Hospital WLAN Security
Nice short article in Healthcare Informatics on WLAN security. Written by Bob Hedglen at UPMC, he details the risks and provides a nice summary of the requirements:
use of data encryption, authentication of every device and user, verification of ongoing policy enforcement and security incident reporting. The system had to complement the WLAN engine from Cisco, San Jose, Calif., to manage and support dynamic communication between our more than 500 existing access points and the many more we expected to have. We needed a vendor-neutral system to monitor our environment and protect our network and data.
UPMC chose the vendor AirDefense for a WLAN network appliance. The new WLAN switches from Aruba, Trapeze, Symbol and now Cisco (via their Airespace acquisition) include most, if not all, of the features of a separate WLAN security appliance. As Bill describes, UPMC already had 500 access points, so a network appliance was the best fit for them.
HIPAA Security Rules Apply to Medical Devices

Earlier today there was the CMS teleconference on HIPAA enforcement (you know, your name in the papers, fines, lots of quality time with lawyers). It was a great session with lots of good reference info and guidance. (You can download the presentation here.) All that talk about enforcement got me to thinking…
HIPAA privacy and security regulations apply to any system or device in a hospital that handles electronic patient identifiable information (ePHI), including many medical devices. According to a recent HIMSS/Phoenix Health Systems survey, only 43% of providers (up from 18% in January 2005) have achieved Security compliance. Surprisingly, the largest hospitals (over 400 beds) had the lowest compliance (34%). Another data point is the apparent lack of hospital adoption of the Manufacturer's Disclosure Statement for Medical Device Security, a tool created to help assess the vulnerabilities and risks associated with ePHI transmitted or maintained by medical devices.
There are many reasons for this potential oversight. The most obvious is the typical organizational separation of the hospital device guys (Biomedical Engineering) from the computer guys (IT). This separation is compounded by IT's lack of experience with medical devices (IT is usually responsible for HIPAA Security and calls the shots). And unlike HIT vendors, who know the HIPAA implications of their products in their sleep (especially the Security provisions), most medical device vendors are waaay behind the curve.
What to do? At a minimum, there are two key tools that you should utilize: the ECRI HIPAA Compliance Guide and the Manufacturer's Disclosure Statement. If your hospital has not used these tools, or something equivalent, then it is likely that if (when?) there is a complaint that involves a medical device, you will gain first-hand knowledge of HIPAA enforcement.
For a compendium of information on medical devices and HIPAA, see Important Reference Web Links under the Resources tab at the top of this page.
UPDATE: Matthew Holt of The Health Care Blog links to this post and relates some amusing anecdotes (as long as it's not your hospital/product) about medical devices infected with malicious code (scroll down to “Devices and Security”).
UPDATE: HIMSS just sent out a press release noting that, “a large percentage of covered healthcare organizations have yet to achieve many HIPAA basics, according to the results of the U.S. Healthcare Industry HIPAA Survey, sponsored by the Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems.”
national initiative to achieve standardized, secure healthcare transactions and high patient privacy levels that will improve the quality and cost-effectiveness of our healthcare delivery system. One must ask — if security threats, federal penalties, and prospects for significantly reducing healthcare errors, costs and other inefficiencies are not sufficient incentives – what are.”
Great question.
Most Consumers Believe EMRs Can Improve Care
It seems a critical stakeholder in EMR adoption, patients, has drunk the Kool-Aid. Accenture surveyed (press release) 519 health care consumers (aren't we all health care consumers?) over the Internet who had seen a general practitioner or medical specialist in the past 10 years. No other respondent demographics are provided. In a summary of findings, consumers believe that EMR adoption can:
- improve the quality of care (93 percent of respondents),
- reduce the number of treatment errors in hospitals (92 percent of respondents),
- lower health care costs overall (75 percent of respondents), and
- reduce the amount of time patients spend waiting in doctors’ offices and emergency rooms (78 percent of respondents).
There were also questions about the frequency of emergency room visits while away from home (75%), and about fears of being rendered unconscious in an accident and unable to report vital information to emergency personnel (65%). A majority (52%) is even willing to pay $5 monthly to store their medical records in electronic form.
Benefits seem to outweigh fears: 54% expressed concerns about privacy and security, while 55% felt electronic records would be more secure than paper.
aware of the potential benefits of electronic medical records, and we believe this shift creates opportunities for health providers and health plans to take steps toward implementing electronic medical record systems,” said Lewis Redd, a partner in Accenture’s Health & Life Sciences practice. “This awareness is relatively new, and we see the potential for an environment where consumers will begin to exert more influence over the speed at which these systems are adopted across the health care arena.”
Just coincidentally, this is good news for Accenture, who stands to make millions helping hospitals implement EMRs.