- Healthcare data security cannot be overlooked when a provider or covered entity decides that it is time to move to a new facility.
This is especially true as connected devices and systems are becoming the norm, and everything from an organization’s air conditioning system to its security system could be connected to the internet.
One overlooked endpoint could potentially lead to a data security incident, and even end up compromising patient PHI.
That is why Dallas-based Key-Whitman Eye Center wanted to ensure that it had all of its bases covered when it moved to a new medical facility.
The eye center had previously been working with MedNetwoRx for its healthcare IT services, according to Key-Whitman CFO Amber Grubb, and was confident that all information would be transferred securely.
“We gave MedNetwoRx the directive to make it as electronically secure and private as we could for all our information,” she told HealthITSecurity.com. “We felt real comfortable with how we do the connection with MedNetwoRx already there, and we needed to make sure in this move that we had that same security occurring for our connections.”
MedNetwoRx also ensured that the security system was properly set up at the new building, she added. Along with security cameras and properly secured doors, she said that how individuals could have building access was essential. Employees, vendors, and even patients would all have different needs when it came to access, and it was important to have the right architectural planning in place.
There are many important bits and pieces involved in a transition process of this kind, according to MedNetwoRx CEO Mark Johnson. Security is obviously a part of that, as it plays a role in everything that’s done with patient information, whether it’s on paper or in electronic form.
“There’s a convergence of all the stuff that was formerly sort of stand-alone that’s now married to technology,” Johnson explained. “It’s accessible technology in some way shape or form. From a security perspective, it’s a big deal in making sure that that’s taken into consideration.”
Considerations when moving to a new facility
While privacy and security are important areas for healthcare organizations when moving to a new location, Johnson stated that there are numerous areas that must be carefully monitored in the process.
“[Key-Whitman] got us involved pretty early, and we made a bunch of changes as it relates to the actual floor plan of the building going up to make sure that there were places to have all these devices and connectivity,” he said. “We made changes in terms of what rooms the switches and other devices were going to be in, and making sure that as we went from the first floor to the second floor, that was contemplated to tie the two floors together from an infrastructure perspective.”
MedNetwoRx Director of Strategic Initiatives Brett Chambers added that a lot of the planning and additional assistance started with preparing for the physical move from a logistical perspective. Essentially, what to do and what not to do.
“We were deciding on some standards in terms of who’s going to move what, and who is accountable for what components of their infrastructure as things are physically transitioning from A to B,” Chambers said. “It’s a holistic accountability approach.”
Physical safeguard considerations were important, he explained, as well as network security considerations.
“There are a couple of things you don’t do, and one is that you don’t implement security partially,” Chambers maintained. “It’s an ‘all in’ or you don’t need to do it type thing.”
Anything from protected glass to security surveillance cameras might be considered, as well as limited building access and monitoring who is allowed inside the building.
Johnson agreed, and said that the physical move of workstations and other objects in an organization are not always considered in this situation.
“[Work stations] may or may not have patient information on them, and it’s important to make sure that they’re accounted for,” he explained. “I’m not sure everybody understands that’s maybe the weak link in some move situations.”
Keeping data security a top priority
In terms of information security, Johnson explained that there are various levels to ensure that sensitive data stays out of unauthorized individuals’ hands.
The connectivity is through VPN tunnels, and there is a guest wireless versus the wireless associated with the practice communication, he said. Key-Whitman is using enterprise-based wireless components and anything having to do with patient information is encrypted as it moves through the system.
The segregation inside of the enterprise class wireless network component is key, Chambers added, and it helps maintain availability of each class of network. This also ensures that individuals who are not part of the organization cannot interfere with those who are part Key-Whitman and need to do work.
“We have even a third layer of segregation in there that controls static devices that don’t leave the clinic,” Chambers said. “Each rides on kind of a separate network, or separate logical network, that helps us maintain wireless availability and things like that.”
There are a lot of components and careful planning and consideration that go into ensuring that integrity is maintained during logistical moves, he added.
“There is accountability in the planning of integration of network components. Any upgrades we had to do were carefully thought out and planned well ahead of time to ease the burden of the transition.”
Grubb reiterated the importance of finding a trusted third-party to ease in the transition. Conducting a “virtual walk through” is also something that healthcare providers need to consider, to ensure that nothing is overlooked in the moving process.
On the IT side, this is a step that could be essential to a project manager, she added, and was a job that MedNetwoRx handled very well.
While the transition was not flawless, she maintained that the thorough two-way communication was key, and that MedNetwoRx created a comprehensive architectural plan that kept information secure.