On Guard: A Tale of Two Security Settings
Imaging information is becoming increasingly mobile: For evidence, look no further than the FDA’s recent approval of an app for the iPod, iPhone, and iPad that allows diagnostic use of MRI, CT, PET, and SPECT exams. With increased connectivity, however, comes an increase in vulnerability. Under pressure to protect all patient health information or face significant regulatory backlash, how are facilities tending the technical security of medical-image data?
R. Todd Thomas, CIO of Austin Radiological Association (ARA) in Texas, says, “In the event of a breach involving 500 or more individuals, you have to publish it online and contact the patients involved. We hope we’re never caught in that kind of situation.”
Preventing security breaches that involve patient health information—whether they occur as a result of equipment theft, viruses, hacking, or other causes—requires continuous vigilance, Thomas notes. “We’re constantly evaluating where users are logging in from, so if it’s somewhere we don’t recognize, we can find out why,” he says. “Our alerts happen in real time, but we can also query historical data.”
Jerry Walters, director of information security for OhioHealth Information Services in Columbus, takes a similar approach: “We track who comes into the system, how often they come in, and where they come in from,” he says. “We have logs to keep that audit-trail information for us.”
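Both interviewees describe the same control: watch where each login comes from, alert in real time when the source is somewhere the organization does not recognize, and keep the audit trail so historical questions can be answered later. The block below is an added example and is not code from the article or from ARA or OhioHealth; the log line format, the recognized address ranges, the user names, and the sample log lines are all constructed assumptions.

```python
"""Alert on logins from unrecognised networks and keep every event for later queries.
Added example; the log format, network ranges and sample lines are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed address ranges the organisation recognises (campus LAN and VPN pool).
KNOWN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumed log line shape: "<ISO timestamp> login user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for addresses outside the organisation.
SAMPLE_LOG = """\
2024-03-04T08:01:12 login user=alice src=10.20.4.17 result=ok
2024-03-04T08:03:45 login user=bob src=192.168.50.9 result=ok
2024-03-04T08:10:02 login user=alice src=203.0.113.55 result=fail
2024-03-04T08:10:40 login user=alice src=203.0.113.55 result=ok
2024-03-04T09:15:00 login user=bob src=198.51.100.7 result=ok
2024-03-04T17:42:10 login user=alice src=203.0.113.55 result=ok
"""


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "result": m["result"],
    }


def is_known_source(addr, networks=KNOWN_NETWORKS):
    """True when the address (string or ip_address object) lies in a recognised range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in networks)


class LoginMonitor:
    def __init__(self, networks=KNOWN_NETWORKS):
        self.networks = networks
        self.events = []                    # every event, for historical queries
        self.alerts = []                    # real-time findings
        self.seen_from = defaultdict(set)   # user -> outside sources already alerted on

    def ingest(self, line):
        """Record one line; return an alert for a successful login from an
        unrecognised network, otherwise None."""
        ev = parse_line(line)
        if ev is None:
            return None
        self.events.append(ev)
        if ev["result"] != "ok" or is_known_source(ev["src"], self.networks):
            return None
        first_time = ev["src"] not in self.seen_from[ev["user"]]
        self.seen_from[ev["user"]].add(ev["src"])
        alert = {
            "ts": ev["ts"],
            "user": ev["user"],
            "src": str(ev["src"]),
            # A repeat from an outside address already reviewed ranks below a new one.
            "first_time": first_time,
        }
        self.alerts.append(alert)
        return alert

    def history(self, user=None, since=None):
        """Query retained events by user and/or an ISO timestamp lower bound."""
        cutoff = datetime.fromisoformat(since) if since else None
        return [
            ev for ev in self.events
            if (user is None or ev["user"] == user)
            and (cutoff is None or ev["ts"] >= cutoff)
        ]


def run_sample(log_text=SAMPLE_LOG):
    """Feed a log through a monitor; return (monitor, alerts raised in order)."""
    mon = LoginMonitor()
    alerts = [a for a in (mon.ingest(ln) for ln in log_text.splitlines()) if a]
    return mon, alerts


if __name__ == "__main__":
    _, found = run_sample()
    for a in found:
        print(f"{a['ts']} {a['user']} from {a['src']} new_source={a['first_time']}")
```

Failed attempts are retained but not alerted on here, so they still show up when the history is queried; the `first_time` flag separates a newly seen outside address from a repeat that an analyst has presumably already looked into.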
Although he notes that it is becoming increasingly important to support mobile access, Walters says that OhioHealth Information Services currently limits access to apps on mobile devices. The organization has developed an app for the iOS and Android OS that allows physicians to check clinical results and offers other very basic functions; it’s also working on streamlining Blackberry access.
For tablets and remote computers, OhioHealth Information Services offers users remote access to a virtual version of their desktops. ARA takes a similar approach: “On the iPad, we provide access to applications through Citrix®, so there’s nothing we install,” Thomas says. “All the technology we authorize for purchase has a remote wiping capability, so we instruct users to let us know if they ever lose it.”
Encryption
Encryption is a primary line of defense against data breaches, and both ARA and OhioHealth Information Services employ it for personal computers. Full database encryption, however, remains elusive for ARA. Thomas reports, “We don’t encrypt our database because of lack of support from third-party vendors. If we could guarantee we’d still get support on our applications from them, that would be different.”
Taking the extra precaution of encrypting a database would be meaningless, however, if the most basic defense against intrusion—authentication—is not taken seriously. Enforcing complex passwords, though, is difficult when using Windows®.
“How Microsoft® enforces complex passwords does not create very complex passwords at all,” he says. “It’s up to the user to create a stronger password than what Windows allows. We’ve looked at some two-factor authentication solutions, but it’s always a balance between the end users’ need to have it easy to use and our need to have it work well with our applications. The two don’t always mesh well.”
At OhioHealth Information Services, each imaging file is encrypted prior to storage, and encryption for desktops and laptops adds “a layer of protection, if the images and applications don’t encrypt on their own,” Walters says. He adds, however, that the organization has faced challenges similar to ARA’s in attempting to get multiple third-party apps to play nicely with one another: “There are a lot of different technologies that come into play, getting all the data together on who’s logging in where, so we’re investing in some new technology to consolidate the logs and do event correlation,” he says.
Both organizations employ intruder-prevention tools, as well as antivirus software—updated regularly, of course, to protect against emerging vulnerabilities. For further protection, OhioHealth Information Services is in the process of implementing an app whitelisting program that prevents users from downloading unrecognized programs. “It looks at all the programs on your computer, and if it finds one it doesn’t recognize, it won’t let it run,” Walters says. “It takes a bit of management, so we’re rolling it out slowly, but we have it in place at one of our hospitals, and it works pretty well.”
USB Threat
One threat mentioned by both Walters and Thomas is the portable USB drive. At ARA, Thomas says, “We do a lot in-house to limit who is permitted to copy to USB drives,” thereby mitigating both the risk that patient health information will be lost and that malware from outside systems will be introduced.
At OhioHealth Information Services, “It’s been almost accepted by a lot of different areas as a medium for transporting images. Someone has an MRI exam done on a patient and brings it to the radiologist on a thumb drive, and the physician has to be able to load it,” Walters says.
His team addressed this issue by making USB drives read-only devices, so that nothing can be placed on them without being encrypted. “If anyone finds that drive, he or she won’t be able to read the patient health information,” he says. The organization’s antivirus software is programmed to scan portable drives for potential threats, he adds.
Walters says that his most pressing ongoing concern is the physical security of the devices in the health system. “Because we’re spread out over so many campuses, it can be challenging to keep track of all the machines and report where they are at any given time,” he says. “Tracking inventory and making sure that records are accurate is one of the most important things I do.”
From the practice perspective, Thomas says, his biggest challenge is staying abreast of regulatory changes—and educating the rest of the practice on how best to respond. “We keep a pretty close watch on the regulations, but they can become difficult to implement because you’re educating a group practice on why you now need a new technology—because the government has mandated this or that change,” he says. “What does the government mean? How do our attorneys interpret that? What’s the best approach to mitigating a specific risk?” Answering those questions, he concludes, “is more challenging than anything.”
Cat Vasko is associate editor of RadInformatics.com and editor of ImagingBiz.com.