The Need for Information Security, Technical Innovation and Clinical Change. 1

The Need for Information Security, Technical Innovation and Clinical Change

ISM 3011– Information Systems Management

Abstract The Tri-County Life Care of the Treasure Coast (TLC) is a non-profit organization providing in-home health-care services throughout Florida's Indian River, Brevard, and northern St. Lucie Counties. TLC has been serving this community for over thirty years, but what truly makes us unique is our tradition of providing comprehensive health-care—whenever and wherever our patients need it. Tri-County Life Care, Inc. offers the highest quality and most reliable in home wellness care in the convenience and comfort of client home. (TLC) have been providing superior service to there clients and have help them in achieving their goals. Whatever your needs are, TLC home health team will design a plan that is specific to you and your situation. Whenever your health needs can be met at home, TLC staff is on-call 24 hours a day, 7 days a week. Owners and officers representing TLC are Chief Executive Officer - Eric Maar, Chief Financial Officer - Satchell Peterkin, Chief Technology Officer - Raquel Queen, and Chief Information Officer - Kerry Cosner. These individuals are committed to providing the clinical staff with the most technologically advanced tools available to effect patient care in the most advantageous way possible. This article will address some of the challenges faced by the Information Systems department and its’ relationship with the clinical field staff that support the needs of the patients in the communities the TLC serves. A few of those challenges involve the following: · Enhancing the privacy and security of the patient information stored on and transmitted by the laptop field devices used by the visiting clinical staff. · The need to upgrade and change the technology and software utilized by the clinical associates to increase productivity and ease of use without sacrificing security and privacy. Mobile computers are quickly emerging as the industry standard in technology for increasing the efficiency and productivity of a mobile clinical field staff. However, the portable nature of these devices poses an increase in the possibility of loss or theft. Consequent exposure of sensitive data can result in financial loss, legal ramifications, and damage to the agency’s brand and reputation. Field devices such as laptops and PDAs used in charting patient health-care records in their homes are at an elevated risk of loss and theft due to their portability (Thomas 2007). Some of the environmental factors that affect the decision outcome are the increasing amount of medical information susceptible to security breaches and the state and federal guidelines imposed by the Health Insurance Portability and Accountability Act (HIPAA) for security 1 and privacy 2 of protected health information as well as the new 2009 Health Information Technology for Economic and Clinical Health Act (HITECH)3 for breach notification as part of American Recovery and Reinvestment Act of 2009 (ARRA)4.
TLC’s current information systems policies are compliant with state and federal health-care guidelines and procedure states that: In the event of loss or theft of a portable device (laptop, PDA) all patients whose data had been stored on device must be notified of the incident as well as provided with two years of credit and Medicare monitoring and protection. In all instances where the data breach affects more than 500 people located within the same region, the notification must be published in the local newspapers as well as mailed to the affected individuals (HIPAA 2009). If a percentage of the mailed notifications are returned due to address change and the correct address cannot be determined, the notification must also be published on the company’s web site for up to a year. In order to protect the access to the patient data stored on the portable devices TLC utilizes dual factor authentication for device and application user names and passwords, which meets the minimum HIPAA state and federal administrative safeguards.
Taking these two mere facts into consideration, it begs two questions for our organization to deliberate:

