Over the last year, IT has begun to permeate into the healthcare industry at a rate never seen before. Confluence of IT and healthcare is not a new phenomenon with digital imaging of X-rays being a well-known practise. Lately, in an attempt to build world-class hospitals, leading hospitals in the country have started relying heavily on IT to put in place world-class process that sets them apart. This includes projects that revolutionize patient and staff record keeping in hospitals.
For instance, a leading hospital in India has put in place an eICU that can monitor the patient's progress 24x7 and a CRM solution, which helps to reach the right doctor at the right time. Hospitals have also been able to link surgeries through the Internet. Coupled with the growing number of mergers between surgeries these systems ensure that patients have a greater chance of seeing a doctor when they need.
Linked surgeries have put tremendous pressure on administrative systems. Patients want appointments today, not next week! Doctors need fast access to patient notes in order to make decisions. If all the records are not available the wrong treatment may be prescribed or, worse still, the doctor might be unable to decide on the cause of the symptoms.
Even hospitals with well established record management systems find it difficult to retrieve outpatient notes in a short timescale. Local surgeries, therefore, have little or no chance without IT. The general public knows that they can walk into a bank or a store and have their information called up by customer services. They are increasingly becoming ITES savvy. They expect the hospitals to be able to provide access to their records wherever and whenever they need treatment.
Protecting patient records
This raises two different but complimentary issues; the protection of patient records and the ready access to those same records for healthcare professionals.
Protecting patient records is simple only in theory. It involves restricting the access and preventing the records leaving the surgery. In a modern environment, where people are always on the move, treatment can be required anywhere and these records need to be accessible at the point of care. This goal of 24x7 accessibility can only be achieved if there is trust between the patient and the healthcare centre. Since these records are transferred using technology, that trust has to extend to the security aspects of the technology that enables it.
Healthcare workers no longer carry large stacks of paper records with them. This information is stored today in devices such as laptops, PDAs, Smartphones and now more and more people are loading information onto USB keys and even onto MP3 players which now have a capacity comparable to that of high-end laptops! These devices are valuable and hence pose the threat of theft and assault for access to the device. As technology has advanced, the size of the devices has gradually reduced. They are easier to lose or leave in a taxi or a train. Of course, once the device is out of the control of the healthcare worker, the records are at risk.
The law sets down certain obligations for individuals who handle personal data to check breach of privacy and security. As technology has become more pervasive, laws have been adapted to deal with it. We live in a dangerous world where personal data is extremely valuable.
Banks regularly report that gangs of criminals are using stolen information to obtain credit cards. Governments worry about organised criminals and terrorists using stolen identities to obtain passports. Access to healthcare records could enable drugs to be obtained unlawfully or lead to the patient being blackmailed.
Considering the criticality of personal information, security emerges as a key concern. In general, people entrusted with such information do try to live upto expectations. They don't go and lose others people information by deliberately leaving devices where they can be stolen. But accidents and negligence cannot be ruled out.
Technology for protecting data
This is where we need to look at what technology can be used to protect data. The easiest way to protect data is by automatically encrypting it. This prevents anyone without the right password or PIN from accessing the information. It is no different from using a credit card. Chip and pin, an encryption and digital identity approach, has been brought in by the credit card industry to reduce fraud. Without the PIN number, the card will not be accepted by the credit card provider. In the world of IT security this is referred to as two factor authentication, something you know and something you have.
In practise, whenever a record is copied to a computing device, it is automatically encrypted, without any user interference. Access to any record would mean entering the password or PIN whenever the record is actually opened. This means that there can be no possibility of records just sitting, unprotected, on the device. A thief who has stolen or a person finding a device would be unable to access the information, even if the device had been left turned on. The device might have fallen into the wrong hands, but not the information.
By enforcing the encryption during the copying of data, it can be shown that the technology can provide sufficient trust. The use of a password or PIN does not require the user of the device to learn a new way of doing things. As has been shown, it is the same as using a credit card. The users are familiar with accessing computers through passwords and this is no different from that.
Protection of patient data on mobile devices is not and should not be seen as an onerous process. IT needs to keep it simple, yet provide user-friendly tools to ensure that its users understand the process and its criticality.
Here are a few simple and basic security rules to ensure all your data only gets to be seen by the intended recipient.
1. Put a policy in place that …
2. Always strive for encrypting personal data and other sensitive information.
3. Use software solutions that enforce automatic and mandatory encryption in real time without any user interference.
4. Use efficient authentication for all access to personal data or any other sensitive information irrespective to device type.
5. Teach users about simple device security.
a. Don't leave devices in cars.
b. Never hang bags on the back of chairs in public places.
c. Laptop bags are beacons for thieves, try using other ways of carry devices.
d. Always keep in a room safe when staying in a hotel.
6. If using regular passwords force passwords to be changed regularly.
7. Only allow company information to be stored on devices regulated by the security policy. Carry out regular checks on devices
8. Providing efficient security is an ongoing process. Therefore perform regular security revisions to ensure that the security policy is obeyed.
These rules should be used as part of an organisations approach to protecting data on computers and mobile devices. It requires little effort to apply these rules and they are simple for users to implement. Remember that complex security approaches are often self-defeating.
If you don't secure the data now, it may be too late tomorrow. Once it has been stolen, it's too late to think about "what we should have done better".
Doctors, nurses, medical technicians, secretaries, receptionists, dentists - are just a few of those who will be interacting and using electronic data on a range of devices. Their workload is large, their time is short and this is where they are vulnerable. Putting in place a solution to ensure that their data is encrypted is not just ensuring security of critical data but also about responsibility towards those whom we service.
(The author is Vice President - Asia Pacific & Africa of Pointsec Mobile Technologies).