Mobile Security In the Healthcare Industry
As Dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

By Christine L. Hutchison
Senior Consultant with Johnston McLamb’s Mobile Computing Practice
INTRODUCTION
Healthcare executives are dealing with a number of initiatives that are placing competing demands on their information technology resources. While mandates like the President’s push for electronic health records (EHRs) are encouraging the healthcare industry to consider mobile computing solutions, regulations like the Health Insurance Portability and Accountability Act (HIPAA) have placed stringent—and somewhat ambiguous—data security constraints on the field.

The EHR mandate does provide healthcare organizations with an incentive to consider mobile computing options. At the same time, it has put a greater sense of urgency on the need to protect data in the healthcare industry. President George W. Bush’s April 2004 charge to build a system that would provide each U.S. citizen with access to his or her EHR from any location by 2014 has brought additional attention to the issue. His subsequent establishment of the Nationwide Health Information Network (NHIM) is pushing the healthcare industry to look toward web-based systems.

At the same time that these EHR mandates are pushing healthcare organizations to consider mobile computing options, regulations like HIPAA have announced security standards with which many organizations are grappling. The administrative, physical, and technical requirements outlined in the HIPAA documentation require organizations to place extra attention on their existing data security requirements, never mind those of new mobile computing systems they may be considering.

These competing demands should not turn healthcare organizations away from considering mobile computing implementations, though, because there are significant benefits to be reaped from such efforts. For example, healthcare personnel such as doctors and nurses are constantly on the move. Whether they are moving from room to room within the same building performing rounds or are in transit from hospital to physician office, the healthcare workforce is by nature always on the go. As advancements in technology are made, keeping workers productive and efficient becomes more attainable and realistic via the implementation of mobile computing applications.

A BRIEF HISTORY OF HIPAA
The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Title II (Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform), in part, includes the Security Rule. The final rule on Security Standards was established on February 20, 2003, and took effect on April 21, 2003, with a compliance requirement date of April 21, 2005.

There are three types of security standards required for compliance: administrative, physical, and technical. Since the penalty for HIPAA violations ranges from $100 per person per incident for improper disclosures of health information to $250,000 and 10 years in prison for intentional violations (on top of violators always being at risk for class action lawsuits), any entity that offers mobile computing solutions in the healthcare industry must be aware of the technical requirements put in place by Congress.

Those technical requirements—which are used to control access to computer systems and enable covered entities to protect communications containing Protected Health Information (PHI) transmitted over open networks from being intercepted by any individual other than the intended recipient—are as follows:

• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is

• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.

• Data corroboration (including the use of check sums, double-keying, message authentication, and digital signatures) may be used to ensure data integrity.

• Covered entities must also authenticate entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two- or three-way handshakes, telephone callback, and token systems.

• Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.

• In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network, because these components are complex, configurable, and always changing.

• Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (This requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)

In summary, these standards (1) ensure the confidentiality, integrity and availability of all created, received, maintained, or transmitted electronic protected health information, and (2) protect against any reasonably anticipated security threats or
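The data corroboration requirement above lists check sums, message authentication and digital signatures as ways to show that a stored record has not been changed or erased in an unauthorized manner. The following Python example, added here and not part of the original white paper, shows the practical difference between an unkeyed checksum and a keyed message authentication code (HMAC-SHA256) over a patient record. The record fields, the key and the simulated edit are all constructed for illustration.

```python
"""Integrity protection for a stored PHI record: unkeyed checksum versus keyed
message authentication code (HMAC-SHA256). Added example; the record, the key
and the simulated unauthorised edit are constructed for illustration."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so equal content always hashes to the same
    value regardless of key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed digest. Anyone able to edit the record can also recompute this,
    so it catches accidental corruption, not deliberate change."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def mac_tag(record: dict, key: bytes) -> str:
    """Keyed tag: producing a valid value requires the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how much of the tag matched."""
    return hmac.compare_digest(mac_tag(record, key), tag)


def checksum_valid(store: dict) -> bool:
    """The check a storage layer that relies on checksums alone would perform."""
    return store["checksum"] == checksum(store["record"])


def protect(record: dict, key: bytes) -> dict:
    """What the record keeper writes to storage: the record plus both integrity values."""
    return {"record": record, "checksum": checksum(record), "tag": mac_tag(record, key)}


def unauthorised_edit(store: dict) -> dict:
    """Simulate someone with write access to storage, but no key, changing a field
    and refreshing the checksum to cover the change. The tag cannot be refreshed."""
    changed = dict(store["record"])
    changed["allergies"] = "none"          # the original said penicillin
    return {"record": changed, "checksum": checksum(changed), "tag": store["tag"]}


def demo() -> dict:
    """Return what each check reports before and after the edit."""
    key = secrets.token_bytes(32)          # constructed key; keep real keys in a key store
    record = {"mrn": "MRN-0001234", "allergies": "penicillin", "ward": "4B"}  # constructed
    stored = protect(record, key)
    edited = unauthorised_edit(stored)
    return {
        "before_edit_checksum_ok": checksum_valid(stored),
        "before_edit_mac_ok": verify_mac(stored["record"], stored["tag"], key),
        "after_edit_checksum_ok": checksum_valid(edited),                        # True: edit goes unnoticed
        "after_edit_mac_ok": verify_mac(edited["record"], edited["tag"], key),  # False: edit detected
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A checksum catches accidental corruption but not a deliberate edit, because whoever can change the record can recompute it; the keyed tag can only be regenerated by a holder of the key, so the key must be kept away from the systems that are allowed to read or store the record but not to alter it. A digital signature (not shown; the standard library has no signing primitive) gives the same tamper evidence and additionally ties the record to a specific signer.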
Because there are no government-sanctioned certifications available for Health Information Systems (HIS), no HIS can unequivocally claim HIPAA compliance. However, by implementing certain technologies and standards, integrated mobile applications can meet HIPAA requirements.

Healthcare organizations have identified the implementation of wireless local area networks (WLANs) as a major area for potential growth. Recent surveys indicate WLANs have only penetrated about 13% of the healthcare industry, though.

Indicators show decision makers need and want to have justification for investing in this open mobile market. Within the market spaces utilizing WLANs, decision makers are looking to see which industries are incurring the greatest benefits and what type of benefits are being observed.

The 2003 NOP World Technology study reveals the most significant result of mobilization is the ability to be connected to work, on average, over 3.5 more hours per day. Healthcare workers surveyed also realized the largest time and money savings and saw the largest increase in productivity and efficiency across all industries.

The healthcare industry’s number-one implementation of mobility solutions involves workflow. The main benefits from mobilization are 1) improving patient care; 2) reducing transaction costs; 3) increasing healthcare quality; and 4) enhancing teaching and research. Research also shows that nurses reap the benefits of mobilization the most, since nurses have a higher percentage of access to WLANs than doctors (19% compared to 7%).

So, although only 13% of healthcare institutions currently deploy WLANs, the healthcare industry is reaping and has the potential to reap the highest percentage of the benefits. By providing education about the enormity of the benefits of mobilization and alleviating concerns about security, the healthcare industry has the potential to be the largest beneficiary of a mobilized workforce.

THE REAL IMPACT OF HIPAA ON MOBILE
In the three years since HIPAA compliance has been mandated, 19,420 grievances have been lodged. The most common infractions are that personal medical information has been wrongly revealed or ineffectively protected and—as a result—improper release authorization was obtained. Winston Wilkinson, who heads the Department of Health and Human Services Office of Civil Rights, which is in charge of enforcing the law, states, “Our first approach to dealing with any complaint is to work for voluntary compliance.” However, the HHS has the authority to impose fines of $100 for each violation, up to a maximum of $25,000. The HHS also has the power to pass a violation on to the Justice Department, which can seek penalties up to $250,000 and 10 years in jail.

HIPAA acknowledges that improper disclosure of PHI can and will happen. What HIPAA requires in these instances is the accounting of these occurrences. Medical records are, of course, considered to be PHI. Additionally, any information that contains any data that can identify a person from demographic information and is linked to any information about healthcare services received is also PHI. This is the type of information that needs to be guarded. So, PHI can be any of the following, but is not limited to:

• Names
• Geographic information, including street address, city, county, precinct and all digits of the ZIP code except the first three
• Dates (except year) directly related to the patient, including birth date, admission date, discharge date, and date of death
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers including finger and voice
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic or code, except as permitted
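The identifier list above is, in effect, a specification for what has to be stripped before a record can be shared outside the protections that apply to PHI. The Python example below, added here and not part of the original white paper, applies those rules to a structured record: listed identifiers are removed, dates are reduced to the year, and the ZIP code is cut to its first three digits, as the bullets state. The field names, the sample record and the regular expressions used to spot residual identifiers in free text are assumptions of the example.

```python
"""Apply the HIPAA identifier list quoted above to a structured patient record.
Added example: the field names, the sample record and the free-text patterns are
constructed for illustration and are not part of the white paper."""
import copy
import re
from datetime import date

# Identifiers the page says must go; they have no reduced form that may be kept.
DROP_FIELDS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Dates are reduced to the year; the page names birth, admission, discharge and death dates.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that tend to hide in free text (constructed, illustrative).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def truncate_zip(zip_code: str) -> str:
    """Keep only the first three digits of a ZIP code ('20171-1234' -> '201')."""
    return re.sub(r"\D", "", zip_code)[:3]


def year_only(value) -> str:
    """Reduce a date object or an ISO-style 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return str(value.year)
    match = re.match(r"^(\d{4})", str(value))
    if not match:
        raise ValueError(f"unrecognised date format: {value!r}")
    return match.group(1)


def deidentify(record: dict) -> dict:
    """Return a copy with listed identifiers removed or reduced; other fields pass through."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field == "zip":
            out[field] = truncate_zip(value)
        else:
            out[field] = copy.deepcopy(value)
    return out


def leaked_identifiers(record: dict) -> list:
    """Scan every string value for identifier patterns; returns (field, kind) pairs.
    This is the check that catches identifiers embedded in notes and other free text."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "birth_date": "1970-06-15",
    "admission_date": date(2005, 3, 2),
    "zip": "20171-1234",
    "city": "Anytown",
    "phone": "703-555-0100",
    "diagnosis_code": "J18.9",
    "notes": "Patient asked that results be sent to jane@example.org",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", leaked_identifiers(cleaned))
```

Structured-field rules only cover what the schema names. The scan in leaked_identifiers() exists because free-text notes routinely carry the same identifiers (the constructed sample leaves an e-mail address behind in its notes field), and a record is not de-identified until that scan comes back empty as well.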
PHI is routinely stored in computer networks, put into email communications, entered into mobile devices, written down on paper, and distributed over the phone or fax. Each and every institution that handles or comes in contact with any type of this information is responsible for its security and is required to limit and control to whom any type of PHI is distributed. As a mobile solution provider, it is important that any systems created and deployed protect this type of information and can withstand any scrutiny from HIPAA.

SECURITY MODEL TRANSLATES TO MOBILE
Although the HIPAA Privacy Rule took effect in April 2003, misconceptions about the rule remain since there is no one governmental agency that can verify any computer system as being “HIPAA compliant.” Meeting the safeguards outlined in the HIPAA Privacy Rule, though, can typically be accomplished by using many of the same security measures that are used to secure data in organizations’ existing wired systems.

WLANs’ security risks include the concerns of protecting data, authenticating users, and shielding against intruders and viruses. These risks are the same risks any other wired computer platform would incur. However—because WLANs integrate handheld devices—there are a few added risks and challenges. Handheld devices are often treated as personal devices and are more easily lost or stolen. Also, because handhelds connect to a network so frequently, extensive wireless security is

Current technologies used to secure wired networks like VPN, SSL, LDAP, etc. can all be extended to WLANs, wide area networks (WANs), and personal area networks (PANs). WLANs use cell phone technology to replace telephone wires. WANs use Wi-Fi (802.11b) to replace Ethernet cables. PANs use Bluetooth® technology to link devices in close proximity and replace USB cables.

A virtual private network (VPN) solution provides secure access to intranet and extranet resources. VPN works well in WANs, local area networks (LANs), and WLANs, so expanding existing VPN security to mobile devices is very cost efficient. Internet protocol security (IPSec) VPN and point-to-point tunneling protocol (PPTP) VPN offer strong security with authentication, encryption, and data integrity checks. IPSec is supported by most Microsoft servers and Cisco gateways. PPTP is compatible with all devices and networks, including 802.11 and 3G wireless.

Secure sockets layer (SSL) is found in almost every web browser and is the most popular wireless protocol. Many handhelds on the market today feature SSL 2.0, SSL 3.0 and 128-bit encryption. SSL VPN takes advantage of this protocol built into web browsers. SSL VPNs work over almost any network and require no additional software, as the application is web-based.

802.11 security is a popular WLAN standard. By incorporating 802.1x, an IEEE 802.11 security standard, wireless devices are required to authenticate with access points before accessing the 802.11 network. Cisco’s lightweight extensible authentication protocol (LEAP) is based on the 802.1x standard and provides mutual authentication based on password challenge-response. LEAP also addresses the wired equivalent privacy (WEP) key reuse weakness by exchanging dynamic keys.

Bluetooth security is becoming more popular as more and more Bluetooth-capable devices and accessories are being released. Bluetooth links devices within about 30 feet of each other. The Bluetooth protocol includes user authentication, communication encryption, a new encryption key per session, link level security with 128-bit encryption, “trusted” connections and “discoverable” settings. Many VPN clients can run over Bluetooth.

Infrared (IR) security requires devices to communicate within 4 feet or less of the beaming device. The recipient is prompted for acceptance when incoming transmissions are attempted. This puts control of incoming data in the hands of the user.

System threats and risks are very similar for both wired and wireless applications, but WLANs add technological risks like interference. The 2.4 GHz frequency is the main frequency for items like Bluetooth, cordless phone systems, and baby monitors. 802.11b and 802.11g networks all share these same radio frequencies. Wireless systems are now at risk from inadvertent eavesdropping by users of these types of devices. The IT industry needs to have solutions to secure protected health information.

“Wired equivalent privacy (WEP) looks to protect the authorized users from eavesdropping by making the wireless link as secure as the replaced wired link,” explains Frost & Sullivan Research Analyst Arjun Chokkappan. “WEP uses symmetric encryption techniques and stream ciphering that can be embedded in the hardware components.”

INFORMED MOBILE COMPUTING PLAN
Fully leveraging the existing infrastructure to address HIPAA-related security concerns is one of the most effective ways to begin the process of implementing a mobile computing solution within a healthcare setting. Johnston McLamb’s Mobile Computing practice promotes this approach and follows an Informed Mobile Computing Plan (IMCP) methodology when working with clients facing these challenges. This IMCP is a five-phase process that includes Business Intelligence, Business Planning, Product/Service Evaluation, Implementation, and Support and Maintenance.
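Both the “two- or three-way handshakes” named among the authentication methods earlier in the paper and the password challenge-response that the LEAP paragraph describes rest on the same idea: each side proves possession of a shared secret by answering a fresh random challenge, and neither side ever sends the secret itself. The Python example below, added here and not the paper’s own material, is a generic three-message mutual challenge-response built on HMAC-SHA256 with both sides’ messages shown; it is not the message format of LEAP or of any real EAP method, and the peer names, passwords and salt are constructed.

```python
"""Three-message mutual challenge-response between a wireless client and an access
point that share a password-derived secret. Added generic illustration of the
handshake pattern; NOT the wire format of Cisco LEAP or any other EAP method.
Peer names, passwords and the salt are constructed."""
import hashlib
import hmac
import secrets


def derive_secret(password: str) -> bytes:
    """Turn the shared password into a fixed-length key. The salt is a constructed
    constant here; a real deployment would use a per-realm value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"constructed-salt", 10_000)


class Peer:
    """One side of the exchange; remembers the nonce it issued until it is checked."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.issued_nonce = None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; verify() consumes it, so each is single-use."""
        self.issued_nonce = secrets.token_bytes(16)
        return self.issued_nonce

    def respond(self, nonce: bytes) -> bytes:
        """Answer a challenge: MAC over our own name and the peer's nonce. Binding the
        responder's name means an answer cannot be reflected back in the other direction."""
        return hmac.new(self.secret, self.name.encode("utf-8") + nonce, hashlib.sha256).digest()

    def verify(self, peer_name: str, response: bytes) -> bool:
        """Check a response against the nonce we issued, then discard that nonce."""
        if self.issued_nonce is None:
            return False
        expected = hmac.new(self.secret, peer_name.encode("utf-8") + self.issued_nonce,
                            hashlib.sha256).digest()
        self.issued_nonce = None
        return hmac.compare_digest(expected, response)


def handshake(client: Peer, ap: Peer) -> dict:
    """Message 1: AP -> client: nonce_ap.
    Message 2: client -> AP: response to nonce_ap, plus the client's own nonce.
    Message 3: AP -> client: response to the client's nonce.
    Returns which side accepted the other."""
    nonce_ap = ap.challenge()                     # message 1
    client_resp = client.respond(nonce_ap)        # message 2, part a
    nonce_client = client.challenge()             # message 2, part b
    if not ap.verify(client.name, client_resp):   # AP rejects: no message 3 is sent
        return {"ap_accepts_client": False, "client_accepts_ap": False}
    ap_resp = ap.respond(nonce_client)            # message 3
    return {"ap_accepts_client": True, "client_accepts_ap": client.verify(ap.name, ap_resp)}


def recorded_response_is_reusable(secret: bytes) -> bool:
    """Why the nonce matters: a response recorded from one session does not satisfy
    a later challenge, because the AP's nonce is different every time."""
    ap = Peer("ap", secret)
    client = Peer("client", secret)
    recorded = client.respond(ap.challenge())
    ap.challenge()                                # AP starts a new session
    return ap.verify(client.name, recorded)


if __name__ == "__main__":
    shared = derive_secret("correct horse")       # constructed password
    print(handshake(Peer("client", shared), Peer("ap", shared)))
    print(handshake(Peer("client", derive_secret("wrong")), Peer("ap", shared)))
    print("recorded response reusable:", recorded_response_is_reusable(shared))
```

The secret itself never appears in any of the three messages, each nonce is consumed once, and the responder’s name is folded into the MAC, which is what makes the exchange mutual rather than one-sided. The paper’s protocol choices date from 2004; the same challenge-response idea underlies the 802.1X/EAP methods used today, while WEP and LEAP themselves have since been superseded.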
In order to generate an appropriate and effective mobile solution, it is of key importance that the company providing the solution knows the client’s business and industry regulations and that the client receiving the solution understands all available options. All of the IMCP phases work together to achieve these goals and to help both parties fully understand workflow requirements, industry standards and regulations, and implementation options.

• Phase 1 (Business Intelligence) is the phase where Johnston McLamb’s experienced consultants obtain on-site knowledge of the business processes performed on a daily basis.

• Phase 2 (Business Planning) is where Johnston McLamb provides recommendations for mobile solutions. Each potential solution is evaluated on a number of factors, including its flexibility, its risk and complexity, its turnover time, its cost, and the potential return on investment it could generate.

• Phase 3 (Product/Service Evaluation) is the phase where Johnston McLamb provides analysis and recommendations regarding the selection of devices, service providers, and networking setup.

• Phase 4 (Implementation) is where Johnston McLamb’s technical professionals design, develop, and deploy the hardware and software solutions chosen by the client.

• Phase 5 (Support and Maintenance) is the phase where Johnston McLamb’s consultants remain available to the client to provide training and knowledge transfer and potentially take part in revisiting some of the earlier phases in order to enhance the solution to meet additional client requirements.

The ultimate goal of Johnston McLamb’s Informed Mobile Computing Plan is to ensure that our clients have a complete understanding of the mobile computing options available to them. Additionally, within the healthcare arena, data security becomes a key part of the discussion during each phase of the IMCP.

SUMMARY
The healthcare industry is positioned to reap a significant number of benefits and rewards from mobilizing its workforce. The move by NHIM (Nationwide Health Information Network) to require Electronic Health Records (EHR) to be accessible by every person in the United States from any location is forcing the healthcare industry to act now.

By providing decision makers with accurate and timely information to dispel any security concerns they may have about mobilization and utilizing the guidelines set by HIPAA, the healthcare industry can implement mobile solutions that will increase efficiency and productivity while reducing costs and errors. Johnston McLamb’s Informed Mobile Computing Plan is designed to aid decision makers by defining their business processes and needs, analyzing and recommending appropriate—and secure—mobile solutions, and implementing a solution that moves an organization toward achieving the workflow improvements so clearly tied to mobile computing.


Christine L. Hutchison is a Senior Consultant with Johnston McLamb’s Mobile Computing Practice. She has done
Oracle PL/SQL and Java programming for more than 10 years. She currently specializes in front-end/GUI
development, specifically within the mobile computing market.

4840 Westfields Boulevard, Suite 200 | Chantilly, VA 20151 | P: 703.502.0901 | F: 703.502.0905