Security is a journey, not a destination.
I'm not sure when I first heard this adage, but it never had been more apparent than following Touchstone Behavioral Health's (TBH) initial deployment of a hosted electronic medical record (EMR) system for our highly mobile staff. Due diligence led us to a HIPAA-compliant application with role-based accessibility. We spent months honing policies, fine-tuning procedures, and implementing advanced technologies to secure both our network and individual computers. Training and awareness programs educated users about viruses and worms. Phase one concluded as a major success: We effectively gathered and reviewed confidential client information, securely transferring it to and from our remote data center while providing services out in the community. Although our data “in transit” were protected, we realized that work still needed to be done with our data “at rest—information stored on local hard drives and removable media.
Creating a secure infrastructure
TBH provides evidence-based outpatient services to Medicaid-eligible children in Arizona. Our model is to meet clients and their families wherever they are most comfortable. Although we support five clinical locations across the state, the majority of our encounters are in homes, schools, or other community locales.
We chose an EMR system from Credible Behavioral Healthcare Software, and it meets all of our primary application requirements: ease of use, intake-to-billing integration, and hierarchical role-based security with full reporting to support our “anywhere, anytime” care philosophy. This software-as-a-service (SaaS) solution enforces strong password authentication and encrypts bidirectional data transmission between us and the vendor's hosted data center.
Between May and June 2007, TBH obtained, configured, and deployed approximately 120 Dell Latitude laptops in preparation for the EMR launch on July 1. To provide enterprise-level security for all of our computers, with minimal end-user impact, we chose Symantec Endpoint Protection, which offers an integrated personal firewall, advanced antivirus and antispam engines, and a “behavior-based zero-day threat mitigation” application (Traditional antivirus solutions look for specific blocks of code or “signatures” within potential “malware” [change the signature and the code slips through]. Behavior-based systems examine the code's intent and block unexpected activities from executing). Combined with our existing traditional network defenses (intrusion detection and prevention, firewalls, application patching, content filtering, and e-mail encryption) and the EMR vendor's secure Web-enabled capabilities, we confidently transitioned from a paper-based system into an exciting new era leveraging technology to support our care model.
In January 2008, we began our review of phase one, and the results were very gratifying:
User acceptance was nearly universal (Some always will be more resistant to change than others).
Workflows were streamlined, eliminating redundant steps in the documentation and billing process.
Contract compliance was improved as TBH's business rules were encapsulated within the EMR to provide proper account coding.
Per-provider billing was improved by approximately 5%, despite the new system's learning curve and a change of our major regional behavioral health authority midway through the six-month transition.
More importantly, we successfully initiated a culture of data security, merging technology, policy, and user awareness to minimize our risk of a data breach.
This analysis also focused on where data reside within our systems, and how they are protected. We reexamined role assignments within the EMR system to ensure that each provider had access only to information necessary to complete his/her assignments, and that strong password authentication was functioning properly. We reviewed our database audit capabilities, as well as our internal network security policies and procedures. Finally, we looked at our users, the equipment they carry into the field, and the data they need to provide services. We concluded that the biggest remaining vulnerability was with physical devices (laptops, flash drives, CD-ROMs) and the information stored locally.
Protecting locally stored data
Major data loses regularly make headlines. News reports frequently discuss stolen or misplaced devices, such as missing hard drives at a national research lab, a stolen VA database administrator's laptop, and backup tapes lost during shipment to an off-site location. High-profile breaches are common, but thousands more losses every year never are reported in the general press. Devices are stolen from cars and homes, and computers are left in coffee shops, hotel lobbies, taxis, and airports.
Nominal security policies requiring strong passwords and an enforced lockout period after a few failed log-in attempts are enough to discourage the casual “finder” (It's easy enough to sell the device for a few dollars or simply reformat the drive for personal use). Our real concern are dedicated data thieves, those technically savvy enough to bypass our first line of defense and access the device's contents. To these individuals (and, increasingly, criminal organizations), the real prize is not the device but the information it contains. Thus, phase two of our technology evolution was to further secure sensitive data, regardless of their location.