As technology has continued to evolve, healthcare data security has also needed to change in order to keep pace and keep sensitive information secured.
That is why Illinois-based Riverside Healthcare has adopted security in layers, ensuring that the right solutions are chosen for the applicable technology.
Riverside Chief Security Officer Erik Devine told HealthITSecurity.com that this is especially useful in mobile device security. For example, Riverside has three different vendors to assist with mobile device management (MDM) solutions.
Depending on whether a mobile device is corporate-owned, personally owned, or shared, the appropriate MDM option can be applied, according to Devine. Each vendor's product has different strengths and strategies based on its software.
“It's been interesting because we have a lot of physicians that are in and out, who are either employed or we have the non-employed physicians who come in for a short period of time. They all want their mobility,” Devine explained. “We try to use segregation on the networks to get them what they need through either advanced firewalls, through Fortinet, or we try to put some endpoints on there through AirWatch VMware if we're allowed to.”
Devine added that individuals must sign an agreement stating that they will be held liable and that Riverside has access to the enterprise side of their devices. Personal software is not touched, he explained.
One of the top challenges with mobile device security is knowing exactly where your sensitive data is at all times.
“I think you have to really look at the data that you have and really classify the data, not from a risk rating, but ask what type of data is it? How is that data being used? Who's using it? It's a combination of that type of data that may present a different security challenge or give you a different technology to secure that data,” Devine said.
This is also why it is important to be confident that your chosen vendor is using the right security practices for that sensitive information. Business associate agreements will also be critical in this scenario.
“That becomes a challenge because you can't protect what you don't know,” Devine maintained. “So how do you do that? Do you do third party audits? Do you ask for auditing information? That becomes then a question of integrity, and a question of asking for personal information you never did before.”
EMR security is another top issue that healthcare organizations need to be mindful of, according to Devine. Migrations can be chaotic, which is why covered entities must preserve data integrity as they move information from one system to another. As data is transferred, it is also essential to ensure that both the old and the new systems are secured.
For example, a healthcare organization might assume it no longer has to worry about old operating systems or storage platforms. However, Devine cautions that in health data security, old systems still matter.
“You still have to make sure those vulnerabilities are patched effectively,” he said. “And that brings up the next point of patch management and keeping systems up to date.”
Devine added that healthcare organizations tend to be slow to adopt patch management, but they really need to keep those systems current 365 days per year.
Working toward HIPAA compliance
Riverside strives to at least have a third-party audit once per year, according to Devine, as part of its HIPAA compliance goals. The audit is intensive on access controls, policy analysis, operations, and technologies, he added.
“We try to do that once a year,” Devine reiterated. “Find the findings, fix the findings, and we try to stay up on that. The chief compliance officer is really heavily into HIPAA and tries to review any type of contracting and any type of where data could be.”
He also stated that it’s important to know how the patient's information is being secured from one point to the next throughout the entire continuum of care.
Another key component to Riverside’s approach to HIPAA compliance is that should any challenges arise, there is a compliance committee that reports to an audit committee. The audit committee includes board members and some senior management. From there, the board of directors is notified and can be given an overarching view of what is happening.
“We try to get up to the board of directors and say, ‘Here is your 100,000 foot view, here's all the bodies or the players that are involved, here's what we're doing, and here's how we feel like we mitigate these issues with privacy concerning the patient and privacy concerning the data.’”
Employee training is also critical for healthcare organizations, whether they’re working to stay HIPAA compliant, working through an EHR migration, or even in daily operations.
“Training becomes a factor of not just knowing what to do but really trying to build a relationship with that employee and giving them the empowerment,” Devine said. “Telling them, ‘Listen, you are a part of me. You are one of 4,000 employees who I rely on to let me know what's going on because I simply cannot see everything.’ It’s just impossible.”
Building that employee relationship means training staff not just in what to do, but also in whom to call, how to report an incident, and what one looks like, he added. Showing staff members real examples helps them learn better.
Riverside tries to keep its employees empowered as much as possible, according to Devine. Ongoing training also ensures that each individual is aware of what the latest threats might be.
Understanding that healthcare data breaches can happen to any facility
One of the key takeaways from the large-scale data breaches that happened in 2015 is that it can happen to anybody, Devine cautioned. Regardless of size or industry, an organization can find itself the victim of a cyberattack.
The C-suite especially must understand that any healthcare facility could be hit with a data breach.
“If they don't take that away then you have to drive that into their head that it can happen to anybody, no matter how big or how small,” he maintained. “To a hacker you're just an IP address. Once they get into your data, then you're gold to them; they don't care who you are. They won. That's a big win if you can get the administration to understand that.”
No company is going to be 100 percent secure, especially with more endpoints becoming connected to the internet.
“The only way you can do that is unplug you from the internet and keep everything internal and lock the doors,” Devine explained. “And at that point, you're shutting down your business.”
There is going to be risk, he acknowledged, but covered entities need to do the best they can and show through policy, through technology, and through training that they are doing the best that they can.