Health IT Execs' Top Worries: Security, BYOD, Cloud

Health Data Security: Tips And Tools

Seven senior IT executives who participated in a focus group conducted by analyst group HIMSS Analytics cited data security concerns -- especially those related to the growing use of personal mobile devices -- as among their top challenges. Other pressing issues included the growth in data storage needs and health information exchange.

Although the focus group was small, what the participants said reflected the IT infrastructure priorities of the industry, as represented in a recent survey by the Health Information Management and Systems Society (HIMSS), according to a report on the focus group.

The IT executives lamented their loss of control over device management in a "bring your own device" (BYOD) environment. As one participant noted, "you can't lock down [providers'] personal e-mail."

[ Want more on BYOD in healthcare? Read Halamka Knows Perils And Promise Of Healthcare BYOD. ]

Another participant pointed out that with the proliferation of personal smartphones and iPads in hospitals, "data is exchanged insecurely whether you like it or not," regardless of how many security controls are put in place. Providers tend to find workarounds that can jeopardize data security, several people said.

According to a December 2012 HIMSS survey on mobile devices, 75% of hospitals are using "remote wipe" capabilities to eliminate data on lost or stolen devices. Also, many facilities are using mobile devices to access data but not to store it, noted Jennifer Horowitz, senior research director of HIMSS Analytics, in an interview.

"For the most part, organizations are viewing these devices as access tools and not necessarily as storage tools. They don't want the data [to reside] on the device," she said.

The focus group participants pointed out that the use of wireless networks makes it difficult, if not impossible, to prevent employee use of the Internet for personal reasons. Although some hospitals tried to restrict access to websites such as Amazon, Facebook and Twitter, they found that employees figured out how to reach those sites by using their institution's guest network.

When clinicians are working, rather than playing, they might encounter "drop zones" in their wireless networks where the signals to mobile devices fade out. Participants reported using a variety of solutions to address this problem, including "virtual desktops" that let users who experience a dropped signal pick up where they left off when wireless access is restored. One participant said his institution used a microwave network to transmit and receive data in places where cellular signals are blocked.

Data storage was cited as another problem, mainly because of the spread of data-hungry picture archiving and communications systems (PACS). Among the issues were "the ability to store an ever-increasing number of data-intensive images, challenges in exchanging images created by remote clinicians, and securing images taken with a mobile imaging machine," according to the report.

One participant said his organization had trouble linking to remote sites because the only solution available was "painfully slow." Yet he did not mention the possibility of using a cloud service to store data and applications.

In general, the participants "were approaching the use of cloud computing with caution," the report said. Some executives said they were comfortable with the use of a private cloud hosted by their primary health IT vendor. But they were still more likely to store administrative data in the cloud than clinical data containing personal health information.

One major obstacle to using the cloud, Horowitz pointed out, is the difficulty that providers have had in obtaining business associate agreements (BAAs) from cloud vendors. Under the latest HIPAA rules, providers are required to have BAAs with cloud computing firms. If they don't, they could get in trouble with the government, and they also run the risk of being sued if there is a security breach involving personal health information.

"If hospitals put their information out there in the cloud, and anybody else has access to or control over it, hospitals need to feel secure that the appropriate security mechanisms are put into place," Horowitz said.

Although Microsoft and Box recently announced that they have HIPAA-compliant BAAs, some other public cloud vendors apparently don't. It is unclear, however, why any technology vendor that hosts a private cloud service designed primarily for hospitals or physician practices would not sign a BAA.

Lisa Gallagher, VP of technology solutions for HIMSS, told InformationWeek that in the recent past, "some cloud vendors were reluctant to sign BAAs." But the new HIPAA Omnibus Rule makes it clear that all providers must have such agreements in place with cloud providers. "So, now cloud providers must sign BAAs when their services include receiving and storing PHI [personal health information]."