drives. Users of either kind of laptop can access the system via a browser interface and two-factor authentication.
Hospitals also are implementing encryption on virtual private networks (VPN). St. Luke's Cataract & Laser Institute in Tarpon Springs, Fla., implements 128-bit encryption on its VPN so that email users have an encrypted link to the organization's email servers, according to Angelo Infanti, who oversees IT at St. Luke's.
In addition, St. Luke's uses Citrix thin client technology on many PCs. As a result, Infanti does not encrypt PC hard drives, although he is considering biometric security, such as fingerprint scanning, for the client systems.
Good behavior key to health care data security
Endpoint security is as much a matter of behavior as technology, according to Robert Klingseis, director of information services at Community Hospital of Long Beach in California.
"It's a case of continually educating staff in appropriate procedures, to be continually reinforcing," Klingseis said. "If you walk away from a terminal, you're not leaving patient data on the terminal; if you're working on something, you're not showing others things they don't need to see."
Community Hospital is replacing distributed PCs known as workstations on wheels with thin clients that use Windows 7 and VMware Inc.'s View 4 desktop virtualization technology. When doctors and clinicians access a thin client, they use their identification badge and a security code to log on. If they walk away from the terminal, it logs them off. They can then log on from a different thin client elsewhere. Laptops will not be allowed to access patient data, according to Klingseis.
The new emphasis on health care data security takes some getting used to, given the open and collegial atmosphere that has traditionally prevailed at many hospitals. The stiff new requirements led Metro Health to hire a full-time security and privacy officer and to conduct comprehensive penetration testing in order to comply with the HITECH Act.
"Some vendors have a hard time understanding that open server shares must be locked down because of HIPAA requirements and the HITECH Act," Apsite said, adding, "One thing that's unique to health care is how trusting we have been in the past."
Stan Gibson is a contributing writer based in Boston.