Category Archives: Data Security


Balancing act: Making data security a priority in daily nursing routines

By Terry Hayes  /  24 Mar 2016

Regardless of the hospital or specialty office, nurses are an essential piece of patient-centered healthcare delivery models. As a former pediatric nurse practitioner, I know firsthand the amount of responsibilities nurses juggle, all while maintaining the personal, bedside manner needed to ensure patients and their families feel comfortable and knowledgeable about treatment and care. Nurses are often the first and last point of contact to provide care for a patient, and a critical part of the clinical communication process, especially in the digital age.

Unfortunately, as healthcare data breaches surge and the need to prepare for HIPAA audits increases, nurses must also factor data security into their daily routines. Since 2010, the HHS Office for Civil Rights reported more than 1,400 breaches of unsecured protected health information affecting 500 or more individuals, and this number is expected to escalate. Given nursing’s dynamic role in communicating with team members across the care continuum (physicians, other nurses, patients, etc.), it’s important that nurses, as well as other healthcare professionals, are provided the right levels of secure connectivity to deliver quality care for patients efficiently.

Nurses must also understand the need for security in many of their day-to-day activities. Here are a few areas nurses must constantly keep in mind:

  • Within the care setting – Can the patient information be viewed (or heard) by anyone besides the patient? Are the connected medical devices in use secured? Could another care provider or visitor access the device if the nurse steps away momentarily? With the growing use of telemedicine, does the patient have the right set-up to participate in portals, video calls, etc.?
  • Outside of a care setting – Are documents sent to the correct printer and/or fax, and are those documents picked up quickly? Can non-authorized personnel easily access EHRs and other technologies? Are any BYOD technologies secure? Does the outside setting have appropriate procedures in place to assure patient confidentiality and, if so, is it monitored?
  • During a care transition – Do the appropriate care team providers have access to relevant information? Are there any others who participate in care who should be considered? If so, what level of information should be shared with those providers? Are all communications channels, such as a voicemail or email system, fully secure and HIPAA-compliant?

While education is critically important to ensuring nurses understand how to keep patient information secure, it’s also important for hospitals and other providers to identify processes and technological solutions to improve security, meet HIPAA standards and protect the confidentiality and integrity of patient data. This is particularly true as nurses (along with the rest of the patient care team) face more pressures to meet the demands of value-based care.

Nurses: how do you make data security a priority in your day? What challenges have you run into while balancing efficient and personal patient care with security?


Insights from HIMSS16: Four key takeaways

By Terry Edwards  /  14 Mar 2016

Each year, thousands of health IT leaders come together over one week to network, collaborate and shine a spotlight on industry accomplishments, challenges and innovation at HIMSS. I’ve attended the show for the past ten years, and I’ve seen trends evolve over time – some fading quickly, others becoming a constant theme throughout the years – all representing the ever-advancing healthcare landscape.

This year, as I walked the HIMSS show floor and had conversations with other executives, physicians and vendors, I noticed the following:

  • The market is shifting beyond secure messaging – For three years I’ve been talking about the fact that secure messaging is an essential feature of an organization’s clinical communications strategy, but it’s not sufficient in and of itself. We talked to more than one organization that experienced a failed secure messaging deployment. Having learned, those organizations and others are realizing that a secure comprehensive communication solution that can improve workflow is what is required. (It’s about time!)
  • Security continues to evolve as a top priority – Healthcare CIOs are viewing security as a major challenge, and one that must be addressed holistically. I spoke with one CIO who shared that one set of lost physician network credentials caused through a phishing scam required the reset of 20,000 user credentials – a major disruption to the entire organization. We also discussed the challenges for keeping information protected; it’s clear that more comprehensive security solutions are needed to avoid the disruptions and other setbacks caused by breaches. Healthcare security today must extend past the surface level and become integrated into workflow, communications, technology, etc.
  • Moving beyond Meaningful Use to optimization – For nearly a decade, Meaningful Use was king. Now that most providers have implemented EMRs, the conversation has shifted from fear of non-compliance to how we can do more with the EMR. More and more providers are looking for ways to optimize their EMR investment to leverage data, extend its usage and refine the technology so that it works more seamlessly within clinician workflow. Workflow plays such a critical role in care and physician coordination, and providers need platforms that are smart and holistic – ones consistent with reality.
  • Shifting viewpoints on the future of the industry – Depending on who you talk to, conversations around the state of the healthcare industry and its future, which were in no shortage over the course of the week, differ in tone. With many factors, such as regulations, driving change in the industry, it becomes easy to take on a negative mindset – physicians in particular become frustrated with balancing patient care, compliance, data and technology. One notable challenge is providers are having to figure out how to take responsibility for a whole episode of care when the patient’s full team of physicians may not all be in one system. However, innovation continues to lead the way, and this, too, was reflected in many positive conversations about the healthcare landscape today.