• Can we do more to protect our patient’s data? o What more can be done to protect the data stored in and transmitted from the clinician’s laptop field device? We appear to be doing what is necessary by HIPAA technical and administrative standards but, there may be opportunities to put additional measures into effect that will benefit the patient as well as the overall agency’s interests • What is the risk if we do nothing more? o Immediate compliancy issues are being met by our current security strategy, but there are future standards placed on health-care organizations by the new HITECH Act that are more stringent than those currently imposed by HIPAA. These new regulations will be in effect in February 2010, but we should consider the advantages in implementing policies and procedures regarding these regulations before they become mandatory.
According to a national survey completed in September 2008, portable electronic data accounted for 37% of the data that is susceptible to a theft or breach in security (see Figure 1, for data regarding medical information susceptible to security breaches).
This was compared to similar susceptible risks in medical information recorded in paper files stored in medical records (40%) and in on-line data repositories (15%) as illustrated in Figure-1 (Surveys say: 2008).
In an attempt to further address this risk we will us a SWOT situational analysis to establish the need for strategic change by evaluating the strengths, weaknesses, opportunities, and threats in both the clinical and information systems departments in respect to the challenges previously mentioned. I will also evaluate the potential advantages we can gain agency wide by examining current and future innovation streams and considering a plan involving technological discontinuity.
Strengths:
The information systems department has enforced dual factor user authentication on all clinical charting devices that are portable from the confines of the agency. The devices chosen to house the clinical software client for the clinical field staff are the Fujitsu LifeBook eight inch touch screen laptop. When the users power on the device they are confronted with the standard Microsoft Windows authentication using a user-name, password and domain. Once Windows has accepted the proper combination of these three credentials it loads a standard user desktop that includes icons for their clinical software, Outlook email, and remote VPN connectivity to the agency domain. Each of these requires, at a minimum, a secondary set of user credentials separate from their initial Windows authentication. The strength of these credentials is increased by the thirty day change frequency of the password as well as the eight character minimum length that must contain a combination of letters, numbers and special characters. This form of dual factor authentication combined with change frequency and complexity keeps the agency compliant with one of the administrative guidelines imposed by the Health Insurance Portability and Accountability Act (HIPAA) that we must abide by as a health-care covered entity.
Weaknesses:
One of the few weaknesses in the above mentioned authentication process is that the length and complexity of the password often causes the clinician to write down the password each time it changes. They will refer back to their written not until they feel comfortable remembering the password. During that time the access process is at risk if the laptop is lost or stolen with the password clearly available on the device or in its secured carrying bag.
Opportunities:
There are many opportunities during the clinician’s visits to the agency to take advantage of times for education and re-education regarding privacy and security of patient information and the policies in place to safeguard it. These opportunities present themselves at new-hire orientation as well as intermittent times during the course of the year. We also have the opportunity to strengthen the protective measures without adding more to the clinician’s authentication process by adding new encryption software or advanced biometric authentication hardware.
Threats:
The most common threat is device theft for the purpose of identity theft and fraud, often resulting from insider theft. The second most common form of identity theft stems from the infection of the computer’s data by computer hacking and malware and virus attacks. The data below in Table-1 from the Identity Theft Resource Center (ITRC) shows that data breaches involving health and medical data has remained virtually unchanged from 2006 to 2008, unlike Government and Military data breaches which show a sharp decline during the same period (Data Breaches 2008). Declining health-care budgets have led to outdated IT security infrastructures and limited training resources for network support staff (see Table-1, for data breaches from 2006 to 2008).
Proposed solutions: · Add an extra layer of data protection:
An external appliance could be added to the login process of each device making the data on the device un-readable unless accompanied by the appliance and the proper user’s authentication credentials. (Utamico 2001) o Possible appliances: ▪ USB biometric fingerprint reader 5 ▪ USB data encryption smartcard and reader 6 · Encryption software could be added prior to the login process of each device, encrypting the data at the disc storage level making the data on the device un-readable unless accompanied by the appropriate user’s proper authentication credentials. Two types of encryption are currently available to user organizations: self-encrypting hard drives and software-based full-disk encryption. Together, these two techniques can provide a high level of protection by ensuring that there will be no loss of data can occur if a third party retrieves a mobile device. o The following are possible encryption software configuration solutions: ▪ Individual data file encryption ▪ Full data disk encryption
The following are comparable solution costs for 170 field devices: · USB biometric fingerprint reader solution: $6,460 - $9,180 o Hardware: $31 - $47 per device o Software: Included o Annual Maintenance Support: $7.00 per device · USB data encryption smartcard solution: $7,750 o Hardware: $34 per device o Software: Included o Security Card: $6 per device o Annual Maintenance Support: $5.00 per device · PGP Whole Disk Encryption Software: $6,500 o Proactively secure confidential data on both disks and removable media. o Hardware: None o Software: $27 application per device o Annual Maintenance Support: $11 per application
The following is the recommended resolution: · Data storage on portable devices should be encrypted using full disk and file encryption to fully comply with and, where possible, exceed HIPAA state and federal regulations and to ensure the maximum protection of our patient’s privacy. · Added advantages: o Encryption software is the more affordable solution. o Without the necessity for additional hardware we eliminate the possibility of technical malfunction, minimizing potential downtime and maximizing the clinical staff’s productivity with their mobile devices. As custodian of our patient’s health care records, TLC should take all measures possible to protect all patient data as it is entered, stored and transmitted by the clinician’s field device. Although the dual factor authentication process meets the minimum state and federal guidelines imposed by HIPAA and HITECH, TLC's own policy is to take any additional precautions to safeguard the patient’s privacy and, in so doing, protect the company’s long standing trust within the medical community it serves. Adding full disc encryption to each field device enables us to implement these additional protective measures in an affective, efficient and affordable way. With the encryption enabled the data is unable to be read in the event of loss or theft. Under HIPAA guidelines a covered entity such as the TLC is no longer required to notify the patients whose personal health-care information was stored on a lost or stolen device when the device is protected in this manner. The covered entity is also no longer required to provide credit reporting and monitoring to those same patients. When so much of proper health-care relies on the trust between the patient and their caregiver as well as the trust of their family and physician, this decision has been determined to be the most appropriate.
References

