By Sarma Pisapati, Chief Technologist for eHealth
It is no surprise that security is of paramount importance with respect to protected health information and electronic patient information. With that securely in mind, I’d like to offer some thoughts on best practices for IT security in the healthcare world. While these certainly are not a complete and definitive statement on the topic, they do represent food for thought.
The Institute for Security and Open Methodologies (ISECOM) defines security as "a form of protection where a separation is created between the assets and the threat." In healthcare, the assets of concern are Protected Health Information (PHI) and Personally Identifiable Information (PII).
In electronic health systems, sensitive information is exposed to threats both as stored data and as it moves from point to point. Health Information Exchange (HIE) systems are particularly exposed because PHI crosses organizational and network boundaries by design. (See our posts, “Health Information Exchange: Raison d'être,” Part 1 and Part 2.)
Security best practice entails “defense in depth,” a strategic approach borrowed loosely from the military: several independent layers of protection, so that a failure in one layer does not by itself expose the assets. At a minimum this means a multi-tier model. Think of concentric circles of security.
It starts with the physical security of the systems hosting the HIE solution. For example, access to the data center is granted only through two-factor personnel identification, such as a badge plus a security code. Surveillance cameras, infrared motion detectors and similar controls detect unauthorized entry, and power and environmental systems are protected against accidental shutdown. To keep the systems operating through outages and disasters, a strict and well-tested disaster tolerance strategy is in place.
Moving up the tiers, network access is protected with Intrusion Detection and Prevention Systems (IDS and IPS), together with anti-spam, anti-virus, and Denial-of-Service (DoS) mitigation. In a further layer, all user requests are routed through a front-end protection tier that inspects them before they reach the application servers.
Infrastructure is segmented and multi-tiered, with network firewalls restricting access to applications and data and keeping sensitive information deep in the protected tier. Application-layer appliances that detect attacks exploiting XML parsing are also in place in front of the XML-based interfaces. Moreover, mandated interoperability standards and data-sharing agreements are strictly implemented so that exchange between participants remains secure.
Application and information access is controlled by standard authentication and authorization. Data is encrypted both at rest and in motion. Apart from standard authentication technologies such as LDAP, Kerberos, and certificates, systems are modernized by implementing Security Assertion Markup Language (SAML) for federated identity across organizations. HIEs implement standard role-based access control (RBAC) to authorize access to patient information.
Security best practices also include appropriate data retention and destruction policies. And HIEs implement patient privacy through consent management.
Currently, experts feel that an opt-out model (a patient's records are exchanged unless the patient declines) would best ease meaningful use and the flow of information among care organizations. An advanced consent management service would allow more granular authorization on top of that default, for example withholding particular categories of data or limiting exchange to particular organizations.
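To make the interaction between RBAC and consent management concrete, here is an added example (not code from the original post or from any HIE product). The role names, data categories, organization names and consent semantics are illustrative assumptions; the point it demonstrates is that authorization is two independent gates, a role check and a consent check, and that every decision, allowed or denied, lands in the audit trail.

```python
"""Added example: RBAC authorization gated by patient consent (opt-out model).

Not code from the original post. Role names, data categories and consent
semantics are illustrative assumptions; an HIE substitutes its own.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (action, data category)

# Hypothetical role -> permission mapping. Roles are assigned to users;
# permissions never attach to individual users directly.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "physician": {("read", "labs"), ("read", "medications"),
                  ("read", "mental_health"), ("write", "notes")},
    "nurse": {("read", "labs"), ("read", "medications")},
    "billing": {("read", "demographics")},
}

# Actions that disclose PHI and therefore also require patient consent.
DISCLOSING_ACTIONS = {"read"}


@dataclass(frozen=True)
class Consent:
    """Patient consent under an opt-out model.

    No consent record at all means the patient has not opted out, so
    exchange is permitted. A record can withdraw sharing entirely
    (opted_out), withhold particular categories (restricted), or limit
    sharing to named organizations (allowed_orgs); the latter two are the
    granular controls an advanced consent service adds.
    """
    opted_out: bool = False
    restricted: FrozenSet[str] = frozenset()
    allowed_orgs: Optional[FrozenSet[str]] = None  # None = any HIE participant

    def permits(self, category: str, org: str) -> bool:
        if self.opted_out or category in self.restricted:
            return False
        return self.allowed_orgs is None or org in self.allowed_orgs


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    org: str
    action: str
    category: str
    patient_id: str


def role_permits(role: str, action: str, category: str) -> bool:
    """RBAC gate: unknown roles have no permissions at all."""
    return (action, category) in ROLE_PERMISSIONS.get(role, set())


def authorize(req: Request, consents: Dict[str, Consent],
              audit: List[dict]) -> bool:
    """Two independent gates: the role must allow the action and, for
    disclosing actions, the patient's consent must allow it. Every decision
    is appended to the audit trail, denied or not, with the reason."""
    if not role_permits(req.role, req.action, req.category):
        decision, reason = False, "role_denied"
    elif req.action in DISCLOSING_ACTIONS and not consents.get(
            req.patient_id, Consent()).permits(req.category, req.org):
        decision, reason = False, "consent_denied"
    else:
        decision, reason = True, "ok"
    audit.append({"user": req.user, "role": req.role, "org": req.org,
                  "action": req.action, "category": req.category,
                  "patient": req.patient_id, "allowed": decision,
                  "reason": reason})
    return decision


# Constructed consent records for the demo (assumed, not real data).
CONSENTS: Dict[str, Consent] = {
    "p-1": Consent(),                                   # default: shareable
    "p-2": Consent(opted_out=True),                     # withdrew from the HIE
    "p-3": Consent(restricted=frozenset({"mental_health"})),
    "p-4": Consent(allowed_orgs=frozenset({"clinic-a"})),
}


def run_demo() -> List[dict]:
    """Run a constructed batch of requests and return the audit trail."""
    audit: List[dict] = []
    for req in [
        Request("dr.lee", "physician", "clinic-a", "read", "labs", "p-1"),
        Request("dr.lee", "physician", "clinic-a", "read", "labs", "p-2"),
        Request("dr.lee", "physician", "clinic-a", "read", "mental_health", "p-3"),
        Request("dr.lee", "physician", "clinic-a", "read", "labs", "p-3"),
        Request("rn.kim", "nurse", "clinic-b", "read", "labs", "p-4"),
        Request("rn.kim", "nurse", "clinic-b", "read", "mental_health", "p-1"),
        Request("dr.lee", "physician", "clinic-a", "write", "notes", "p-1"),
    ]:
        authorize(req, CONSENTS, audit)
    return audit


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two design choices are worth noting. The role check runs first so that a consent lookup never happens for a user who has no business asking, and the audit entry records which gate denied the request, which is what a periodic log review (discussed under governance below) needs in order to distinguish a misconfigured role from a patient's exercised restriction.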
The clinical information dataset used for system tests is complete and de-identified per HIPAA regulations.
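As an added illustration of what "de-identified per HIPAA" means in practice (this is not code from the original post), the following applies the Safe Harbor method of the HIPAA Privacy Rule, 45 CFR 164.514(b)(2), to a constructed test record: the direct identifiers are removed, dates are reduced to the year, ages over 89 are aggregated into "90+", and ZIP codes are truncated to three digits, with the low-population prefixes listed in HHS guidance zeroed out. The field names, the sample records and the free-text scrubbing patterns are assumptions.

```python
"""Added example: HIPAA Safe Harbor de-identification of a test dataset.

Not code from the original post. Field names, sample records and the
free-text patterns are assumptions; the rules follow 45 CFR 164.514(b)(2).
"""
import re
from datetime import date
from typing import Any, Dict

# Direct identifiers that Safe Harbor requires removing outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# according to HHS guidance (2000 census data); they must become "000".
# Keep this list current with the guidance in use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Free-text fields still have to be scrubbed; these patterns are an
# assumed minimum, and real notes need review beyond regexes.
FREE_TEXT_FIELDS = {"note"}
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is low-population."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text: str) -> str:
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of one record."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            dob = date.fromisoformat(value)
            age = age_on(dob, as_of)
            if age > 89:
                out["age"] = "90+"        # birth year would reveal age > 89
            else:
                out["age"] = age
                out["birth_year"] = dob.year
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value[:4]   # year only
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_free_text(value)
        else:
            out[key] = value              # clinical content is retained
    return out


# Constructed sample records (fictional people, not real PHI).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "dob": "1961-03-15", "zip": "02139",
     "ssn": "123-45-6789", "phone": "617-555-0100", "mrn": "MRN-0001",
     "admission_date": "2023-05-20", "diagnosis": "E11.9",
     "note": "Called pt at 617-555-0142 re labs"},
    {"name": "John Roe", "dob": "1930-01-02", "zip": "03601",
     "email": "john.roe@example.com", "mrn": "MRN-0002",
     "discharge_date": "2023-05-22", "diagnosis": "I10",
     "note": "Spouse reachable at john.roe@example.com"},
]


def deidentify_all(as_of: date = date(2023, 6, 1)):
    return [deidentify(r, as_of) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec in deidentify_all():
        print(rec)
```

Safe Harbor's last item, "any other unique identifying number, characteristic, or code," is the one a mechanical pass cannot catch, so a test dataset produced this way still needs a human review of free-text fields before it is treated as de-identified.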
Governance is essential for successful security. Security governance rests on three pillars: people, processes and products (technology and services). Governance must address all three:
- People: Both end-users and the system support staff are continually educated on security advances, threats, risks, and the penalties associated with breaches.
- Processes: Logs and audit trails are analyzed on a regular schedule, and processes are updated in response to findings before they can result in damage to the system.
- Technologies: Components that cover authentication, authorization, audit, and encryption are continuously updated to incorporate advances in security.
Lastly, the security officer and his/her professional team conduct periodic reviews of the systems to enforce strict policies and to safeguard systems and patient information. They are fully aware of HIPAA and HITECH compliance requirements and are prepared with rigorous standard procedures and breach-reporting requirements so that incidents are prevented where possible and handled correctly where not.
If you want to read more about health information technology and security, check out the additional resources below. And also, please leave me a comment if you’d like to suggest some other Healthcare IT best practices for protecting health information.