Healthcare will continue to build on what we have today, optimizing our existing technology to address broader issues, and do so much more comprehensively – raising new trends and challenges just in time for HIMSS 2017. See you there!

Save the date: HIMSS 2017, February 19-23 in Orlando, Florida


The outdated browser: breeding ground for cybercrime

By Don Dally, chief technology officer at PerfectServe  /  10 Mar 2016

Is your health system’s browser up to date? Too many organizations don’t know the answer to that question and are unaware of the consequences for using unsupported browsers. Or, if they do know the answer, they aren’t in a position to act on it.

Now is the time to check if your workstations are using the latest browser version available. Earlier this year, Microsoft announced that it was discontinuing support for Internet Explorer versions 8, 9 and 10. The discontinuation of this support may affect more people than you think. The loss of this support means Microsoft will no longer provide vital security patches for these browser versions, increasing vulnerabilities that go unattended, and leaving healthcare organizations wide open for attacks. This should come as no surprise to healthcare stakeholders, who’ve seen cyberattacks increase in recent years, especially in the healthcare industry. Hackers will find a way to exploit these vulnerabilities. It’s not a matter of IF, but WHEN.

There are two main reasons why outdated browsers linger:

  1. A clinical application doesn’t support modern browsers—Many healthcare providers are running older versions of browsers because they use a legacy application from a vendor that will not work on more contemporary browser versions. In basic terms, the application is holding them back.
  2. The provider organization is not updating the browser—If, for whatever reason, the provider is not updating its browser, it requires vendors to spend an inordinate amount of time and effort making sure their applications will work across the various (often outdated) browser versions used by their customers.

Browser upgrades are a two-way street: providers must make sure they are using the most up-to-date browser version for vital security updates while vendors must make sure that their applications and solutions can support contemporary and future browser versions so they are not holding their users back.

How to keep current

Although browser choice can be an overlooked decision, it’s important that both vendors and providers stay on top of the latest versions. Here are some steps to help providers and/or vendors break the cycle of using outdated browsers:

  • Vendors should be held accountable for keeping pace with browser evolution
  • If you have a legacy application that requires an older browser, keep the browser on the workstation current and use virtualization to serve up an older browser for the legacy app
  • Ensure your organization has procedures in place to keep your browsers updated and properly patched

If you’re not sure whether you are using the most up-to-date browser, check here to see the newest version of your browser that’s available. We all have to step up to the plate and stay current. It is no longer an issue of convenience; it is a matter of patient privacy.


HIPAA regulation: The myths around integrating compliance and patient care

By Terry Hayes  /  25 Feb 2016

Keeping healthcare information flowing to the right people, at the right time, creates the potential for more effective patient care and population health management. However, a greater number of moving parts also means greater risk. With personal health data moving more frequently through an increasing variety of digital channels, the complexity of communicating in a secure manner as mandated by HIPAA regulations is more important than ever, as is the risk to the confidentiality and integrity of patient data.

Within the healthcare industry, HIPAA is known to be intricate and difficult to navigate on the path to compliance. I’ve found that many physicians and allied healthcare professionals don’t have a solid understanding of HIPAA in terms of what’s required and how it can help to actually improve patient care. We’ve debunked a few of the most common myths:

HIPAA stands in the way of patient care – HIPAA has three core areas: confidentiality, integrity and availability. These regulations are intended to mesh with and provide a foundation for the kind of proper, efficient exchange of information that grounds new models of collaborative care. To improve clinical communication and patient care, healthcare organizations should assess how their members communicate and build compliance into the model in ways that enhance workflow. By finding secure ways to encourage and streamline the flow of information, healthcare organizations can align the need for HIPAA compliance with the trend toward greater collaboration and the goal of better patient care.

