A Security Case Study: Home HealthEncryption Plays a Critical Role for Mobile Workforce
After conducting a three-pronged risk assessment, the company recently completed implementing a series of strategies to mitigate risks. These include:
- Encrypting all desktops, laptops and tablets;
- Limiting the amount of data stored on devices;
- Using a data loss prevention application to help control the use of mobile media and monitor e-mail; and
- Requiring two-factor authentication for certain users.
Next on the agenda are the implementations of a log management system and a security incident and event management program.
Risk AssessmentAmedisys used the Health Information Trust Alliance's Common Security Framework to help guide its assessments, which were conducted with the help of a consultant. "I was new to healthcare, and I wanted to make sure I was doing all that was needed for compliance with all regulations, including the new HITECH Act," Sah says.
The company conducted a legal compliance gap assessment, an assessment of all aspects of security and a technical assessment. "We developed and implemented a comprehensive information security program," says Patrick Thompson, executive vice president of administration and CIO. "It included a governance structure involving appropriate stakeholders, publication of comprehensive information security and HIPAA privacy policies and the implementation of needed technical and non-technical safeguards and controls."
The assessments, Thompson says, helped Amedisys to determine that "the data loss risk from the loss or theft of devices presented the greatest risk." That led to the use of whole disk encryption on 20,000 devices, including desktops, laptops and tablets.
Encryption is "the only way to really provide any level of assurance that when a device is lost or stolen, someone [inappropriate] doesn't get access to the data," Sah says. And that's important, given that the majority of major health information breaches reported to federal authorities have involved the loss or theft of devices or media. Under the HITECH breach notification rule, the loss or theft of a device containing patient information that was properly encrypted does not have to be reported as a breach.
In certain cases, the company also is encrypting server drives, especially for servers used in non-production environments, where a negative impact on performance wouldn't be an issue, Sah says.
Amedisys purchased encryption software as part of a bundle of technologies that also included anti-virus software, a data loss prevention application, an e-mail gateway and personal firewalls, says Sah, who declined to reveal the brand of the technologies. This made the technologies less expensive and easier to deploy, he says.
Encryption ChallengesBut implementing encryption was far from easy, Thompson acknowledges. "We had a number of challenges during deployment resulting from encryption-related device failures and slow communications challenges with central servers," Thompson says. "We worked with relevant vendors to improve the back-end infrastructure and communications and to fine-tune policies to ensure that the deployment was successful."
One lesson learned, Sah says, was the importance of thoroughly testing new security technologies. "We had great pain when we went through this process because we tested things in scenarios that we thought were practical for our environment, but we discovered they were not."
The rollout of encryption and other security technologies was accomplished in conjunction with a "technology refresh" project that Amedisys recently completed. Most clinicians now have new devices with the security technologies pre-installed.
Home health clinicians generally are using tablet computers that store a very limited amount of encrypted data on relevant patients to help minimize risk, Sah says. Clinicians transmit and receive updated information about patients daily, using encrypted messages over a virtual private network.
Data Loss PreventionAmedisys is a using a data loss prevention application to help control the use of thumb drives for storing patient information. The use of USB ports is blocked under certain circumstances, such as for those staff members who have files containing large amounts of patient data, Sah says.
The company also is using DLP, combined with an e-mail gateway, to help prevent transmission of e-mail containing protected health information, yet another way to avoid a HIPAA violation.
To add another layer of security for those who have the greatest access to patient data, especially on back-end servers, Amedisys is equipping these "privileged users" with hardware tokens for two-factor authentication.
"We're looking forward to making continuous improvements to the security infrastructure and information security services we provide to our internal and external clients while continuing to improve upon safeguards and controls to protect information assets," Thompson says.