Healthcare facilities and hospitals are faced with unusual challenges when it comes to security, with their staffing and sheer volume of traffic rivaling any campus environment.
Whether the need is to restrict access to authorized personnel-only areas or to protect private patient information in electronic and paper formats, a multi-faceted approach to security in the healthcare industry is becoming ever more critical in meeting the evolving regulatory requirements around patient privacy.
Effective security requires a forward-looking approach to addressing both current and future physical and logical access requirements, along with a firm understanding of the changes in privacy standards and compliance regulations that are impacting today's healthcare institutions and their business partners.
New Privacy Standards Give HIPAA Muscle
One of the most important sets of changes in privacy standards was brought about by the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, which was signed into law as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The HITECH Act, enforcement of which began in February, adds notification requirements for healthcare-related information security breaches; implements new data security standards for electronic health records; and expands security and privacy provisions beyond the Health Insurance Portability and Accountability Act (HIPAA).
While HIPAA addresses health information security and privacy issues, the HITECH Act extends the HIPAA security and privacy rules to non-HIPAA covered entities, holding them to the same privacy and security standards as covered entities. For example, under HITECH, healthcare providers, pharmacies, and other business associates of a covered entity (as defined in HIPAA) will now be subject to the privacy and security provisions in HIPAA. This extends beyond the healthcare provider to include even the vendors of personal health records, according to the U.S. Department of Health and Human Services.
HITECH thus includes provisions that are designed to protect patient health information by calling for healthcare organizations, their business associates and service providers to fully disclose breaches, including a description of the incident, when it occurred, what was discovered, what types of information were involved, and a description of what was done to investigate and prevent future incidents.
Needless to say, the HITECH Act finally adds the muscle that HIPAA lacked. It will likely force healthcare providers, vendors and caregivers to implement stronger access security to truly protect patient data and avoid multi-million dollar fines similar to those levied against many large corporations for noncompliance.
Physical, Logical Disconnect Hinders Compliance
For years, healthcare institutions have used a variety of methods to secure access to facilities and data stored on network computers. For many organizations, building access and IT security technology have traditionally been purchased and managed by different departments with different security policies, goals and objectives. As a result, healthcare staff have been forced to carry multiple access cards and remember multiple personal identification numbers (PINs) or multiple passwords to access various networks, applications and areas of a facility.
These practices have resulted in fragmented security systems that are cumbersome for employees, not to mention difficult and costly for the organization to maintain.
This typical environment poses a significant risk to healthcare organizations trying to meet the security standards of HIPAA and HITECH, elevating the need for security administrators to evaluate how their physical access control and data security technology will impact an institution's ability to achieve regulatory compliance. Healthcare security administrators are thus looking to implement a higher level of security that can leverage their existing investment and ensure a high level of adoption by hospital staff and employees within other regulated organizations.
Smart Cards Bridge Gap, Provide More Security
Portable and secure, smart cards are becoming an increasingly popular tool for safeguarding physical security and ensuring the privacy of sensitive electronic information in hospitals and other companies seeking heightened security. Contact or contactless smart card technologies provide an opportunity for security administrators to implement one badge that serves as a workplace ID, physical security access card and strong authentication token for network access.
For example, a single smart card could ensure secure doctor, nurse or staff access to the emergency room and networked computers, visual identification verification and even enable contactless purchases in the hospital cafeteria.
There are several different types of smart card technologies, each offering its own level of security and complexity. The easiest way for a healthcare organization to adopt this technology is for it to use the current physical access card that most employees already carry to enter a building or a secured area.
For two-factor authentication, a proximity card can be used in conjunction with desktop computer software and a card reader for employee log-in to Windows. The employee is logged in to Windows after presenting the card to the desktop computer reader and entering a PIN. This process replaces the traditional Windows username and password process and provides a convenient and secure log-in.
For a higher level of security and additional capabilities, a contactless smart card can be used in place of a proximity card. Contactless smart cards utilize a more robust chip technology that transmits data through a secure encrypted tunnel.
