Your Healthcare Security Rx

Written by Andrew Jaquith. Posted in Blog Post

A recent Wall Street Journal article highlighted the controversial debate around whether or not physicians should use email to communicate with their patients. The article has, no doubt, prompted discussions across the healthcare industry. In the piece, Dr. Joseph Kvedar, founder and director of the Center for Connected Health in Boston, describes how email can be a valuable tool for building rapport between doctors and their patients, while enabling clearer, more frequent communication. Kvedar admits that email presents a security challenge, but notes privacy can be adequately protected by encryption tools and secure messaging applications. Privacy concerns should not stand in the way of establishing greater trust with your patients. (We agree: our SaaS Email Encryption product works very nicely for exactly this purpose.)

Dr. Sam Bierstock, founder and president of health-care IT consulting group Champions in Healthcare, takes the opposite view. He argues that not only does “email communication eliminate the ability to interpret important signals,” but it introduces potential security and liability risks that are too high.

So who is right?

The truth is that healthcare industry regulations (HIPAA/HITECH) and resulting security challenges are constantly evolving. These present complex challenges for hospitals, insurers, life sciences firms and suppliers alike. Unfortunately, I know of no magic prescription (so to speak) that cures all security ailments related to email and infrastructure in clinical settings. Nor are there tried-and-true therapies that eliminate the security risks associated with new assistive technologies that are transforming hospitals and doctors’ offices, such as wireless tablets, web-based applications and e-prescribing systems.

That said, our work with healthcare clients suggests the prognosis isn’t all that bleak. We’ve identified five best practices for increasing the security of Covered Entities’ clinical infrastructure and that of their Business Associates.

  1. Top-down oversight. Senior management teams must set the tone for an informed, enterprise-wide perspective on security and risk oversight. This drives attitudes throughout the entire organization. Patients always come first. But security and privacy need to run a very close second.
  2. Rigorous risk assessment and audit. Though it can be painful, healthcare organizations need to take a hard look at where they stand when it comes to their security practices. They should ask tough questions, and then audit their processes formally and in a rigorous fashion.
  3. Tiered vendor risk management. Healthcare organizations today rely on numerous partners and vendors. Each has access to different levels of information about patients and medical practices. In order to fully understand the organization’s risk posture, you must look at every single third-party vendor you do business with and identify what sensitive data is transmitted, stored and processed outside of your organization’s walls. Many of these companies will be considered Business Associates from a legal standpoint. Make sure you have formal Business Associate Agreements (BAAs) with them. (Note: Perimeter offers BAAs to its healthcare customers.)
  4. Design for defaults. Balancing security and productivity is especially important in clinical settings. In hospitals, access to critical systems without onerous security constraints can literally be a life-and-death matter. Strive to shape the working environment so that effective security policies are built into daily workflows. Using Citrix to create “glove box” type environments that don’t litter endpoint PCs with patient information is one example; hardware-based encryption for mobile devices is another. The key is that employees should be able to enjoy security as a side effect as they do their work, without needing much additional thought or effort.
  5. Implement the right tools to secure electronic protected health information (ePHI). Email encryption is a no-brainer. So, too are products that help secure mobile devices and applications. Security monitoring services that help prevent and detect potential security breaches are especially important.

By following these five practices, healthcare organizations maintain high levels of security without impeding productivity. They also result in enhanced privacy for patients by safeguarding ePHI.

If you’re interested in learning more about the latest healthcare security regulations and their impact on hospitals and their business associates, check out our on-demand webinar, Your Prescription for Meeting Health Care’s New Security Challenges.



Andrew Jaquith

Andrew Jaquith is the Chief Technology Officer of Perimeter E-Security. Before Perimeter, he was a senior analyst with Forrester Research and Yankee Group.
