Protecting Your Data Within The Healthcare Sector
To build world-class hospitals, leading hospitals in the country are relying heavily on IT to put in place world-class processes, says Sascha Beyer
Over the last year, IT has begun to permeate the healthcare industry at a rate never seen before. The confluence of IT and healthcare is not a new phenomenon; digital imaging of X-rays, for instance, is well-established practice. Lately, in an attempt to build world-class hospitals, leading hospitals in the country have started relying heavily on IT to put in place world-class processes that set them apart. These include projects that revolutionise patient and staff record keeping in hospitals.
For instance, a leading hospital in India has put in place an e-ICU that can monitor patients' progress 24x7, and a CRM (Customer Relationship Management) solution that helps to reach the right doctor at the right time. Hospitals have also been able to link surgeries through the internet. Coupled with the growing number of mergers between surgeries, these systems ensure that patients have a greater chance of seeing a doctor when they need one.
Linked surgeries have put tremendous pressure on administrative systems. Patients want appointments today, not next week! Doctors need fast access to patient notes in order to make decisions. If all the records are not available, the wrong treatment may be prescribed or, worse still, the doctor might be unable to determine the cause of the symptoms.
Even hospitals with well-established record management systems find it difficult to retrieve out-patient notes in a short time span. Local surgeries, therefore, have little or no chance without IT. The general public knows that it can walk into a bank or a store and have its information called up by customer services. People are increasingly becoming ITeS savvy. They expect hospitals to provide access to their records wherever and whenever they need treatment.
This raises two different but complementary issues: protection of patient records, and ready access to those same records for healthcare professionals. Protecting patient records is simple only in theory. In a modern environment, where people are always on the move, treatment can be required anywhere and these records need to be accessible at the point of care.
This goal of 24x7 accessibility can only be achieved if there is trust between patient and healthcare centre. Since these records are transferred using technology, that trust has to extend to the security of the technology that enables it.
Healthcare workers no longer carry large stacks of paper records with them. Today, this information is stored on devices such as laptops, PDAs and smartphones; and more and more people are now loading information onto USB keys and even onto MP3 players, which now have a capacity comparable to that of high-end laptops! These devices are valuable and hence attract theft, and even assault, for access to the device. As technology has advanced, the size of devices has gradually reduced, and they are easier to lose while travelling. Once a healthcare worker loses the device, the records on it are at risk.
The law sets down certain obligations for individuals who handle personal data, in order to check breaches of privacy and security. As technology has become more pervasive, laws have been adapted to deal with it. We live in a dangerous world where personal data is extremely valuable, and there has been a significant rise in the number of crimes based on identity theft.
Banks regularly report gangs of criminals using stolen information to obtain credit cards. Governments worry about organised criminals and terrorists using stolen identities to obtain passports. Access to healthcare records could enable drugs to be obtained unlawfully, or lead to the patient being blackmailed.
Considering the criticality of personal information, security emerges as a key concern. In general, people entrusted with such information do try to live up to expectations: they do not lose other people's information by deliberately leaving devices where they can be stolen. But accidents and negligence cannot be ruled out.
This is where we need to look at what technology can be used to protect data. The easiest way to protect data is to encrypt it automatically. This prevents anyone without the right password or PIN from accessing the information. It is no different from using a credit card.
Chip and PIN, an encryption and digital identity approach, has been brought in by the credit card industry to reduce fraud. Without the PIN, the card will not be accepted by the credit card provider. In the world of IT security this is referred to as two-factor authentication: something you know and something you have.
In practice, whenever a record is copied to a computing device, it is automatically encrypted, without any user intervention. Accessing any record means entering the password or PIN whenever the record is actually opened. This means that records can never just sit, unprotected, on the device.
A thief who has stolen a device, or a person who finds one, would be unable to access the information, even if the device had been left turned on. The device might have fallen into the wrong hands, but not the information.
By enforcing encryption when data is copied, technology can be shown to provide sufficient trust. The use of a password or PIN does not require the user of the device to learn a new way of doing things. As has been stated, it is the same as using a credit card. Users are familiar with accessing computers through passwords, and this is no different.
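The encrypt-on-copy and two-factor scheme described above, written out as an added example in Python (this is not code from the article or from Pointsec): `DEVICE_SECRET`, `encrypt_on_copy`, `open_record` and the PIN `4821` are constructed names and values, and the cipher construction (PBKDF2 over both factors, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag) is a standard-library stand-in for a product's disk encryption.

```python
"""Encrypt-on-copy with two-factor key derivation, as described above.

Added illustration for this article, not Pointsec's code. The PIN is
'something you know'; DEVICE_SECRET stands in for a secret held on the
device ('something you have'). Stdlib only: PBKDF2-HMAC-SHA256 derives the
keys, HMAC-SHA256 in counter mode is the keystream, and an HMAC tag
(encrypt-then-MAC) rejects a wrong PIN, a wrong device or tampering."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a secret held in the device's protected storage.
DEVICE_SECRET = bytes.fromhex("9f" * 32)

def derive_keys(pin: str, device_secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Both factors feed the KDF: the PIN alone or the device alone yields nothing."""
    material = hashlib.pbkdf2_hmac(
        "sha256", pin.encode() + device_secret, salt, 100_000, dklen=64)
    return material[:32], material[32:]  # encryption key, MAC key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; 32 bytes per block."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt_on_copy(record: bytes, pin: str, device_secret: bytes) -> bytes:
    """Called transparently whenever a record lands on the device."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(pin, device_secret, salt)
    ct = bytes(p ^ k for p, k in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_record(blob: bytes, pin: str, device_secret: bytes) -> Optional[bytes]:
    """Returns the record, or None if the PIN, the device or the blob is wrong."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(pin, device_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # nothing is revealed, even with the device switched on
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    blob = encrypt_on_copy(b"constructed: patient 0421, allergy penicillin", "4821", DEVICE_SECRET)
    print(open_record(blob, "4821", DEVICE_SECRET))  # the record
    print(open_record(blob, "0000", DEVICE_SECRET))  # None
```

A wrong PIN, a different device secret or a single flipped byte all return None rather than garbled plaintext, which is the property the article relies on when it says a stolen device yields the hardware but not the information.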
Protection of patient data on mobile devices is not, and should not be seen as, an onerous process. IT needs to keep it simple, yet provide user-friendly tools to ensure that users understand the process and its criticality.
Here are a few simple and basic security rules to ensure that all your data only gets seen by the intended recipient:
1. Put a policy in place that always strives to encrypt personal data and other sensitive information.
2. Use software solutions that enforce automatic and mandatory encryption in real time without any user intervention.
3. Use effective authentication for all access to personal data or any other sensitive information, irrespective of device type.
4. Teach users about simple device security.
5. Don't leave devices in cars.
6. Never hang bags on the back of chairs in public places.
7. Laptop bags are beacons for thieves; try using other ways of carrying devices.
8. Always keep devices safe in the room when staying in a hotel.
9. Change passwords regularly.
10. Store only company information on devices regulated by the security policy. Carry out regular checks on devices.
11. Providing effective security is an ongoing process. Therefore perform regular security reviews to ensure that the security policy is obeyed.
These rules should form part of an organisation's approach to protecting data on computers and mobile devices. It requires little effort to apply them, and they are simple for users to follow. Remember that complex security approaches are often self-defeating.
If you don't secure the data now, it may be too late tomorrow. Once it has been stolen, it is too late to think about "what we should have done better".
Doctors, nurses, medical technicians, secretaries, receptionists and dentists are just a few of those who will be interacting with and using electronic data on a range of devices. Their workload is large, time is short, and this is where they are vulnerable.
Putting in place a solution to ensure that their data is encrypted is not just about ensuring the security of critical data; it is also about responsibility towards those whom we serve.
The writer is Vice President, Asia Pacific & Africa, Pointsec Mobile Technologies