In addition to providing two-factor authentication, the increased security and greater memory capacity of contactless smart cards enables them to be used for secure print release, cashless vending or other applications. The secure print release functionality is especially applicable in a healthcare environment since a contactless card must be presented at the printer in order for a job to begin printing. With HIPAA driving additional scrutiny relating to patient privacy and secure processes, this solution ensures sensitive information is delivered to authorized personnel only.
Organizations with the most stringent security requirements often consider contact smart card technology. With contact smart cards, digital certificates are loaded onto the contact module and the data is authenticated using Public Key Infrastructure (PKI). In addition to serving as an identity card, a contact smart card can be used to authenticate a user to a VPN or WLAN, to digitally sign a document, or to encrypt a hard drive, folder, file or e-mail.
Although contact smart cards are more costly than contactless smart cards, highly regulated industries such as oil and gas and the federal government have adopted PKI and contact smart card technologies to meet the rigorous demands of numerous regulatory standards.
Key Cards Ease Access of Authorized Individuals
In today's increasingly risk-conscious organizations, smart card technology in its various forms is fast becoming a basic, non-negotiable part of the IT security infrastructure. Properly implemented, this technology can fortify both data security and physical access control, while making it far easier for healthcare professionals to access the information they need.
The availability of smart card technology is making it possible for hospital campuses and facilities to leverage their existing physical access control infrastructure, while adding new data security functionality at a reasonable cost. The convenience of using a single card for physical and data security has many organizations re-examining the value of merging currently independent systems to achieve solutions that are robust, easily managed and that optimize the organization's existing infrastructure.
When balancing the benefits of access management solutions against the costs of reputational damage, security breaches and non-compliance, utilizing smart card technology can offer exceptional value by maximizing security investments while facilitating compliance to current and future healthcare industry-related regulations.
Greg Sarrail is director of business development at HID Global, and Sheila K. Stromberg is director of end user strategies at HID Global. For more information on the company, visit www.hidglobal.com.
Data Breaches Declined 32% in 2009
In 2009, there were 498 breaches, fewer than the 657 reported in 2008 but more than the 446 in 2007, according to the 2009 Identity Theft Resource Center Breach Report. Despite the apparent overall reduction in incidents last year, the study states that it is difficult to determine whether the number of breaches is increasing or decreasing.
The report's main highlights include:
- Paper breaches accounted for nearly 26 percent of known breaches (an increase of 46 percent compared to 2008).
- Malicious attacks surpassed human error for the first time in three years.
- Out of 498 breaches, only six reported that there were either encryption or other strong security features protecting the exposed data.
U.S. universities experienced 58 breaches in 2009, with the University of California, Berkeley reporting the greatest number of records compromised: 160,000. Thirty-three hospitals had breaches, the largest of which involved Jackson Memorial Hospital, where approximately 200,000 records were compromised. K-12 schools experienced 20 breaches last year.
The report notes, however, that in more than 52 percent of the breaches publicly reported, no statement of the number of records exposed was given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.
2010 Hospital Data Breaches
As of April 13, the following hospitals have reported they have experienced computer network breaches this year:
- Boulder Community Hospital (Colo.)
- Children's Medical Center of Dallas (Texas)
- City of Hope National Medical Center (Calif.)
- Griffin Hospital (Conn.)
- Holy Cross Hospital (Fla.)
- John Muir Health (Calif.)
- Lucile Packard Children's Hospital (Calif.)
- Methodist Hospital, Texas Medical Center (Texas)
- Millbrook Medical Center (Md.)
- Montefiore Medical Center (N.Y.)
- North Carolina Baptist Hospital (N.C.)
- North Ridge Medical Center (Fla.)
- Providence Hospital (Mich.)
- St. Francis Hospital (Okla.)
- University of California, San Francisco (Calif.)
- University of Texas Medical Branch, Galveston (Texas)
- University of Texas Southwestern Medical Center (Texas)
- University of Washington Medical Center (Wash.)
- Wake Forest University Baptist Medical Center (N.C.)
Source: Identity Theft Resource Center