Information Theft: How to Prevent It

What do hospital administrators and their CIOs fear above all else? It may be information theft, especially if that information includes sensitive patient data. Nothing grabs the attention as completely as learning that a laptop laden with patient data has slipped out the door. With preparation, though, such an event may be prevented, and if it is not—because no system is perfect—then its impact can be minimized. That was the message of George Bowers, MBA, in What Keeps CIOs Awake at Night: Information Theft, which he presented on May 16, 2008, at the Society for Imaging Informatics in Medicine’s annual meeting in Seattle. Bowers, principal at Health Care Information Consultants, LLC, Baltimore, is the former CIO of American Radiology Services and the former vice president for information services and CIO at the University of Maryland Medical Center. As Bowers summarizes HIPAA regulations, “Covered entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their electronic protected health information against any reasonably anticipated risks.” Reminding his audience that in that single sentence there is room for all kinds of interpretation, he says, “What is reasonable, and to what extent are protections adequate?”

“One thing we have learned is that if it is not bolted down, it can develop legs and it can walk.” —George Bowers, MBA

Today’s hospital has to worry that more information devices than ever can walk away with patient data on them: laptops, PDAs, keychain flash drives, and even smart cell phones. “We also have potentially malicious intent on the part of employees or outsiders who may want to crack systems and get data,” Bowers says. A Case Study To illustrate how severe the data-theft issue is, Bowers uses the example of a 100-bed rural hospital (which he does not name) where a laptop containing patients’ birth dates, names, and Social Security numbers was found missing from the emergency department two years ago. The laptop, used in the triage area for preliminary registration of patients, contained an abbreviated version of the master patient index going back to 1989, Bowers explains. When the hospital learned that data had disappeared that might be used in patient identity theft, administrators responded by contacting the state hospital association, law enforcement, and the hospital’s insurance company. Then, the administrators searched out other hospitals that had encountered data theft and looked for models of how to respond. These steps took a couple of weeks, Bowers says. Two more weeks passed while the hospital identified all the patients with stolen data and found current addresses for them. Next, the hospital hired a security firm to work with the patients to avoid identity theft and sent letters to all the patients notifying them of the situation. “Then it hit the papers. They got a lot of press, and they realized they needed to tighten up their security procedures to make sure it wouldn’t happen again,” Bowers explains. The first step in the hospital’s action plan was to review all laptops for protected health information and eliminate it. Over half the laptops were physically locked down to fixed or mobile workstations, Bowers says. The hospital also initiated an organization-wide employee education program to identify risks and take steps to mitigate them. The second step was to set up an interdisciplinary team to perform root-cause analysis and to detect latent system failures, as required by the Joint Commission. This step illuminated errors and weaknesses. The data on the missing laptop, for instance, could have been made invisible, Bowers says, but it hadn’t been. The laptop with sensitive information was in a high-traffic area, highly visible and tempting. The security cameras that the hospital had in place either were not working or were turned in the wrong direction to spot the theft. As part of security planning long before the theft, the hospital had created a security-variance system to highlight unusual activity, but it wasn’t being used. When it came to latent system failures, the hospital determined that it lacked an integrated IT security program with provisions for regular review and update. There was also a lack of accountability. When the laptop was stolen, who was accountable? “Whose problem is this: the CIO’s or the department head’s? This was something they’d never encountered,” Bowers says. Setting Up a Team Having looked at what happened, how it happened, and why, the hospital set up an information-security analysis team (ISAT) to lessen the chance of another data loss. “This was a standing team to review and update security,” Bowers says. The ISAT reviewed laptop policies (for example, whether it was necessary to have protected data on a specific laptop) and implemented encryption on all laptops. The team also put in place a master security-management system—basically, a software system that required all peripheral items, such as laptops, to call home on a regular basis, Bowers says. He notes that this is fairly common software that requires peripherals to log into a central server and report that nothing has happened. The ISAT also made sure that security cameras were working and were pointed at the areas needing surveillance. The ISAT created an amended security variance reporting system and made sure that all employees were educated in how to use it. Through its actions in response to the laptop theft, the hospital was able to retain its community reputation. It was also able to turn an adverse event into an opportunity to improve its security protocols, Bowers notes. He adds, however, that the event—the simple theft of a single laptop—caused the hospital serious financial harm. Just hiring the security team to work with patients (whose records comprised nearly a 20-year span of the emergency department’s protected data) cost the hospital in the neighborhood of $500,000. The cost for the whole episode added up to more than $600,000. “For a small hospital with revenues of less than $100 million per year, this was a very big hit,” Bowers says. Lessons Learned Based on the experience of the rural hospital in his case study, Bowers drew up a list of recommendations.

• Understand where sensitive data are being stored and take action. Maintain sensitive data in a centralized database with restricted access.
• Eliminate local copies of sensitive data files.
• Encrypt laptops.
• Install centralized management software.
• Evaluate physical security and lock down portable devices.
• Keep sensitive data away from high-traffic areas and ensure adequate surveillance.
• Make sure that policies and procedures are up to date and reinforce them with staff education. Make sure that staff members are aware of sensitive data.
• Ensure that surveillance systems are adequate and are being monitored. Monitor all unauthorized or suspicious access. It is extremely important, Bowers adds, to treat all security exceptions “urgently until proven otherwise.”

He urges hospital administrators and CIOs to “be proactive; have a plan. Don’t wait for a theft before you do all of this. You can do a lot with policies and procedures, equipment, and facilities ahead of time.” By “changing the culture in a group to make security much more important,” tremendous savings can be realized and CIOs will sleep better, Bowers notes. After all, as Bowers says, if the case-study hospital had been better prepared and had followed strict security protocols, all it would have lost when the theft occurred was one laptop.