Patient data security – preparing healthcare IT systems for HIPAA compliance
Hospitals are being ordered to go HIPAA compliant by October 1st, 2015. We spoke to Soonr’s Sam Liu and EnterpriseDB’s Pierre Fricke about the data security implications of preparing applications for HIPAA compliance.
As healthcare systems reluctantly prepare to go digital ahead of the planned introduction of WHO’s ICD-10, the IT challenges remain daunting. Physicians and medical groups alike remain sceptical that the required electronic patient records (EHRs) and digital revenue cycle systems will be ready in time for the October 1 deadline. And still IT must find a way to trudge forward for the sake of healthcare innovation.
“IT has long played a critical role in achieving HIPAA compliance for healthcare applications within the physical data centres and will do so in the cloud as well as organisations shift their IT strategies,” says Pierre Fricke, VP of Products and Services at EnterpriseDB. The JBoss veteran believes what will now change is the organisation that will provide the computing infrastructure.
“When physical data centres support HIPAA-compliant applications, IT is generally responsible for the security of the data center, including firewalls, governance and access, and security of the underlying hardware, operating systems, and data tiers of applications. In that context, IT must ensure the data is encrypted as it moves around the network. IT is also responsible for securing data while it’s being stored. Securing data includes creating the procedures and policies, including auditing information, that ensures compliance.”
IT’s changing responsibility in healthcare
Fricke explained to us that the role of IT will change significantly as a result of HIPAA requirements. “When healthcare applications move to a public cloud, responsibility for the computing infrastructure generally shifts to the cloud provider,” continues the acclaimed IT author and former director of product marketing at Red Hat. “IT’s responsibility will shift from providing the secure infrastructure to ensuring that the cloud provider’s infrastructure meets requirements of HIPAA compliance. For example, Amazon Web Services provides the security for its computing infrastructure, including specific technical solutions for encryption and access controls, while the database must ensure security of the data under management.”
At the same time, more and more medical data is cropping up on everyday hardware like tablets and wearables, says Sam Liu, VP at cloud storage provider Soonr. “As the healthcare industry grows increasingly digital, facilities such as hospitals are piloting tools from tablets for patient records to smart glasses for better precision during surgery,” says Liu.
“In a range of different healthcare settings, you’re starting to see patient files accessed on mobile devices and stored in the cloud to keep information more organised and easily accessible, which is designed to enable better efficiency and communication across care providers and staff. Also, hospital equipment service manuals and records can be kept in the cloud and linked from a QR code on the equipment itself – eliminating errors and reducing paper waste.”
Q&A with Sam Liu (Soonr) and Pierre Fricke (EnterpriseDB)
JAXenter: What kind of security concerns are healthcare IT professionals facing at the moment?
Sam Liu (Soonr): The most obvious healthcare data security risks concern breaches. Recent attacks at Premera Blue Cross and Anthem have brought a lot of focus to this issue, making it more crucial than ever for any business handling health information to be up to date on HIPAA compliance and security measures. Encryption of data in storage is as important as while in transit or session. It’s surprising the number of companies that implement strong access security measures, but fail to encrypt the data while stored.
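The point Liu makes, that data must be encrypted while stored and not only on the wire, is easy to demonstrate. The following Go program is an added example, not code from Soonr, EnterpriseDB or the article: it keeps a toy in-memory table of patient records in which only the record identifier is ever in the clear, seals every row with AES-256-GCM before it is written, binds the record identifier as associated data so ciphertext cannot be quietly moved under another patient's ID, and appends an audit entry for every write and read (including failed reads). The key handling is an assumption for illustration; a real deployment would hold the key in a KMS or HSM and persist both the rows and the audit trail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// PatientRecord is a constructed sample of protected health information (PHI).
type PatientRecord struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	Diagnosis string `json:"diagnosis"`
}

// StoredRecord is what lands in the table: the identifier stays in the clear,
// everything else is AES-GCM ciphertext plus the nonce used to produce it.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// AuditEntry records who touched which record, how, and when, for compliance review.
type AuditEntry struct {
	Actor    string
	RecordID string
	Action   string
	At       time.Time
}

// Store is a toy in-memory table with an audit trail (assumption: a real system
// persists both and keeps the key in a KMS/HSM rather than in process memory).
type Store struct {
	key   []byte
	rows  map[string]StoredRecord
	Audit []AuditEntry
}

// NewStore refuses anything but a 32-byte key so AES-256 is always used.
func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	return &Store{key: key, rows: map[string]StoredRecord{}}, nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts the record before it is written; the record ID is the associated
// data, so the ciphertext only opens under the ID it was sealed for.
func (s *Store) Put(actor string, rec PatientRecord) error {
	plain, err := json.Marshal(rec)
	if err != nil {
		return err
	}
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, plain, []byte(rec.ID))
	s.rows[rec.ID] = StoredRecord{ID: rec.ID, Nonce: nonce, Ciphertext: ct}
	s.Audit = append(s.Audit, AuditEntry{actor, rec.ID, "write", time.Now()})
	return nil
}

// Get decrypts on read and logs the access whether or not it succeeds.
func (s *Store) Get(actor, id string) (PatientRecord, error) {
	var rec PatientRecord
	row, ok := s.rows[id]
	if !ok {
		return rec, errors.New("no such record")
	}
	gcm, err := s.aead()
	if err != nil {
		return rec, err
	}
	plain, err := gcm.Open(nil, row.Nonce, row.Ciphertext, []byte(id))
	action := "read"
	if err != nil {
		action = "read-failed" // tampered or mislabelled row: record the attempt
	}
	s.Audit = append(s.Audit, AuditEntry{actor, id, action, time.Now()})
	if err != nil {
		return rec, fmt.Errorf("integrity check failed for %s: %w", id, err)
	}
	return rec, json.Unmarshal(plain, &rec)
}

// Raw returns the stored row so a reviewer can confirm nothing readable is at rest.
func (s *Store) Raw(id string) (StoredRecord, bool) {
	row, ok := s.rows[id]
	return row, ok
}

// Relabel simulates a storage bug that files one patient's ciphertext under another ID.
func (s *Store) Relabel(from, to string) {
	row := s.rows[from]
	row.ID = to
	s.rows[to] = row
}

func main() {
	key := make([]byte, 32)
	_, _ = io.ReadFull(rand.Reader, key)
	st, _ := NewStore(key)
	_ = st.Put("dr.smith", PatientRecord{ID: "p-1001", Name: "Jane Doe", Diagnosis: "constructed sample"})
	rec, err := st.Get("dr.smith", "p-1001")
	fmt.Println(rec, err)
	for _, e := range st.Audit {
		fmt.Printf("%s %s %s\n", e.Actor, e.Action, e.RecordID)
	}
}
```

Reading `Raw` after a `Put` shows the row holds no recognisable name or diagnosis, which is the property Liu says companies with strong access controls still fail to achieve; the `Relabel` path shows why binding the record ID as associated data matters, since a moved row is rejected and the failed read is itself audited.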
JAXenter: Does the encryption of data cover all security risks – or are there other security measures to be considered?
Pierre Fricke (EnterpriseDB): The HIPAA / HITECH standard defines certain critical security requirements; however, best practices for security should go much further to protect businesses, particularly healthcare and financial data. Security is as much or more about policy as it is about technology. An enterprise can deploy the best security technology but if the practices and policies in place leave the “front or back door” wide open to attack, that’s a huge issue.
Encryption and policies to use encryption are critical, but other areas such as physical security, user and group access and authorisation technology and policy, and training of personnel are also critical. Companies may be audited for compliance only once a year, but they should treat every day as a critical test of their security and governance technologies and practices.
JAXenter: It seems that trust is the biggest issue when it comes to storing patient data. What measures can hospitals and healthcare businesses offer to ensure data stays secure?
Sam Liu: Beyond standard security practices around access control and encryption, a good first step toward patient and facility data security is to implement a secure file-sharing solution that also offers data leak prevention and remote data wipe capabilities to ensure any sensitive information can be cleared as well as restored should a mobile device be lost or stolen.
As much as technology can help prevent security breaches, human error and poor processes can be an even bigger source of problems. Look beyond simply the technology, but at the checks and balances to ensure data is secure and private.
JAXenter: Can we assume that database encryption for HIPAA compliance will be a trend in the next months? And how is EnterpriseDB helping teams adapt to HIPAA?
Pierre Fricke (EnterpriseDB): Compliance with HIPAA and other regulations such as PCI DSS for credit card processing is a major issue because more and more businesses are adopting the cloud for its flexibility and low cost and security, which as anyone reading the news knows is always a concern. Encryption technology will continue to evolve as organisations with sensitive data look to the cloud for more and more of their workloads.
EnterpriseDB integrates performance, security and manageability enhancements into the open source database Postgres for cloud and on-premises deployment. Expanded encryption for data while it’s in storage means organisations with HIPAA requirements can deploy applications on EDB’s Postgres Plus Cloud Database and take advantage of a flexible, enterprise-class low cost database.