Healthcare Data Security: Encryption Is Not Enough

“Johns Hopkins disclosed this week that it has lost the personal data on roughly 52,000 employees and 83,000 patients.” (Made4Biz, Feb. 9th)

The recent incident at Johns Hopkins has added fuel to the debate over healthcare IT and data security. While no malicious intent has been discovered, the loss of tapes containing personal information demonstrates once more how quickly and easily records can be lost when proper IT controls aren’t in place. For some time, industry insiders have been calling for encrypted patient data transfers and stronger security for Internet transactions involving patient information. What happened at Johns Hopkins, however, shows again that data is vulnerable whether or not it is being transferred:

“…it’s much more likely that someone would obtain the data while it’s ‘at rest’ on a computer hard drive or server. A typical scenario would be a document residing on a hospital’s server somewhere that contains PHI; the hospital encrypts the data, emails it via the internet to the patient’s physician, who decrypts it and reads it, where it sits decrypted in his Outlook inbox. That data is much more likely to be improperly accessed while on the hospital’s server or on the physician’s computer than it is while being transmitted over the internet.” (HIPAA Blog)

This scenario shows the two ways in which data becomes vulnerable to theft or tampering — either physically, when someone steals a laptop or hard drive, or digitally, when someone intercepts a transmission or hacks into a database. Keeping patient data in a secure, centralized location addresses both issues: information stays off easy-to-steal devices, and IT administrators can easily enforce security processes and policies across the enterprise.

“Like businesses, medical centers should also put an absolute stop to storing sensitive data on laptop computers. And all patient data should be encrypted, no exceptions. Medical offices almost always deal with large volumes of Social Security numbers and should be especially careful about how this data is stored … HIPAA security regulations include strict rules concerning data safeguards but there isn’t enough enforcement to ensure that the complicated protections are really in place.” (Credit Bloggers)

Establishing security measures for data in transit is one part of the equation, but removing data from laptops, PCs, tapes, and other portable hardware is another obvious and necessary measure. By storing electronic data in a consolidated data center and providing access through PC Blades, you can control who reaches the data, ensure that it can’t be downloaded or corrupted from onsite or remote devices, and protect against theft and unintended employee mistakes.
