Top 5 Security Technology Investments
Sizing Up Healthcare Priorities for 2012
The Healthcare Information Security Today survey, conducted by HealthcareInfoSecurity, shows the top five planned technology investments are:
1. Audit logs or log management;
2. Mobile device encryption;
3. Data loss prevention, or DLP systems;
4. E-mail encryption;
5. Intrusion detection/misuse detection.
These technologies are a reflection of the survey's findings on top information security priorities for the year ahead. The survey shows improving regulatory compliance is the No. 1 information security priority, and all these technologies can help prevent HIPAA violations. Improving mobile device security ranks as the No. 3 priority, and preventing and detecting internal breaches ranks fifth (see: 2012 Security Priorities: An Analysis).
Mobile Workforce
Many of these top technology investments reflect a desire to control the risks involved with an increasingly mobile workforce while improving HIPAA compliance and helping to prevent breaches, says Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center, in Vancouver, Wash.
"The more mobile the workforce becomes, the more healthcare becomes outpatient-centric, distributed and exposed, the greater the risks," he says. "These technologies address an aspect of information on the move. For example, mobile device and e-mail encryption address information in transit, and data loss prevention is another layer of information and risk containment. It's all about extending security controls to where the information is located."
As more organizations adopt comprehensive electronic health records, many are looking for ways to audit who is accessing patient data. This can help, for example, to detect records snoopers - those who look at information they're not authorized to see.
The survey shows that the most common way to track who accesses protected health information is by using audit functions within an application. Far fewer organizations use a separate audit log application or a DLP application. Because many hospitals have dozens of information systems that store patient data, they're investigating more practical ways to track who accesses data than relying on the audit functions of each individual application.
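One way a separate log management application can pull these per-application audit trails into one view and surface possible records snoopers, shown here as an added example that is not from the survey, the hospitals quoted, or any vendor product. The two log formats, the user and patient identifiers and the care-team assignment table are all constructed for illustration.

```python
import csv
import io
import json

# Constructed sample audit records from two hypothetical clinical systems, each
# in its own native format, standing in for the dozens of systems a hospital
# would actually need to consolidate.
EHR_LOG = """ts,user,patient_id,action
2012-01-09T08:02:11,nurse.kim,P1001,view_chart
2012-01-09T08:05:40,dr.lee,P1002,view_chart
2012-01-09T12:17:03,billing.ops,P1003,view_chart
"""
LAB_LOG = """{"time": "2012-01-09T09:31:55", "uid": "nurse.kim", "mrn": "P1003", "op": "view_result"}
{"time": "2012-01-09T09:40:02", "uid": "dr.lee", "mrn": "P1002", "op": "view_result"}
"""

# Hypothetical care assignments: which users have a documented treatment
# relationship with which patients (fed from scheduling/ADT in a real deployment).
CARE_TEAM = {"P1001": {"nurse.kim"}, "P1002": {"dr.lee", "nurse.kim"}, "P1003": {"dr.lee"}}

def normalize_ehr(text):
    """Map the EHR's CSV audit export onto a common (ts, user, patient, action, source) schema."""
    return [{"ts": r["ts"], "user": r["user"], "patient": r["patient_id"],
             "action": r["action"], "source": "ehr"}
            for r in csv.DictReader(io.StringIO(text))]

def normalize_lab(text):
    """Map the lab system's JSON-lines audit feed onto the same common schema."""
    out = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            out.append({"ts": r["time"], "user": r["uid"], "patient": r["mrn"],
                        "action": r["op"], "source": "lab"})
    return out

def flag_snooping(events, care_team):
    """Return accesses by users with no documented relationship to the patient, oldest first."""
    flagged = [e for e in events if e["user"] not in care_team.get(e["patient"], set())]
    return sorted(flagged, key=lambda e: e["ts"])

if __name__ == "__main__":
    events = normalize_ehr(EHR_LOG) + normalize_lab(LAB_LOG)
    for e in flag_snooping(events, CARE_TEAM):
        print(f'{e["ts"]} {e["source"]}: {e["user"]} accessed {e["patient"]} '
              f'({e["action"]}) with no care-team relationship')
```

Each flagged event is a lead for the privacy officer to review, not proof of snooping; break-the-glass and on-call coverage would need to be fed into the assignment table before the rule is trusted in production.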
Protecting Unstructured Data
Identifying where all patient information resides is an important component of any effort to protect it. Data loss prevention applications, for example, can help with this effort.
Adventist Health System, which operates 37 hospitals, plans to tackle the challenge of managing unstructured data next year, says Sharon Finney, corporate data security officer. "Healthcare organizations have huge data stores of unstructured information, and with this explosion of mobile devices and collaboration tools, [unstructured data] is growing exponentially," she says. For example, researchers may place sensitive patient information in spreadsheets, making the data difficult to detect and protect.
"With healthcare getting more litigious by the day, being able to control and produce this unstructured information is more and more important," she says. So Adventist is investigating technologies to help with the task.
Encryption
Although encryption plays an important role in preventing breaches, Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., is puzzled by why e-mail encryption is still on the to-do list for many. He sees e-mail encryption as a vital component of any breach prevention strategy. "We've been encrypting e-mail for a long time," he notes.
But he acknowledges that encrypting mobile devices is an ongoing task for many organizations. Good Samaritan is continuing its efforts to encrypt certain mobile devices as well as enforce a policy prohibiting storing patient information on many devices, including laptops.
Another top technology investment for the year ahead at Good Samaritan is an ID management system, the CIO adds. Such a system will help the community hospital streamline the cumbersome process of providing role-based access to multiple information systems.