John C. Lincoln Health Network has firsthand experience with the security threat posed by removable media, like mass storage devices. In 2003, says Rob Israel, chief information officer, the two-hospital system in Phoenix "got slammed with the Slammer Worm virus." The virus was brought into the health system's computer network from a school paper on a floppy disk.
While John C. Lincoln recovered from the incident, it drew attention to the security risks of portable devices. When a laptop goes missing, that is fairly easy to detect, and a hospital generally knows what files were stored on it; but staff may not even be aware that a person is using a flash drive for personal use, says Israel. "There is no visibility to it."
In light of the new stricter HIPAA regulations, which require healthcare providers to track disclosures; report security breaches that affect 500 or more patients to all of their patients, a local media outlet, and the Department of Health and Human Services Secretary; and pay fines as high as $1.5 million, it's imperative that healthcare organizations find solutions to secure patient information in this new age of portable and wireless devices. "The new regulations on breach reporting—which became effective in September 2009—only increase the risks, as has the increased enforcement under ARRA," says Elizabeth Warren, a healthcare attorney with Nashville-based law firm Bass, Berry & Sims PLC.
Even though HHS will delay enforcement of breach reporting for 180 days, organizations are still required to track and report breaches, and they could still face enforcement actions under state law, says Warren.
Organizations should complete an inventory of the types of removable media being used, determine what information is stored on these devices, destroy any information they no longer need, and encrypt the devices where feasible, Warren says.
The challenge for staff is keeping up with the myriad of policies, says Israel. That's why John C. Lincoln automated its policies. It implemented a device management solution from Lumension, a Scottsdale, AZ-based security software vendor. Employees must now fill out a form if they want to plug devices into the health system's network, and if they don't have proper authorization, the devices will be blocked. For example, a physician who frequently reviews radiology images may have permission to download information or images to a thumb drive, Israel explains, whereas another physician may only have keyboard access. Israel can grant access rights to a specific computer or defined user group and set different permission levels like "read-only" or "scheduled" access.
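The access model Israel describes, authorization by user group or specific computer with "read-only" or "scheduled" levels and everything else blocked, can be expressed as a small default-deny policy evaluator. The following is an added illustration, not Lumension's product or John C. Lincoln's configuration; the rule format, group names, host names and timestamps are constructed assumptions.

```python
"""Removable-media access-policy evaluator (added illustration; not Lumension's
product or John C. Lincoln's configuration; group and host names are assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

BLOCK, READ_ONLY, READ_WRITE = "block", "read-only", "read-write"

@dataclass
class Rule:
    """One approved authorization request; "*" means any group or computer."""
    groups: set
    device_class: str            # e.g. "mass_storage" or "keyboard"
    level: str                   # READ_ONLY or READ_WRITE
    computers: set = field(default_factory=lambda: {"*"})
    window: Optional[tuple] = None   # (start, end) times for "scheduled" access

    def matches(self, user_groups, device_class, computer, when):
        if device_class != self.device_class:
            return False
        if "*" not in self.groups and not (self.groups & user_groups):
            return False
        if "*" not in self.computers and computer not in self.computers:
            return False
        if self.window and not (self.window[0] <= when.time() <= self.window[1]):
            return False
        return True

def evaluate(rules, user_groups, device_class, computer, when):
    """Default deny: a device no approved rule covers is blocked; the most
    permissive matching level wins."""
    levels = [r.level for r in rules
              if r.matches(user_groups, device_class, computer, when)]
    if not levels:
        return BLOCK
    return READ_WRITE if READ_WRITE in levels else READ_ONLY

# Constructed policy mirroring the article: radiology physicians may write to a
# thumb drive; clinical staff are read-only on one workstation during day shift.
POLICY = [
    Rule({"*"}, "keyboard", READ_ONLY),
    Rule({"radiology-physicians"}, "mass_storage", READ_WRITE),
    Rule({"clinical-staff"}, "mass_storage", READ_ONLY,
         computers={"ED-WS-07"}, window=(time(7, 0), time(19, 0))),
]

if __name__ == "__main__":
    when = datetime(2009, 10, 1, 9, 30)   # constructed timestamp
    for groups, host in [({"radiology-physicians"}, "RAD-WS-01"),
                         ({"clinical-staff"}, "ED-WS-09"), (set(), "LOBBY-PC")]:
        print(host, evaluate(POLICY, groups, "mass_storage", host, when))
```

Logging each decision alongside the user, host and device class gives the visibility Israel says is otherwise missing for personal flash drives.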
One of the key challenges of implementing the system was effectively communicating to staff members and physicians that it was not meant to interrupt work flow, but to ensure that sensitive information was properly secured, Israel says.
"You can't communicate enough," says Israel, adding that "because of the communication policy, the image of IT has improved."
And now that his IT staffers are no longer bogged down removing malware from the system's 2,000-plus machines, they have more time to focus on projects near and dear to clinicians' hearts, like making the remote desktop view more user friendly, Israel says.