
Intel Healthcare IT

18 Posts authored by: David Houlding

Healthcare IT is moving away from the top-down, “command and control” model of 10 years ago, when IT provisioned all devices and the mobile device environment was more homogeneous, strongly managed and secured, to a much more diverse, heterogeneous environment including BYOD, often with less manageability and security. In this new diverse and rapidly changing environment, a strong and effective detection and response capability becomes much more important. We can compare the new environment and this security model to an immune system: when a pathogen appears it is detected by the body, and an immune response starts to eliminate the pathogen and put out antibodies to prevent a future recurrence.

 

In this analogy a pathogen in healthcare IT security could be a new type of malware or phishing attack, or some risky healthcare worker action such as attempting to copy unencrypted patient records onto a USB key, or attempting on impulse a post of sensitive healthcare data to social media. SIEM, DLP and global threat intelligence capabilities are just a few great examples of security detection controls. An effective immune response in healthcare IT security needs to be holistic and multi-layered in the sense of incorporating several administrative, physical and technical controls complementing each other for effective risk mitigation. Administrative controls may include updates to policy, risk assessments, effective training, audit and compliance, and security incident management controls. Physical controls may include locks and other physical access and tamper proofing controls for data, assets and facilities. Technical controls may include anti-malware, IPS, whitelisting, encryption, anti-theft and many others.

 

Within this mix of safeguards, and with key healthcare trends such as BYOD, social media and mobile healthcare increasingly empowering healthcare workers with more tools and options to get their work done, the human factor and effective training are becoming incredibly important. Recent HIMSS research shows that if solutions or security lack usability, healthcare workers use these tools and options to get their job done in workarounds that add non-compliance issues and additional risk.

 

Compounding this challenge, recent HHS OCR audit findings show that many healthcare organizations lack effective training. To be effective, training must move beyond the “once a year, scroll to the bottom and click accept” model to a much more continuous, bite-sized, gamified, engaging form, and enable healthcare workers to apply and solidify their knowledge as part of their daily job. Penetration testing needs to include the human factor to help detect vulnerabilities in end user behavior that can then be remedied. Some innovators such as Wombat Security Technologies have emerged with capabilities in this area. Security safeguards such as DLP also offer special value in helping educate healthcare workers on the job in “teachable moments”: at the point where they attempt an action that is out of compliance with policy, the DLP control can inform them and educate them on safer alternatives.

 

What kinds of trends and risks, and detection and response safeguards, are you seeing in your healthcare organization?

When security technologies are introduced together with usability improvements in healthcare solutions they have a much greater chance of being approved and winning acceptance by healthcare workers. This is in contrast to introducing security technologies into healthcare organizations without usability improvements which at best have no usability impact, and may in fact have negative usability impact.

 

In my last blog, Improving Healthcare Solution Usability with Single Sign-On, I describe how too many layers of login is one of the most cumbersome usability challenges that compels healthcare workers to do risky workarounds out of compliance with privacy and security policy. Single Sign-On (SSO) solutions can greatly reduce the number of sets of credentials as well as the number of actual logins required by healthcare workers during their day, providing major usability benefits. When such a solution is combined with more usable forms of multi-factor authentication such as wireless proximity cards (RFID, NFC or other), it can greatly improve both security and usability. In this type of solution, once the healthcare worker has logged into a device they can start up multiple apps within their session without having to re-authenticate to each app. As more healthcare apps are integrated with such an SSO solution, the number of separate credentials needed by the healthcare worker can be reduced, eventually to a single set of credentials required to log in to the SSO solution.

 

Many SSO solutions also enable healthcare organizations to implement a policy where the first login of the day requires 2 factors, perhaps the proximity card and a password, but thereafter, as long as the clinician authenticates at another point in the network with their proximity card within a configurable amount of time defined by policy, e.g. 2 hours, the proximity card alone is sufficient to authenticate and no password is required. This effectively enables the clinician to move between devices throughout the day with a simple tap of their proximity card.

 

SSO may also provide patient context sharing, where different healthcare apps running in the same session track the same patient automatically, so a clinician that searches and finds a patient in the Electronic Health Record (EHR) system can then switch over to a Picture Archiving and Communication System (PACS) and find it has already automatically located the same patient, freeing the clinician from having to search for the patient again in each application. Such patient context capability may be based on the Clinical Context Object Workgroup (CCOW) standard. This is clearly another major usability benefit, and one that also mitigates the risk of a clinician accidentally looking at different patients across different apps.

 

Just as important as easy login is minimizing risk of a live session being hijacked once the authenticated healthcare worker moves away from the device with the open live session. This can be done by setting an inactivity timeout to a low number of minutes, which in practice is workable from a usability standpoint since a simple tap of the wireless proximity card gets the healthcare worker back into their session. In the future technologies such as facial recognition may also enable the device to detect when the healthcare worker moves away, closing the session automatically and further reducing the window of opportunity for session hijacking.
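The two policies described above, the step-up rule (card plus password on the first login of the day, card alone while the last card tap anywhere on the network is within the configured window) and the idle lock that sends a walked-away session back through a card tap, are easy to get subtly wrong, so here is a small Python model of them as an added example. It is not code from this post or from any SSO product; the 2-hour window and 5-minute timeout are assumed values matching the figures in the text, and the `WorkerAuthState`, `Session`, `required_factors`, `authenticate` and `resume` names are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

# Policy knobs. Assumed values for this example, chosen to match the text:
# a 2-hour card-only window and a lock after a few idle minutes.
STEP_UP_WINDOW = timedelta(hours=2)
INACTIVITY_TIMEOUT = timedelta(minutes=5)


@dataclass
class WorkerAuthState:
    """Per-worker record the SSO service keeps, shared across all devices."""
    last_full_auth: Optional[datetime] = None   # last card + password login
    last_card_tap: Optional[datetime] = None    # last successful card presentation


@dataclass
class Session:
    """A live session on one device."""
    device: str
    last_activity: datetime


def required_factors(state: WorkerAuthState, now: datetime) -> Set[str]:
    """Factors the worker must present for a login at time `now`.

    Card + password on the first login of the day, and again whenever the
    worker has not tapped the card anywhere on the network within
    STEP_UP_WINDOW; otherwise the card alone is sufficient.
    """
    if state.last_full_auth is None or state.last_full_auth.date() != now.date():
        return {"card", "password"}
    if state.last_card_tap is None or now - state.last_card_tap > STEP_UP_WINDOW:
        return {"card", "password"}
    return {"card"}


def authenticate(state: WorkerAuthState, now: datetime, presented: Set[str]) -> bool:
    """Apply the policy to one login attempt; update worker state only on success."""
    if not required_factors(state, now) <= presented:
        return False  # a required factor is missing: deny and leave state untouched
    state.last_card_tap = now
    if "password" in presented:
        state.last_full_auth = now
    return True


def session_locked(session: Session, now: datetime) -> bool:
    """True once the device has sat idle for INACTIVITY_TIMEOUT."""
    return now - session.last_activity >= INACTIVITY_TIMEOUT


def resume(session: Session, state: WorkerAuthState, now: datetime,
           presented: Set[str]) -> bool:
    """Get back into a session: no challenge while it is still live; after the
    idle lock the same policy check applies, which in practice is a card tap."""
    if session_locked(session, now) and not authenticate(state, now, presented):
        return False
    session.last_activity = now
    return True


def simulate_day():
    """Walk one clinician through a constructed shift; returns (label, allowed) pairs."""
    state = WorkerAuthState()
    t = datetime(2013, 3, 6, 7, 0)  # constructed start of shift
    log = []
    log.append(("07:00 ws1 card only", authenticate(state, t, {"card"})))
    log.append(("07:00 ws1 card+password", authenticate(state, t, {"card", "password"})))
    ws1 = Session("ws1", t)
    t += timedelta(minutes=3)
    log.append(("07:03 ws1 still live, no challenge", resume(ws1, state, t, set())))
    t += timedelta(minutes=10)
    log.append(("07:13 ws1 idle-locked, no card", resume(ws1, state, t, set())))
    log.append(("07:13 ws1 idle-locked, card tap", resume(ws1, state, t, {"card"})))
    t += timedelta(hours=1, minutes=30)
    log.append(("08:43 ws2 card only (1.5h since tap)", authenticate(state, t, {"card"})))
    t += timedelta(hours=2, minutes=30)
    log.append(("11:13 ws3 card only (2.5h since tap)", authenticate(state, t, {"card"})))
    log.append(("11:13 ws3 card+password", authenticate(state, t, {"card", "password"})))
    return log


if __name__ == "__main__":
    for label, allowed in simulate_day():
        print(f"{'ALLOW' if allowed else 'DENY '}  {label}")
```

Two design points worth noting: a denied attempt must not refresh `last_card_tap`, or a lost card could keep its own window alive; and the window is measured from the last card tap rather than the last password entry, which is what lets a clinician who taps in regularly go the whole day without retyping the password while a card that goes unused for two hours drops back to two factors.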

 

Biometrics holds promise in further freeing the healthcare worker from having a wireless proximity card. This is especially compelling in healthcare where not having to touch anything can be a significant healthcare improvement since healthcare workers need to keep sterile hands. To achieve this improvement biometrics need to be both highly reliable and resilient to spoofing. For example viable facial recognition would need to have negligibly low false accept and false reject rates, and would have to be able to detect if a face in front of a device was a picture or a real person. Several strategies are emerging for this including multiple cameras able to detect depth, and facial recognition strategies that require some motion such as blinking to ensure the subject is not a static picture. The reality in healthcare is many healthcare workers, such as doctors working in multiple healthcare organizations, need separate credentials for each organization, and in a worst case a separate proximity card for each facility. As more healthcare organizations implement biometrics this has potential to reduce the number of tokens such as proximity cards required by a given healthcare worker. Furthermore, strategic initiatives such as National Strategy for Trusted Identities in Cyberspace (NSTIC) have the potential to separate Identity Providers from Service Providers where healthcare workers have one set of credentials to authenticate with the Identity Provider and could then access multiple Service Providers such as healthcare organizations without having to be issued a separate set of credentials from each healthcare organization.

 

Another technology that holds major promise is virtualization with a “follow me session”, where a healthcare worker that has logged into a given device to start up a secure session, started up healthcare apps within their session, and located a given patient medical record, may then move to another device, log in and get access to the same session without having to start the apps and search for that patient again. This becomes particularly compelling as the number and types of devices healthcare workers use increases and their use cases require them to move between the devices seamlessly. This capability can also be especially beneficial where healthcare workers must use many shared workstations throughout their day and switching of devices is frequent even within a given patient encounter. Along with this type of compute model one can do centralized patching and management, leading to major security, manageability and operational efficiency benefits. Where virtualized healthcare clients running on mobile devices have the ability for secure local storage of limited healthcare data, for example just records for the patients a healthcare worker will see that day, they enable healthcare workers to be productive even in areas lacking network coverage or performance, such as rural areas or patient homes. This improved availability is particularly important as healthcare becomes more decentralized.

 

What kinds of solutions that combine usability and security improvements are you seeing in your healthcare organization?

 

The benefits of analytics in healthcare are compelling, and big data is fueling this with increasing quantity and quality of patient data with potential to enable major improvements in evidence based medicine, ultimately enabling greatly improved quality of care.

 

Combining this with cloud computing enables healthcare to rapidly realize benefits with less initial capital investment, more of a pay-as-you-go financial approach, and much greater agility, amongst other benefits. However, privacy and security are major concerns and an impediment to many healthcare organizations realizing these benefits. Further, legal and regulatory compliance challenges abound, from national to state level regulations, and across verticals and different types of data.

 

I had the privilege of moderating and participating on a workshop panel filmed at HIMSS 2013 in New Orleans with a group of leading experts:

 

Nicole Martinez, Director of Nursing Informatics, Robert Wood Johnson University

Brian Balow, Partner, Dickinson Wright PLLC

Dr Khaled el Emam, CEO, Privacy Analytics

Kim Singletary, Director of Technical Solutions Marketing, McAfee

 

See highlights of our workshop panel at the video above.

 

We discuss frontline healthcare workers real experience with analytics, the compelling benefits, common challenges, and practical solutions encountered in implementation. We also discuss the regulatory and legal landscape, and practical strategies for compliance.

 

A multi-layered approach to security emerges in our discussion as a best practice to mitigate risk, and we discuss several key security safeguards including risk based de-identification, tokenization, encryption and various administrative security controls including policy, effective training, audit and compliance, and contracts and plans with Business Associates.

 

We also discuss results from a recent HIMSS global research survey of frontline healthcare workers, highlighting challenges with IT department responsiveness and flexibility, the usability of solutions and security, and how usability is much more than a “nice to have”, having real impacts on compliance and risk where healthcare workers are compelled to use workarounds.

 

Based on this research we pose and discuss the pertinent question: “If we are going to secure our data in the cloud, which cloud is the data in?” We discuss how this research shows that the use of workarounds by healthcare workers can drive sensitive healthcare data into “side clouds” outside of the control of the healthcare organization, where it is at increased risk of confidentiality / breach, integrity, and potential trans-border data flow issues.

 

Last but not least, we discuss how usable hardware-based security solutions can enable strong and usable security that avoids compelling healthcare workers to use workarounds, thereby improving compliance and reducing risk, and ultimately helping ensure sensitive healthcare data stays in the clouds where it is supposed to be, within the control and effective security of the healthcare organization.

 

What kinds of benefits, risks and practical solutions are you seeing with healthcare analytics in the cloud?

In a 2013 HIMSS global security survey of 674 frontline healthcare workers (Workarounds in Healthcare, a Risky Trend), too many layers of login was cited by 36 percent as a key driver compelling the use of risky workarounds, which are out of compliance with policy, to get their jobs done. An example of a workaround could be a file transfer app on a personal device used to transfer sensitive healthcare data unencrypted.

 

Single Sign-On (SSO) is a natural solution to this, reducing the total number of logins required for healthcare workers to do their job “the right way,” in compliance with policy, avoiding compelling them to resort to risky workarounds. However, as more healthcare systems are integrated behind a single sign-on solution, the risk and specifically the business impact of a compromised set of credentials increases. For this reason single-sign on is often combined with stronger multi-factor authentication.

 

A key take-away from the HIMSS survey is that usability is more than a “nice to have,” directly impacting non-compliance and risk. BYOD, social media, apps and other trends are empowering healthcare workers with more tools than ever before, and this research shows that if IT departments, solutions or security gets in the way, healthcare workers can and do use workarounds to get their job done.

 

Usability issues with multi-factor authentication, and specifically separate hardware tokens are well known. People lose them, break them, don’t like them (especially if they need multiple of them), and separate hardware tokens are often associated with increased TCO (Total Cost of Ownership) due to support and provisioning costs. Intel® Identity Protection Technology provides a strong 2-factor authentication solution without a separate hardware token, thereby avoiding the usability, support and TCO issues with separate hardware tokens.

 

The “what you have” in this case is the Intel® IPT capable mobile device that gets provisioned by the healthcare worker as a secure terminal for accessing healthcare solutions and sensitive patient information. Here’s how this works: in the event that the healthcare worker’s username/password credentials are compromised, and an impersonator tries to use these stolen or lost credentials to access the healthcare solution, the login will fail and they will be blocked since they don’t have the Intel® IPT capable mobile device that was previously provisioned by the healthcare worker as a secure terminal.

 

Combining SSO with Intel® IPT combines both the usability benefits of a reduced number of logins, as well as the usability benefits of a multi-factor solution that does not require a separate hardware token, for a stronger and more usable healthcare security solution.

 

What issues are you seeing with too many layers of login in your healthcare organization, and are you looking at single sign on solutions with multi-factor authentication?

Evernote says security has been breached by hackers. Dropbox password breach highlights cloud security weaknesses. These recent headlines are just two in a long list of examples of popular apps being compromised, putting sensitive data stored in their respective clouds at risk.

 

In an earlier blog, What cloud is your healthcare data in?, I explored the impacts of healthcare workers using apps with sensitive healthcare data, and the often undesirable side effect of moving the sensitive data into “side clouds” that are relatively insecure and add significant privacy and security risk.

 

A recent HIMSS global security survey of 674 frontline healthcare workers, Workarounds in Healthcare, a Risky Trend, HIMSS media, March 2013, shows that when solutions are unusable, security is cumbersome, or IT departments too slow or too restrictive in enabling new technologies, healthcare workers use workarounds. This survey revealed that this happens every day (22%) or sometimes (30%).

 

Personal apps for file transfer, note sharing, communications or other purposes were identified by 20 percent of healthcare workers as key tools to do workarounds. When sensitive healthcare data is used in workarounds this adds risk from a confidentiality / breach standpoint, as well as an integrity (completeness / accuracy) standpoint, since the patient record often does not get updated with data moving in these workaround “side channels.”

 

To mitigate this risk we need a multi-pronged strategy including improving the usability of healthcare solutions and security to avoid compelling healthcare workers to use workarounds. IT departments in healthcare organizations need to be responsive and avoid being overly restrictive in enabling new technologies, or face being bypassed by healthcare workers in their use of workarounds. Administrative controls need to be bolstered, including policy, risk assessment (and proactively addressing deficiencies) and effective security training.

 

What kinds of apps are your healthcare workers using, and where do you see the risks?

 

In my last blog, What Types of Workarounds Are Your Healthcare Workers Using?, I explored the types of tools healthcare workers are using to circumvent solutions or security that gets in the way, driving non-compliance issues and additional privacy and security risk. An example of a workaround could be copying unencrypted patient records onto a personal USB key in order to transfer them.

 

A global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel, with 674 respondents, reveals that more than half of respondents use workarounds either every day, or sometimes. In this blog we look at results from the survey that highlight to what extent healthcare workers are aware of the risks associated with using workarounds, why they are doing workarounds anyway, and why workers may not be adequately aware of risks.

 

In order to gauge awareness of risks associated with workarounds we asked in the survey, “Do you think people using workarounds are aware of the associated privacy and security risks?” Almost evenly split, 36 percent indicated yes while 35 percent indicated no, and another 20 percent indicated they don’t know. Clearly there is much work to be done in increasing awareness of risks associated with workarounds, a basic first step to mitigating this type of risk. To dig a little deeper we surveyed respondents with two further questions on why those that are aware of risks use workarounds anyway, and where things may be breaking down for those that aren’t aware of risks.

 

To understand why healthcare workers that are aware of risks use workarounds anyway, we asked, “If people are aware of risks, why do you think they use workarounds anyway?” Of the major categories of response to this question, 53 percent indicated frustration with the current system, 53 percent that workarounds make their job easier, 38 percent indicated risks were insignificant, and 29 percent indicated that improving the quality, improving efficiency, and reducing the cost of patient care takes priority over security. These results suggest that current healthcare solutions are in many cases viewed as more difficult to use than workarounds. Many healthcare workers are also clearly making a decision to do workarounds that improve healthcare while waiving the associated risks as insignificant or lower priority.

 

To explore why some healthcare workers lack awareness of risks, we asked, “If people are not aware of risks, why might they not be aware?" Forty-five percent indicated lack of oversight or enforcement of policy, 43 percent indicated lack of effective security awareness training, and 19 percent indicated lack of privacy and security policy. It seems that while most organizations have a policy, often it is not adequately enforced, and security awareness training is in many cases ineffective.

 

Stay tuned for the finale of this blog series next week with the release of a HIMSS/Intel whitepaper on this recent security survey. We’ll also be releasing these survey results and the HIMSS/Intel whitepaper at a workshop at HIMSS 2013. If you will be at HIMSS13 in New Orleans, join us for this complimentary workshop panel to explore these concepts further. RSVP and reserve your spot.

 


Healthcare workers are increasingly being empowered with many powerful technologies, from BYOD, to social media, texting, and even personal email and USB sticks that have been around for a while. These tools provide new options to healthcare workers to get their jobs done.

 

Download a new white paper on risky security workarounds

 

Where healthcare solutions or security get in the way, or IT departments are perceived as being slow or overly restrictive, healthcare workers often use these options in workarounds that achieve the immediate goal, perhaps transferring a patient record unencrypted to a co-worker using a file transfer app on a personal device, but often add significant risk from a privacy and security standpoint.

 

A global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel, with 674 respondents, reveals that more than half of respondents use workarounds either every day (22%), or sometimes (30%). In a recent blog series, we shared some early highlights of this survey including what is driving the use of workarounds, what specific types of workarounds are being used, and where privacy and security is challenged.

 

Download the white paper with many more details on the results of this survey and what they mean. Learn practical strategies for how to mitigate risks associated with workarounds, within a holistic, multi-layered approach:

1. Improving usability of solutions and security,

2. Improving responsiveness and agility of your IT department,

3. Choosing the right device, compute model and communication method for your tasks,

4. Improving the effectiveness of your administrative controls including policy, enforcement and effective training.

 

What questions do you have?

In my last blog, What is Driving the Use of Risky Workarounds in Healthcare?, I explored the reasons why frontline healthcare workers are using workarounds that are out of compliance with policy, drive increased privacy and security risk, and can result in compromises to the confidentiality (breach) and integrity of patient records. An example of a workaround could be a healthcare worker taking a photo of a patient on a personal device and emailing this using their personal email to a co-worker.

 

A global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel, with 674 respondents, reveals that more than half of respondents use workarounds either every day, or sometimes. In this blog we look at what types of tools healthcare workers are using for workarounds.

In this survey, we asked frontline healthcare workers globally what types of workarounds help deliver better care more quickly. Here’s what they said:

 

  • 59 percent indicated they use personal smartphones for workarounds, 50 percent personal tablets, and 39 percent personal laptops
  • Text messaging was used by 40 percent of respondents
  • Personal email is being used by 32 percent of healthcare workers in workarounds that help them get their job done
  • 21 percent of respondents indicated they are reverting to paper based workarounds where technology solutions or security get in the way

 

Many other respondents indicated personal apps (20%), personal USB keys (19%), photos using personal devices (17%), social media (12%), video using personal devices (8%) and several other types of workarounds.

 

So what should you do about this? A proactive approach to enabling BYOD (Bring Your Own Device) is recommended, enabling the use of personal devices in ways that are in compliance with privacy and security. However, these results clearly show that personal devices may also be used in workarounds that are not compliant with privacy and security policy and drive significant additional risk of security incidents such as breaches.

 

Healthcare organizations are encouraged to explicitly treat the use of workarounds in their policy, procedures, and risk assessments. For the highest priority risks that need to be mitigated, this information on what types of workarounds are being used by healthcare workers is critical to make informed decisions on what types of safeguards to use to mitigate the associated risks. Some of these safeguards may be technical or physical. Effective training is also an increasingly important administrative safeguard to mitigate risks of workarounds, and is sure to grow further in importance as healthcare workers are increasingly being empowered by BYOD, social media, and many powerful new tools.

 

What types of workarounds do you see in your healthcare organization?

 

Stay tuned for more information in my weekly blog series. Next week we’ll start to take a look at further results from the survey that measure healthcare worker awareness of risks and why they use workarounds anyway.

 

We’ll be releasing these survey results in a whitepaper at a workshop at HIMSS 2013 on March 6. If you will be in New Orleans, join us for the workshop panel to explore this concept further. RSVP and reserve your spot.

 


 

In my last blog, I discussed the extent to which healthcare workers are doing workarounds to get their jobs done, using personal smartphones, tablets, laptops, USB keys, apps, email, texting, social media and others. Workarounds are out of compliance with policy and drive increased risk to confidentiality which can lead to breach, as well as risk to the integrity of the patient record since data in such workarounds often doesn’t get updated in the patient record.

 

An example of a workaround could be a healthcare worker texting sensitive healthcare data to a co-worker. A global survey of frontline healthcare workers completed this past January by HIMSS and Intel, with 674 respondents, revealed that more than half of respondents use workarounds either every day, or sometimes.

 

Why is this occurring? To measure drivers compelling healthcare workers to use workarounds, we posed the following question in the recent survey: “What factors motivate the use of workarounds in your organization?” Here’s what came back:

 

  • 45 percent of healthcare workers responding to the survey indicated that they use workarounds because they are simply easier to use. They indicated room for improvement in the usability of healthcare solutions and the security around them.
  • 40 percent indicated their IT departments were too slow to enable new technologies.
  • 22 percent indicated the list of approved apps is too restricted, suggesting that if healthcare IT departments are perceived as being too slow in enabling new technologies, or too restrictive with approved technologies, then healthcare workers can bypass them with workarounds that are increasingly available to them.
  • 36 percent indicated that there are too many layers of login required, pointing to the need for single sign-on technologies, and authentication methods that are more user friendly such as those using proximity tokens and biometrics.
  • 24 percent of healthcare workers responding to the survey indicated that workarounds help deliver better care, suggesting a decision by healthcare workers to waive the risks of workarounds in light of the benefits of improved care.

 

Many other drivers were measured in the survey including web browser and thin client challenges with network availability / performance, 2-factor authentication, slow encryption, and so forth.

 

What factors do you see in your healthcare organization compelling the use of workarounds?

 

Stay tuned for more information in my weekly blog series. Next week we’ll look at the specific methods being used by healthcare workers to do workarounds.

 

We’ll be releasing these survey results in a whitepaper at HIMSS 2013. If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.

 


In my last blog, I mentioned a global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel on what motivates the use of workarounds, what types of workarounds are being used, and where there may be challenges in privacy and security.

 

One of the most interesting questions from the survey asked healthcare workers was, “How commonly do 'workarounds' happen in your organization, which may involve the use of alternative tools such as personal device/apps or social media that may be out of compliance with policy?”.

 

The results found that 22 percent of healthcare workers indicated they use workarounds every day, and 30 percent indicated using workarounds sometimes. Combined these represent more than half of 674 global healthcare worker respondents that acknowledge using workarounds, risking the confidentiality and integrity of sensitive healthcare data. Workarounds may include personal smartphones, tablets, laptops, USB keys, apps, email, texting, social media and others. The interesting thing about these types of risks is that they can happen even with thin client/VDI solutions, and even the most secure platform including corporate provisioned devices can be impacted if the healthcare worker has personal devices on them, is able to install apps, can use social media, do text messaging and so forth.

 

A key take-away of this result is that the use of workarounds is currently real, serious, and should be included in risk assessments done by healthcare organizations. These types of risks are also poised to grow as healthcare workers are increasingly empowered with more exciting and powerful personal devices, apps, social media and tools they can and do use to improve healthcare, but in many cases inadvertently also add privacy and security risk.

 

Stay tuned for more information in my weekly blog series. Next week we’ll look at the specific motivations and drivers that are compelling healthcare workers to use workarounds, ranging from healthcare solutions that are unusable, to IT departments that are too slow to enable new technologies and apps, to cumbersome security controls that are impeding healthcare workers.

 

Are you currently including risks of workarounds used by healthcare workers in your risk assessments?

 

If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.

 


We spend a lot of time and attention analyzing vulnerabilities with specific endpoint devices or cloud platforms, which is warranted, but often not the most significant source of privacy and security risk.


Healthcare workers are being increasingly empowered with tools from bring your own device (BYOD) personal smartphones, tablets, laptops, to personal apps for file transfer, note sharing and other tasks, to social media, texting, personal email, USB keys and so on. When healthcare solutions, or the security around them, are perceived by healthcare workers as unusable or cumbersome, they can and do use workarounds that can drive additional risk.


One specific example is moving unencrypted patient information using a file transfer service accessed through an app running on a personal device. In this case the sensitive healthcare data moves through the data transfer cloud associated with the file transfer app. This moves the protected healthcare data into a “side channel”, separate from the EHR and out of the control of the healthcare organization. This in turn adds confidentiality risk (breaches), as well as risk to the integrity or completeness of the patient record, since data moving in side channels like this, out of band with the official repository (e.g., the EHR, or Electronic Health Record, solution), often does not result in updates to the patient record.

Over time the patient record can become incomplete or dated. In the best case this results in suboptimal healthcare, and in the worst case it becomes a patient safety concern. This vulnerability can exist even with a secure endpoint device and a secure cloud behind it, and even if a thin / VDI client is used, since it only requires the user to have the ability to install and use the file transfer app.

In January 2013, HIMSS surveyed frontline healthcare workers globally on what motivates the use of workarounds, what types of workarounds are being used, and where there may be challenges in privacy and security such as lack of policy, lack of enforcement, or ineffective training. This survey greatly exceeded the expected response rate, with more than triple the target number of responses, or 674 total respondents. Here are some quick facts about the respondents:

  • 77% of respondents were in North America
  • 11% in Europe
  • 4.5% Middle East
  • 46% of respondents were working in hospitals
  • 27% in multi-hospital systems or integrated delivery systems
  • 7% in ambulatory care facilities
  • 66% of respondents were in large organizations with more than 500 employees
  • 23% in medium sized organizations with 50-500 employees
  • 10% in small organizations with less than 50 employees


The largest categories of roles of respondents were nurses at 14 percent, doctors/PAs/nurse practitioners at 13 percent, administrative directors/managers at 11 percent, and several other healthcare frontline worker roles across provider, payer, life sciences and pharma sectors of healthcare.


What did they have to say? Stay tuned for more information in my weekly blog series leading up to HIMSS13 on the drivers motivating use of workarounds by healthcare workers, what specific workarounds they are using, and where privacy and security is breaking down.


What risks are you seeing in your healthcare organization with sensitive healthcare data moving from endpoint devices into unsecured clouds?


If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.


Breaches resulting from lost or stolen electronic medical record (EMR) servers or backups are usually less likely than breaches from loss or theft of mobile devices. However, searching on “server” or “backup” in the Health and Human Services published data on breaches affecting 500 or more individuals shows that these types of breaches have occurred many times in recent years.

When these types of breaches do occur they often have a much higher business impact than breaches resulting from loss or theft of a mobile device. This is because server or backup breaches often involve records for all of the patients in the EMR, rather than the small subset of patient records stored on a mobile device, for example for the patients a healthcare worker will visit on a particular day. The Ponemon 2011 Cost of a Data Breach Study shows that the average total cost of a breach in 2011 was $5.5 million USD, clearly a staggering cost for any healthcare organization.

These types of risks can be effectively mitigated using encryption on EMR databases and backups. However, activating encryption on databases adds significant additional computational overhead that can noticeably degrade performance of the EMR, the healthcare worker user experience and productivity, and ultimately the quality of patient care. Accelerating encryption on databases running on Xeon processors using Intel AES-NI (Advanced Encryption Standard – New Instructions) can offload most of the additional encryption and decryption overhead, enabling strong encryption security to avoid breaches, while also preserving performance and enabling a great healthcare user experience, productivity, and improved quality of patient care.


For more about encryption performance of InterSystems Cache database and the benefits of Intel AES-NI, including the use of new Multi-Buffer capability for interleaved encryption of multiple data blocks, see the whitepaper High Performance Encryption for Electronic Health Record Databases.


To find out more about encryption overhead and the benefits of Intel AES-NI in an Epic Systems Corporation Reporting Solution using an Oracle database see the whitepaper Encrypt Healthcare Data with Performance Using Intel® Xeon® Processors.


What questions do you have?


Healthcare and Life Sciences are currently challenged with multiple major trends including EHR, HIE, BYOD IT (Bring Your Own Device – Information Technology), Big Data IT, social media, advanced threats, and increasingly complex regulations. These promise compelling benefits, but also bring significant privacy and security risk. Concurrently, breaches have reached alarming levels of frequency and business impact. Healthcare trends including BYOD and social media are empowering healthcare workers with more tools than ever before to deliver great patient healthcare, but these tools also bring non-compliance issues and additional risk.


That's why you should take 20 minutes and check out this concise, on-demand webinar, Data Security in Healthcare: A Foundational Approach.


This webinar from Intel and Dell SecureWorks discusses practical strategies and best practices as a foundational approach to using privacy and security as an enabler to embrace healthcare trends safely, realizing the benefits while minimizing the risk of security incidents such as breaches. Delivering strong security while enabling a great healthcare worker user experience is key to user acceptance of security, compliance, and avoiding healthcare workers being compelled to use alternatives that bring additional risk.


Future technical security safeguards will increasingly be implemented as services and software that are vertically integrated with hardware assisted security for both stronger security and an improved user experience. Key technical safeguards are discussed including encryption, 2-factor authentication, anti-malware, IDS / IPS, IAM, anti-theft / remote lock and wipe, and DLP. This hardware assisted security, that is, security hardware embedded in client and server processors, will serve to accelerate, harden, improve the usability of and reduce the cost of security solutions for healthcare. Administrative tools including policy, procedures, risk assessments, training, and audit and compliance are also discussed as key safeguards within a holistic approach to ensure robust privacy and security.


Where are you seeing challenges with your healthcare workers' user experience with security, and what kinds of alternative BYOD, social media or other tools are they using that drive non-compliance issues and additional risk?

Healthcare workers are being empowered by several key trends. BYOD (Bring Your Own Device), also known as consumer IT, is widely believed to be the future of IT. Social media and social networking are also empowering healthcare workers with new ways to collaborate. These trends deliver powerful tools including personal smartphones and tablets with a myriad of powerful apps, several social media platforms and tools, file transfer services, personal email, USB sticks, and many others.

Read the new whitepaper on health IT security, user experience and risk.


While powerful tools, these alternatives also bring many privacy and security risks, and may not be in compliance with the privacy and security policy of the healthcare organization. If security safeguards deployed on healthcare systems, such as slow encryption or cumbersome 2-factor authentication, impede healthcare workers and their ability to deliver great patient care, then healthcare workers may be compelled to use one or more of these alternatives, which may in turn lead to non-compliance issues and additional risk. Securing healthcare systems with safeguards that are strong but also enable a great user experience is increasingly important going forward, as powerful but risky alternatives grow. Security must be performant, robust, usable and cost effective for end user acceptance, improved compliance and lower risk.


Intel provides hardware assisted security that improves security solutions by accelerating them, hardening them, making them more usable, and/or reducing cost. McAfee provides several security solutions for healthcare that are tightly vertically integrated with Intel hardware assisted security to provide strong security solutions with a great user experience, enabling improved healthcare worker compliance and lower risk to the healthcare organization. These security solutions enable healthcare to safely embrace trends such as migration to EHRs (Electronic Health Records), HIE (Health Information Exchange), mHealth (Mobile Health), and Personalized Health and Personalized Medicine, benefitting from them while minimizing risk of security incidents such as breaches.


Read more in the whitepaper Healthcare Security: User Experience, Compliance and Risk about the importance of healthcare user experience with security, how it can impact compliance and risk, and innovative integrated solutions from McAfee and Intel that deliver strong security with a great user experience.


For more information about what you will learn when you read the whitepaper, and to hear some examples of health IT security workarounds to watch out for, take a look at the video below and listen to the podcast I did with Raj Samani, vice president and chief technology officer, EMEA, at McAfee.


What questions do you have?

[Image: podcast slide]

Risk assessments are often driven by regulations such as the HIPAA Security Rule, incentives such as Meaningful Use (see Core Objective 15) or compliance with standards such as ISO 27001 for Information Security Management Systems. Risk assessments can also be a valuable tool to allocate limited budget to reduce the most business risk, as discussed in my previous blog on Maximizing the Value of Risk Management in Healthcare. Risk assessments identify the highest priority risks, in terms of likelihood and business impact, and the safeguards required to mitigate these risks. However, just doing risk assessments doesn’t improve the organization's security posture. Actually reducing risks, and improving security posture, requires addressing the privacy and security deficiencies identified in the risk assessment by implementing administrative, physical and technical safeguards.


However, in practice there are many things that can get in the way of successfully improving the security posture of a healthcare organization, as shown by the survey results below sourced from the HIMSS Industry Solution Webinar titled “Embrace Healthcare Change Safely: Practical Strategies for Security Risk Management,” currently available free on demand.

[Figure: survey results, biggest obstacle in implementing security]

Healthcare is driven by the key goals of improving the quality and reducing the cost of patient care. This translates into cost reduction pressure, and limited budget for privacy and security is the top-of-mind, fundamental obstacle to implementing security. Making the best use of limited resources is key to reducing the most business risk, and risk assessments done well and regularly (at least annually) can meet this need by guiding allocation to reduce the most business risk in a measured way that avoids over-securing in some areas, under-securing in others, weakest links and significant residual risk.


Lack of available staff with the necessary expertise to do privacy and security is identified by these survey results as the second greatest obstacle to implementing security. Engaging external professional services for privacy, security and risk assessment is a practical best practice to overcome this obstacle. Hiring staff, or making existing staff available to participate in privacy and security initiatives together with external professional services, can help better guide these initiatives and build this key expertise within healthcare organizations over the longer term.


Gaining executive buy-in by reporting regularly on compliance and risk management is critically important to the success of privacy and security initiatives. ROI (Return On Investment) analysis for the highest priority risks identified in risk assessments can also help influence positive decisions from executives and financial stakeholders. Having the right audit framework around risk management can help overcome obstacles associated with security initiatives stalling in implementation due to higher priority initiatives. For example, establishing a process that requires an IT manager tasked with implementing a security control to formally sign off on implementation, or to waive the risk associated with not implementing a security control, can help move such initiatives up in priority on task lists. Of course, the usual project management best practices also apply to implementing security, including assigning owners and dates, and managing through to final implementation of security safeguards.


For robust privacy and security it is critically important that implemented safeguards continue to be effective. Monitoring existing controls for effectiveness is essential. This includes user acceptance, since if users don’t accept security, or seek alternatives that circumvent or disable security (and there are many, e.g., from consumerization/BYOD), this can lead to ineffective security, non-compliance issues, and significant residual risk. See my previous blog on Healthcare User Experience, Compliance and Risk for more on this, and on how vertically integrated security solutions that make use of Intel hardware assisted security can provide technical security safeguards that are performant, robust, usable and cost effective.


What challenges do you see with implementing security within your organization?

Learn more about improving your healthcare organization's security posture in this concise interactive narrated presentation.