Data breaches skyrocket in 2008. (DATA SECURITY)(Statistical data). March-April 2009 v43 i2 p15(1)Information Management Journal 43, 2. p. 15(1). Retrieved October 10, 2009, from Computer Database via Gale: http://find.galegroup.com/gtx/start.do?prodId=CDB
HIPAA violation costs CVS $2.25 million.(PRIVACY)(Health Insurance Portability and Accountability Act of 1996)(CVS Caremark Corp.). May-June 2009 v43 i3 p15(1)Information Management Journal, 43, 3. p.15(1). Retrieved October 11, 2009, from Computer Database via Gale: http://find.galegroup.com/gtx/start.do?prodId=CDB
Surveys say: HIPAA affects health care IT decisions. (2008, September 3). Healthcare Risk Management, Retrieved September 21, 2009, from CINAHL Plus with Full Text database: http://search.ebscohost.com/login.aspx?direct=true&db=rzh&AN= 2010019296&site=ehost-live
Thomas, G., & Botha, R A (Fall 2007). Secure mobile device use in healthcare guidance from HIPAA and ISO17799.(Author abstract). Information Systems Management, 24, 4. p.333(10). Retrieved October 11, 2009, from Computer Database via Gale: http://find.galegroup.com/gtx/start.do?prodId=CDB
Utimaco Safeware releases biometric technology-based authentication system. May 10, 2001 pNATelecomworldwire, p.NA. Retrieved October 1, 2009, from Computer Database via Gale: http://find.galegroup.com/itx/start.do?prodId=CDB Web Sites Referenced 1. HIPAA Security Guidelines: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf
2. Understanding HIPAA Privacy: http://hhs.gov/ocr/privacy/hipaa/understanding/index.html
3. Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Act: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities /breachnotificationifr.html
4. American Recovery and Reinvestment Act of 2009 (ARRA): http://www.hhs.gov/news/press/2009pres/09/20090917a.html
5. Utimaco Safeware releases biometric technology-based authentication system: http://find.galegroup.com/itx/start.do?prodId=CDB
6. One-Time Passwords: Security Analysis Using SmartCard Authentication. A. Yazici and C. Sener (Eds.): ISCIS 2003, LNCS 2869, pp 794 – 801, 2003. Retrieved September 17, 2009 from: http://www.springerlink.com/content/f5u1p913j5u82abm/fulltext.pdf?page=1

Figure 1

[pic] Table 1
[pic]