Compliance can’t pave the way for meaningful use – Organizations hold the responsibility for assessing and adopting the technologies that best serve their overall goals and structure, while being compliant with HIPAA – which creates a challenge that leads many to believe meaningful use can’t be obtained. The flexibility this responsibility provides to healthcare organizations is essential to achieving HIPAA’s third core tenet: availability of information. The ability to store and transmit data securely means that it can be shared among all those on the care team—keeping the right people informed in a timely manner. Security compliance actually encourages the exchange of information that can bring greater efficiencies and better outcomes in the healthcare model.

HIPAA’s complexity leaves no room for improvement in security strategies – Despite the emphasis on communication and security, the solutions most organizations rely on are fragmented. Instead, organizations should look into comprehensive strategies that incorporate all pieces of patient health information. According to a recent survey conducted by Harris Poll and commissioned by PerfectServe that examined causes for healthcare communications breakdowns, 13% of healthcare professionals admit that to facilitate patient care, they have sent patient health information through unsecure text or voice messages with their personal smartphone in the past year. In addition, 21% acknowledge having received unsecure communications from colleagues via the same manner.

In a world of rapidly expanding communication methods and applications, it’s easy to become misguided by these myths, keeping physicians and healthcare professionals from seeing HIPAA’s true capabilities. It’s important to understand these intricacies as organizations review and work to improve their risk management strategies, and ultimately embrace more collaborative care models and technologies that make care more accessible and efficient.


Education minimizes the impact of healthcare hackers

By Don Dally  /  28 Jan 2016

Security continues to be top of mind for healthcare professionals, and according to a Health IT Outcomes survey, PHI security is the top 2016 priority for more than 42% of healthcare executives. The risk of being hacked today is increasing exponentially due to the huge surge in devices and data being used and shared.

Over the last few years, healthcare systems have been targeted by various security threats. In 2015, major health insurers Anthem, Premera and Excellus headlined a long list of hacked healthcare organizations in the United States. These three organizations alone resulted in the leak of more than 100 million patient records, and the Anthem breach by itself more than doubled the number of people affected by breaches in the health industry since 2009.

Hackers in the healthcare system are like bacteria, mutating quickly to change the way they attack. In order to stay a step ahead and protect critical PHI, healthcare organizations must stay on top of what’s happening, try to predict hackers’ next moves and understand how and where PHI is shared. Healthcare providers will need to be more proactive about potential hacks and take security threats more seriously by:

  • Educating physicians on the value of security: Many physicians experience a slowdown in their daily processes when security is added to their systems – taking time away from their patient visits. Security can also be expensive to add for healthcare organizations. While antivirus solutions have become reasonably inexpensive, other necessary solutions like data loss prevention (DLP) and encryption can cost significant amounts not only to purchase, but to implement and support. Organizations need not only to balance security controls to ensure they don’t impede physicians’ efficiency, but they also need to work with physicians to help them understand that the value of security outweighs both of the aforementioned concerns. A data breach not only means that protected patient health information is exposed, but also threatens the reputation of the provider organization.
  • Understanding how vendors store and transmit patient data: So much patient information lives in external, third-party organizations. However, IT security is a complex issue, and that complexity – along with the overwhelming number of vendors in the space – can be off-putting to clinicians. Providers have an obligation to their patients to understand and ensure that these organizations are taking measures to protect that critical information. Periodically, providers must compare each healthcare organization’s benefits, and also look at how each vendor stacks up when it comes to security procedures by asking questions like, “When was your last risk assessment?”, “How do you encrypt data when it is stored?” or “What data do you share with third parties?” Providers have an obligation to themselves, and more importantly, to their patients to thoroughly vet every vendor they share their PHI with.
  • Understanding recent updates to privacy and security rules: Despite recent breaches, many providers still don’t understand the privacy and security regulations. Too many physicians I meet have lingering confusion about HIPAA, as well as standard security protocols. Privacy and security laws and regulations are constantly updated to account for the ever-changing risk landscape and protect consumer privacy. Physicians must be up-to-date on these healthcare regulations to not only prevent a hack, but to ensure that patient information remains protected.

More physician education needs to take place related to the intricacies of the healthcare system and the responsibilities and security procedures of healthcare organizations. In 2016, I trust that providers will look at more ways to partner with physicians and improve their efforts around the issue. Security is invaluable and needs to be managed more carefully as everyone’s personal data is on the line.