Give your security system a thorough review
Internal users are the biggest risk
You don't leave the hospital's doors open at night without security guards, but do you leave your information system vulnerable to unauthorized use?
Recent studies show that hospitals and other health care organizations need to implement stronger security controls. (For more information on one study, see cover story.)
In fact, the risk of unauthorized users breaching the data at your facility depends on your organization's environment, says Dale W. Miller, director of consulting services of Irongate Inc. in San Rafael, CA. "In some organizations, it's fairly easy for people to look up information on the system."
Although outside access through Internet and network connections is becoming more of an issue, the biggest threat to security is still from the inside, he contends.
"The biggest areas of risk are internal users, the people who already have legitimate access to the system and either access information that they don't have a need to know in order to do their job or leave the system vulnerable so that other people can have access to it," explains Sandra R. Fuller, MA, RA, vice president of practice leadership for the American Health Information Management Association in Chicago.
Easy access for anyone?
"It's not that the system is inherently insecure, but [facilities that have] security practices of leaving terminals logged on or downloading free or public software that may be corrupted aren't good," adds Fuller.
Unfortunately, easy access to unauthorized information for internal users usually means easier access for outside users as well, Miller says.
Several companies have protocols that can help assess the risk of an information system. For example, the Computer-Based Patient Record Institute in Bethesda, MD, offers a comprehensive checklist of security features on its Web site at http://www.cpri.org.
On a smaller scale, here are some suggestions on what to look for in a risk assessment, beginning with some technical points:
1. Are computer displays located so that the screen cannot be seen by an unauthorized person? "Some of the newer flat panel screens are easier to position because they are thinner," notes Miller.
2. Do you have an automatic time-out feature that blanks the screen when it is not in use?
3. Does each staff member have an individual ID and password? IDs that are shared among several people often become known by quite a few others, says Miller.
4. Do staff have access only to information for patients under their jurisdiction?
5. Do you use secure patient identifiers?
6. Are terminated employees immediately denied access to the system?
7. Do you audit user access? Some systems allow you to track what information people are accessing, Miller says. "They create a file that indicates which records people have looked at and when they have looked at them. You can at least identify the fact that the person is logged into the system, and they have looked at specific screens."
Miller cautions health information managers about using audit logs. Audit logs generate a lot of information. "It can be difficult to sort out what's legitimate and what isn't. Good software that will help you analyze those logs is important."
Don't forget to protect the logs themselves against unauthorized change. For example, someone could look up information, then go in and modify the log file to remove the record of the access.
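The two audit-log points above, making the log itself tamper-evident and sorting legitimate from questionable accesses, can be illustrated with a short program. This is an added example, not code from the article or from any vendor system it mentions: it keeps each audit entry chained to the previous one with an HMAC under a key the application holds (so a user who edits the log file cannot recompute the tags), and it runs a simple "outside the user's unit" check over a few constructed sample events. The event fields, unit names, user names and the exemption for admitting clerks viewing demographics are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (hypothetical data, not from any real system).
# Each event records who looked at which patient record, when, and from which unit.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11", "user": "rn_alvarez", "unit": "ICU",
     "patient": "P1001", "patient_unit": "ICU", "screen": "labs"},
    {"ts": "2024-03-01T08:05:40", "user": "rn_alvarez", "unit": "ICU",
     "patient": "P1002", "patient_unit": "ICU", "screen": "meds"},
    {"ts": "2024-03-01T09:15:03", "user": "clerk_ng", "unit": "ADMIT",
     "patient": "P2001", "patient_unit": "ONC", "screen": "demographics"},
    {"ts": "2024-03-01T12:44:59", "user": "rn_alvarez", "unit": "ICU",
     "patient": "P3007", "patient_unit": "ONC", "screen": "notes"},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(event):
    # Deterministic serialization so the same event always yields the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, event, key):
    """Append one event to a tamper-evident chain.

    Each entry carries the hash of the previous entry plus an HMAC, keyed with a
    secret only the logging application holds, over prev_hash || event.  A user
    who can edit the log file can alter or delete lines but cannot recompute
    valid tags, so the change shows up on verification.
    """
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    msg = prev_hash.encode() + _canonical(event)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    entry_hash = hashlib.sha256(msg + tag.encode()).hexdigest()
    chain.append({"event": event, "prev_hash": prev_hash,
                  "tag": tag, "entry_hash": entry_hash})
    return chain


def build_chain(events, key):
    chain = []
    for e in events:
        append_event(chain, e, key)
    return chain


def verify_chain(chain, key, tip=None):
    """Return the index of the first bad entry, or None if the chain is intact.

    A hash chain alone does not notice that the *last* entries were cut off, so
    the caller may pass `tip`, the entry_hash last recorded somewhere the users
    cannot write (a separate server, write-once media).  A chain whose final
    hash differs from `tip` is reported as broken at index len(chain).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        msg = prev_hash.encode() + _canonical(entry["event"])
        expected_tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
        expected_hash = hashlib.sha256(msg + expected_tag.encode()).hexdigest()
        if (entry["prev_hash"] != prev_hash
                or not hmac.compare_digest(entry["tag"], expected_tag)
                or entry["entry_hash"] != expected_hash):
            return i
        prev_hash = entry["entry_hash"]
    if tip is not None and prev_hash != tip:
        return len(chain)
    return None


def out_of_jurisdiction(events):
    """Flag lookups where the user's unit differs from the patient's unit.

    Admitting clerks (assumed here) legitimately see every patient's
    demographics, so that screen is exempted.  A flagged event is a question
    for the user's manager, not proof of misuse.
    """
    flagged = []
    for e in events:
        exempt = e["unit"] == "ADMIT" and e["screen"] == "demographics"
        if e["unit"] != e["patient_unit"] and not exempt:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    key = b"example-log-signing-key"  # placeholder; the real key stays with the application
    chain = build_chain(SAMPLE_EVENTS, key)
    tip = chain[-1]["entry_hash"]
    print("intact:", verify_chain(chain, key, tip) is None)
    # An insider deletes the line recording their own out-of-unit lookup.
    del chain[3]
    print("after deleting last entry, checked against stored tip:", verify_chain(chain, key, tip))
    for e in out_of_jurisdiction(SAMPLE_EVENTS):
        print("review:", e["user"], "viewed", e["patient"], e["screen"], "at", e["ts"])
```

The chain detects an altered or removed entry in the middle because the next entry's stored `prev_hash` no longer matches; removing the most recent entry is only caught when the last hash is also kept somewhere the user cannot edit, which is the point of the `tip` argument.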
Here are some questions to ask about Internet access, according to Miller and Fuller:
· Do you prohibit transmission of patient identifiable information via the Internet?
· Do you use encryption?
· Have you installed appropriate firewalls between the Internet and the organization's network and systems?
· Do you know all of the Internet connections on your system? "When you connect machines to your network and provide workers with a modem connection, you might not even know they're connected to the Internet or that they've set that up on their machine," adds Miller.
Also examine these policy issues:
· Does your hospital have a clear information security policy?
· Do you have training programs for staff?
· Are workers aware of the consequences for bad or inappropriate behavior?
If you talk to security vendors about the features of their systems, remember that vendors provide different security capabilities in different combinations, Miller says. They also offer different features for different versions of their software. "Newer versions may have more security capabilities available."