Ensuring patient privacy in a networked world

Networks providing electronic access to medical records allow for greater collaboration among the various players involved in patient care, including hospitals, general practitioners, insurance carriers and suppliers. While patients have much to gain through such efforts, ensuring patient privacy is also critical.

Graham Titterington, principal analyst at Ovum, told ZDNet Asia in an e-mail interview that information could leak in various ways.

"An incident may be caused by a network security failure in the institution, or by someone impersonating a legitimate user through the theft of that user's ID and password, or by someone accessing a terminal that is logged in and left unattended, or by data being exposed by employee misconduct, either deliberate or accidental."

Titterington said the immediate risk to the institution from losing patient data is damage to its reputation, and it will face potential prosecution by the victims.

"If the data relates to the institution rather than to a patient, there are the same risks as any other business faces through sensitive data loss," he said.

Jason Pearce, Asia-Pacific director of sales engineering at EMC's subsidiary RSA, said consequences of healthcare data breaches can be significant.

"Sensitive information can be used by employers, health insurers and other entities to discriminate," Pearce said in an e-mail interview. "Additionally, thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims."

Titterington noted that even before considering specific measures such as firewalls and anti-malware precautions, ensuring good general security system is a must.

"[Having] strong user authentication and access control is essential, but remember that a long password doesn't equate to good security as it is difficult to use and users revert to bad practice to make their life easier, such as writing it down in a prominent place," he said.

Titterington added that access control has to be easy to use, too.

"Access control that shuts a terminal when the user leaves, but allows rapid login when that person returns to the terminal or moves to another terminal, is ideal," he said. "This can be achieved by [deploying] a smart card or a proximity token, preferably also serving as a building access token and a coffee machine token so the user will want to carry it all the time."

Biometrics is also useful, but current biometric technology is not fully proven, Titterington said.

Instilling good procedure
Pearce suggested some best practices the healthcare value chain could take to prevent data loss.

"Not all data is of equal importance from a security perspective. The first step is to determine which data is most sensitive--or at highest risk," he advised.

The organization must understand its business structure, examine its various departments and lines of business, and identify both regulatory and non-regulatory security drivers for each department," he said. "It should then prioritize its data by grouping information into various 'classes'--from the most restricted and sensitive, to the least sensitive.

Next, policies--rules for appropriate handling of data--must be set, including which employees and applications are authorized to access the data, and how, when and from where.

Pearce also advised these organizations to know where their sensitive data resides.

"Through the data discovery process, a company can create a map of its critical and sensitive data, which serves as a foundation for its security policy and control strategy," he explained. "But in order to be effective, data discovery must be embraced as a continuous process and not just a one-time event, as neither the organization's data nor the use of it is static."

As risks can be found both inside and outside these institutions, the organizations should also understand the origin and nature of their risks, said Pearce.

"Lapses in business processes and innocent mistakes on the part of users, are actually more common than a malicious attack from outside an institution," he said.

"Creating a risk model that takes into account all the potential ways data might be compromised or stolen, provides the context to implement an appropriate control strategy."

According to Pearce, centralizing the administration of security policies ensures that security rules are enforced consistently at control points and makes proactive monitoring of user actions--that could result in a security violation--easier to automate.

"In addition, centralization helps ensure that users consistently follow appropriate usage rules for sensitive data to avoid unintentional leakage," he said.

Proper audit trail
Ovum's Titterington said: "Unfortunately, accidents will happen and some employees are not as conscientious as they should be. So, all accesses to sensitive data should be logged and audited so that misuse can be detected and investigated."

Pearce stressed that security audits must constantly be improved upon.

"Business is not static--neither are the security mechanisms that protect it," he said. "You need real-time tracking and correlation of security events in order to respond quickly to change."

He said SIEM (security information and event management) systems enable a player in the healthcare chain to analyze and report on security logs and real-time events across the organization.

"To enable proper auditing of your data security infrastructure, you need an SIEM system that automatically collects, manages and analyzes the event logs produced by each of the security systems, networking devices, operating systems, applications and storage platforms deployed throughout your enterprise," he explained. "These logs monitor your systems and keep a record of security events, information access and user activities both in real-time and for forensic analysis."

This way, the organizations can quickly respond to incidents as they occur and remediate potential losses, Pearce said. "Such proactive log management provides the foundation for a comprehensive auditing strategy."