Electronic Security in Healthcare Systems
In addition to complying with federal HIPAA and HITECH guidelines regarding the privacy of patient information, healthcare systems need to be vigilant in the way that they secure information and manage network security. Mowry and Oakes (n.d.) discuss the vulnerability of electronic health records to data breaches. They suggest that as many as 77 persons could view a patient’s record during a hospital stay. It is critical for information technology (IT) policies and procedures to ensure appropriate access by clinicians and to protect private information from inappropriate access. However, authentication procedures can be cumbersome and time consuming, thus reducing clinician performance efficiency. Electronic Security in Healthcare Systems
Physicians spend on average 7 minutes per patient encounter, with nearly 2 minutes of that time being devoted to managing logins and application navigation. Likewise, an average major healthcare provider must deal with more than 150 applications—most requiring different user names and passwords—making it difficult for caregivers to navigate and receive contextual information. Healthcare organizations must strike the right balance, in terms of simplifying access to core clinical datasets while maximizing the time providers can interact with patients without jeopardizing data integrity and security (Mowry & Oakes, n.d., para. 7).
This chapter explores use of information and processes for securing information in a health system computer network. Electronic Security in Healthcare Systems
Securing Network Information
Typically, a healthcare organization has computers linked together to facilitate communication and operations within and outside the facility. This is commonly referred to as a network . The linking of computers together and to the outside world creates the possibility of a breach of network security and exposes the information to unauthorized use. With the advent of smart devices, managing all of these risks has become a nightmare for some institutions’ security processes. In the past, stationary devices or computers resided within healthcare facilities. Today, smart devices travel in and out of healthcare organizations with patients, family members, and other visitors, as well as employees—both staff and healthcare providers alike. According to Sullivan ( 2012 ), “Even as they promise better health and easier care delivery, wireless medical devices (MDs) carry significant security risks. And the situation is only getting trickier as more and more MDs come with commercial operating systems that are both Internet-connected and susceptible to attack” (para. 1). Electronic Security in Healthcare Systems
The three main areas of secure network information are (1) confidentiality , (2) availability, and (3) integrity . An organization must follow a well-defined policy to ensure that private health information remains appropriately confidential. The confidentiality policy should clearly define which data are confidential and how those data should be handled. Employees also need to understand the procedures for releasing confidential information outside the organization or to others within the organization and know which procedures to follow if confidential information is accidentally or intentionally released without authorization. In addition, the organization’s confidentiality policy should contain consideration for elements as basic as the placement of monitors so that information cannot be read by passersby. Shoulder surfing , or watching over someone’s back as that person is working, is still a major way that confidentiality is compromised. Electronic Security in Healthcare Systems
Availability refers to network information being accessible when needed. This area of the policy tends to be much more technical in nature. An accessibility policy covers issues associated with protecting the key hardware elements of the computer network and the procedures to follow in case of a major electric outage or Internet outage. Food and drinks spilled onto keyboards of computer units, dropping or jarring hardware, and electrical surges or static charges are all examples of ways that the hardware elements of a computer network may be damaged. In the case of an electrical outage or a weather-related disaster, the network administrator must have clear plans for data backup, storage, and retrieval. There must also be clear procedures and alternative methods of ensuring that care delivery remains largely uninterrupted.
Another way organizations protect the availability of their networks is to institute an acceptable use policy. Elements covered in such policy could include which types of activities are acceptable on the corporate network. For example, are employees permitted to download music at work? Restricting downloads is a very common way for organizations to prevent viruses and other malicious code from entering their networks. The policy should also clearly define which activities are not acceptable and identify the consequences for violations. Electronic Security in Healthcare Systems
The last area of information security is integrity. Employees need to have confidence that the information they are reading is true. To accomplish this, organizations need clear policies to clarify how data are actually inputted, determine who has the authorization to change such data, and track how and when data are changed. All three of these areas use authorization and authentication to enforce the corporate policies. Access to networks can easily be grouped into areas of authorization (e.g., users can be grouped by job title). For example, anyone with the job title of “floor supervisor” might be authorized to change the hours worked by an employee, whereas an employee with the title of “patient care assistant” cannot make such changes.
Authentication of Users
Authentication of employees is also used by organizations in their security policies. The most common ways to authenticate rely on something the user knows, something the user has, or something the user is ( Figure 12-1 ). Electronic Security in Healthcare Systems
Figure 12-1 Ways to Authenticate Users
A. An ID badge, B. Examples of weak and strong passwords, C. A finger on a biometric scanner.
Something a user knows is a password . Most organizations today enforce a strong password policy, because free software available on the Internet can break a password from the dictionary very quickly. Strong password policies include using combinations of letters, numbers, and special characters, such as plus signs and ampersands. Some organizations are suggesting the use of passphrases to increase the strength of a password. See Box 12-1 for an overview of best practices to create strong passwords. Policies typically include the enforcement of changing passwords every 30 or 60 days. Passwords should never be written down in an obvious place, such as a sticky note attached to the monitor or under the keyboard. Electronic Security in Healthcare Systems
BOX 12-1 BEST PRACTICES FOR CREATING AND MANAGING PASSWORDS
· Review the specific system guidelines for users—most will have information on password parameters and allowable characters.
· Use a combination of letters, numbers, special characters (!, $, %, &, *) and upper- and lowercase.
· Longer passwords are harder to crack. Consider at least 8 characters if the system allows.
· Choose a password that is based on a phrase: Use portions or abbreviations of the words in the phrase, or use substitutions (e.g., $ for S, 4 for “for”) to create the password. Example phrase: “Lucy in the Sky with Diamonds” was released in 1967; example password: LUit$wdia67.
· Think carefully about the password and create something that is easy for you to remember.
· Change your password frequently, and do so immediately if you believe your system or email has been hacked.
· Consider using a password manager program to help you create strong passwords and store them securely Electronic Security in Healthcare Systems