Here's how to protect your data in a network setting
Decentralizing minimizes the chance of break-ins
Data security systems have become so sophisticated they can be adapted to virtually any environment. But unlike banks and insurance companies, which have been guarding their data for decades, outpatient providers are relative newcomers to the possibilities of the technology.
That may be changing. Hospitals are quickly catching up with other industries. And now, freestanding ambulatory care centers (ACCs) are investigating the benefits of state-of-the-art technology, says James Ryland, senior data security analyst with ScrippsHealth in San Diego.
Hospitals and ACCs have a lot in common from a security standpoint. When joining provider networks, individual ACCs should attempt to integrate whatever security they already have in place with the network’s overall system. That’s because the same technology can protect a 1,000-bed medical center and a network of outpatient facilities, Ryland says.
New laws and industry guidelines are imposing higher privacy standards on providers. The issue hit a nerve last year when an irate U.S. congresswoman slapped an inpatient facility (St. Clare’s Hospital in New York) with a $10 million lawsuit. Details of a suicide attempt, which were documented in the legislator’s medical record, were made public.
More recently, authorities arrested 16 Maryland Department of Social Services employees for breaking into state medical records and selling confidential Medicaid information to health insurance salespeople.
Meanwhile, the federal Health Insurance Portability and Accountability Act of 1996, which was signed by President Clinton last August, imposes fines and penalties of up to $250,000 and 10 years in jail for stealing confidential patient information.
Providers are clearly placing more emphasis on patient-data security out of concern for privacy and confidentiality, says Dale N. Will, a technology expert with First Consulting Group, located in Long Beach, CA.
With so many patients moving in and out of outpatient centers daily, administrators are asking fundamental questions about protecting their patient data, he adds. According to security experts, integrated systems work best when you follow these five basic steps:
1. Decentralize the system.
A decentralized system spreads your risk, Ryland says, because no single office or individual in the network is responsible for overall data protection. This increases accountability, which reduces the chances of break-ins, Ryland adds.
It also minimizes the risk of data loss in a major system failure. The information isn’t stored in a central location but distributed throughout the network. Therefore, the larger the network, the more decentralized the system should be, he adds.
Decentralization also creates a division of labor. The director of contracting, for example, would be responsible only for contracting or actuarial-related data. The director of medical records would preside only over clinical information.
2. Track security flaws daily.
Evaluate weak spots, regardless of how small or insignificant, says Gary R. Gray, manager of data security at Group Health Cooperative of Puget Sound in Seattle. Most information software contains built-in security devices with internal alarms that alert a designated office or user of an unwarranted intrusion. The alarms typically work with the facility’s main security system and announce the breach either on a computer screen or by some other sounding method.
Some monitoring systems are so specific they can trace a single keystroke from any terminal in the network and record the incident in a "journal." Batch these incidents and convert them into daily reports that can keep security managers abreast of slip-ups and suggest corrective measures, Ryland says.
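One way to do the batching described in step 2, as an added example that is not part of the original article: it groups journal incidents by day and terminal and marks terminals that need follow-up. The journal line layout, the event names and the review threshold are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed journal lines; the field layout is an assumption for this example.
SAMPLE_JOURNAL = """\
1997-03-04T08:15:22 term=ADM-03 user=jdoe event=LOGIN_FAIL
1997-03-04T08:15:41 term=ADM-03 user=jdoe event=LOGIN_FAIL
1997-03-04T08:16:02 term=ADM-03 user=jdoe event=LOGIN_FAIL
1997-03-04T09:02:10 term=REC-11 user=asmith event=ACCESS_DENIED
1997-03-04T09:30:00 term=REC-11 user=asmith event=LOGIN_OK
this line is damaged and cannot be parsed
1997-03-05T07:59:48 term=LAB-02 user=mlee event=ACCESS_DENIED
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"term=(?P<term>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)
INCIDENT_EVENTS = {"LOGIN_FAIL", "ACCESS_DENIED"}  # assumed event names
REVIEW_THRESHOLD = 3  # assumed: incidents per terminal per day needing follow-up


def daily_reports(journal_text):
    """Batch journal incidents by day; return (reports, unparsed_lines)."""
    per_day = defaultdict(Counter)
    unparsed = []
    for raw in journal_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # surface damaged entries instead of dropping them
            continue
        if m["event"] in INCIDENT_EVENTS:
            per_day[m["day"]][m["term"]] += 1
    reports = {}
    for day in sorted(per_day):
        by_term = per_day[day]
        reports[day] = {
            "total": sum(by_term.values()),
            "by_terminal": dict(by_term),
            "needs_review": sorted(t for t, n in by_term.items() if n >= REVIEW_THRESHOLD),
        }
    return reports, unparsed


if __name__ == "__main__":
    reports, unparsed = daily_reports(SAMPLE_JOURNAL)
    for day, report in reports.items():
        print(day, report)
    print("unparsed:", unparsed)
```

Lines that do not parse are returned alongside the report, so a damaged or tampered journal entry shows up in the daily review rather than disappearing.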
3. Standardize the information protocol.
Adopting a standard format for transmitting and displaying information simplifies the process, says Will. The purpose is to get everyone working with the same set of rules. This tends to minimize computer language gaps among facilities and reduces the probability of a breach, Will adds.
Transmission protocols send the information according to a common set of rules, which helps computers recognize the data moving through the system. Two common transmission protocols are TCP/IP and SPX/IPX. They are usually associated with the Unix and Novell network operating systems, respectively.
Health Level 7, a widely-used national format for packaging and presenting computerized data, also helps standardize the presentation. What each user in the network sees on the screen is consistent with everyone else. Health Level 7 was developed by the Washington, DC-based American National Standards Institute. (For more information on standards and protocols, see the source list, above.)
4. Create a policy statement for the organization.
Policy statements not only outline the goals of the network’s data protection program but also offer legal proof, in the event of litigation, that the organization has clear-cut security measures, Ryland notes.
In drafting a policy statement, avoid general "boiler-plate" definitions and designations for security measures, Ryland says. Be specific about procedures, and identify departments and individuals by name and the categories of data covered by the program.
The statement also should be universal. Each facility in the network has to have the same policy and adhere to it in the same manner. "[It] should be clear, straightforward, and understandable to everyone," Ryland says.
5. Keep changing the encryption and decryption tables.
Encryption and decryption tables are vital in a network setting where the information routinely flows in and out of separate facilities. They serve as coded obstacles that blur the information when unauthorized users try to intercept the signals.
Unfortunately, they aren’t always changed to prevent deciphering. But good security software makes changing these tables automatic. One of the best programs is found in Kerberos, an operating system developed by the Massachusetts Institute of Technology in Cambridge.
Changing user passwords and identification codes regularly and unexpectedly is also a good idea. In effect, all safeguards work best when humans oversee them, Ryland says. "By themselves they’re extremely fallible," he adds.