About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Monday, June 21, 2010

HealthCare - Secure?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. How seriously have we taken the HIPAA regulations, and just basic IT security best practice?

Let me tell you about some of my recent experiences with a healthcare organization here in Wisconsin. Upon arrival at the hospital, I noticed good physical security, parking lot cameras, and controlled entry, and was impressed. Walking in the door and down the hall, that impression quickly changed to shock. I immediately noticed wireless access points hanging from the hall ceilings about 30 feet apart all the way to our destination. What is more shocking is the fact that someone did a really good job with the label maker. I saw the IP address, MAC, and other important information labeled on each access point. Interesting, I thought. Perhaps it would be best to put these items above the ceiling tile.

We arrived at our destination, and we had to sit down with registration and check in. The employee at the registration desk was typing away on the computer and asked us to wait a few minutes, as she was just finishing up another patient. Ok, I'm not in a big hurry, it is 6am, so we can sit here and wait. Keep in mind she is sitting so that I am facing her right-hand side, and the computer is to my right facing her. Not only can I read everything on the monitor, but the paperwork on the desk right in front of us is also very readable. So I am thinking to myself, that is clearly a HIPAA violation. I am reading all this patient information. Upon her completion and getting to us, I mentioned this to her, and to my surprise she got up and got me a brochure on HIPAA and told me that they have a privacy policy. Ok, policy but no practice?

One more story: we had a follow-up visit to the doctor's office, part of this same organization, and while we were waiting to check in, the nurse sitting at the reception desk was talking to a patient on the phone. What was shocking was that she was confirming information with the patient on the phone: name, SSN, DOB, address, doctor, last visit, and talking about a prescription and symptoms and so forth. I learned a great deal about the patient just standing there listening. I am thinking to myself, why not take this call or make this call from a private office and not in the lobby with 12-15 patients sitting in the waiting room listening to the same stuff I am? I followed up that same day with a letter to the privacy officer and to date have not gotten a reply. Is this unique to this organization? Probably not.

Security, privacy and controls are more essential to HealthCare today than they were just a few years ago. Electronic medical records, patient access to their records, online prescriptions, and the list goes on, put these organizations at a clear crossroads. Security has to take a high priority in these organizations, and it needs additional resources.

I have had the distinct pleasure to see Cencio Solutions Corporation (www.cenciocorp.com) in action on data leak monitoring, forensics and response to events. My opinion is that every HealthCare organization needs to be a customer of this group. There is an immediate need to monitor patient records, data movement, and usage. In addition, in the event something does happen, how will you respond? Forensic Services is an essential component of any enterprise security framework, and having this group available to you is key. A holistic approach to security includes a comprehensive framework that covers several categories, among them privacy, data protection, and a response team. Develop your framework, communicate it and test against it. Remember: you are responsible for your security.

Good luck!
