eWEEK speaks with Dave Marchand, Dell Healthcare's CTO, on how health care organizations can approach security.
With security breaches always a threat, health care organizations need to find a way to share data to
provide quality of care while also keeping data secure.
Recent breaches involved misplaced backup tapes for Tricare,
a provider of health care services to active and retired military personnel,
and 20,000 patient records leaked to a private Website by a contractor for Stanford
Hospital. eWEEK spoke with Dave Marchand,
CTO for Dell Healthcare & Life Science Services, to find out how health
care organizations can tackle security challenges.
How can data breaches in
health care such as the one at Stanford Hospital be prevented?
In the case of Stanford, someone had access to that spreadsheet of
thousands of records. Was it pulled off of a network drive, were we monitoring
the network drive, were we encrypting the data in the first place? There are
several things we can do to prevent something like that from happening.
One of the ways is through
encryption - encrypting the data at rest. The other way is encrypting the data in
motion: Whatever communication is being used to transport data from one machine
to another, from one organization to another, is encrypted.
The third one is tools, and
these are emerging, which actually look at the data being used and look at
behavioral trends and start to provide notification if the patterns of use
look suspicious in any way.
What factors are forcing
health care organizations to rethink their security policies?
One was ARRA HITECH [American Recovery and Reinvestment Act/Health Information Technology for
Economic and Clinical Health Act], revamping of HIPAA
[Health Insurance Portability and Accountability Act] policies, but in the last
year, the Department of Health and Human Services' Office of Civil Rights has
been imposing more and more penalties.
Earlier this year, they came
out with that ruling they call the "access report," where they are
enabling any patient to come in and say who's touched my health record. And
whether that means for who's used it in the course of doing their job or
whether it's been disclosed to an outside entity, I think that's causing a lot
of people to revamp this.
But I think a lot of it is
the breaches, the penalties and now the complexity of things becoming more and
more electronic. And them having to take that data and share it through health
information exchanges (HIEs)
and new models such as accountable care.
How can doctors make use of
data for diagnosis and decision making while still keeping the data protected?
To do their job in the future, they're going to have to collaborate
more. It's not just their data but sharing that with their peers in a
community. And making sure it's not just their use that's secure; the
community's use is secure as well. The more touch places you have, the more you
risk that things aren't secure.
This is where Dell looks at
where if we can provide a lot of these solutions out of the cloud, out of our
data centers, we have fewer places to secure.
If we use virtual
, which is one of the underpinnings of our Mobile
solution, we can make sure the data stays there and it
just will get sent out as what they need to view in that period of time. But
the data never gets transferred to their device. When it does get transferred
to their end-user device, we make sure that it is encrypted and we make sure
that if that device ever gets lost or stolen, we can lock that device down.
What are some key findings from your May security survey that will be relevant going
into the fourth quarter of 2011 and beyond?
For the most part, when we took a look at the security spending, ROI,
most people believed that they were doing pretty good on securing things, but
they couldn't really say what money was going to be allocated toward security.
It seemed that security was embedded in a number of initiatives.
When we asked [health care
executives] to take a look from a risk perspective, this is where we see a
recurring pattern. The biggest concern for them was the unencrypted patient
data on laptops, smartphones and tablets. What happens when we have to make our
work force mobile to do their job - so that was the No. 1 risk.
What happens when you move
that data into the cloud: Is that cloud secure? That's a predominant theme. We
did a CHIME [College of Healthcare Information Management Executives] CIO forum
about a year and a half ago, and the No. 1 concern there was data on mobile
devices as well.