Dell's Marchand Says Encrypting Mobile Device Data Essential in Health Care

By Brian T. Horowitz  |  Posted 2011-10-05


With security breaches always a threat, health care organizations need to find a way to share data to provide quality of care while also keeping data secure.

Recent breaches involved misplaced backup tapes for Tricare, a provider of health care services to active and retired military personnel, and 20,000 patient records leaked to a private Website by a contractor for Stanford Hospital.

eWEEK spoke with Dave Marchand, CTO for Dell Healthcare & Life Science Services, to find out how health care organizations can tackle security challenges.

eWEEK: How can data breaches in health care such as the one at Stanford Hospital be prevented?

Marchand: In the case of Stanford, someone had access to that spreadsheet of thousands of records. Was it pulled off of a network drive, were we monitoring the network drive, were we encrypting the data in the first place? There are several things we can do to prevent something like that from happening.

One of the ways is through encryption: encrypting the data at rest. The other way is encrypting the data in motion: Whatever communication is being used to transport data from one machine to another, from one organization to another, is encrypted.

The third one is tools, and these are emerging, which actually look at the data being used and look at behavioral trends and start to provide notification if the patterns of use look suspicious in any way.

eWEEK: What factors are forcing health care organizations to rethink their security policies?

Marchand: One was ARRA HITECH [American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health Act], revamping of HIPAA [Health Insurance Portability and Accountability Act] policies, but in the last year, the Department of Health and Human Services' Office of Civil Rights has been imposing more and more penalties.

Earlier this year, they came out with that ruling they call the "access report," where they are enabling any patient to come in and say who's touched my health record. And whether that means for who's used it in the course of doing their job or whether it's been disclosed to an outside entity, I think that's causing a lot of people to revamp this.

But I think a lot of it is the breaches, the penalties and now the complexity of things becoming more and more electronic. And them having to take that data and share it through health information exchanges (HIEs) and new models such as accountable care.

eWEEK: How can doctors make use of data for diagnosis and decision making while still keeping the data protected and HIPAA-compliant?

Marchand: To do their job in the future, they're going to have to collaborate more. It's not just their data but sharing that with their peers in a community. And making sure it's not just their use that's secure; the community's use is secure as well. The more touch places you have, the more you risk that things aren't secure.

This is where Dell looks at where if we can provide a lot of these solutions out of the cloud, out of our data centers, we have fewer places to secure.

If we use virtual desktop technology, which is one of the underpinnings of our Mobile Clinical Computing solution, we can make sure the data stays there and it just will get sent out as what they need to view in that period of time. But the data never gets transferred to their device. When it does get transferred to their end-user device, we make sure that it is encrypted and we make sure that if that device ever gets lost or stolen, we can lock that device down.

eWEEK: What are some key findings from your May security survey that will be relevant going into the fourth quarter of 2011 and beyond?

Marchand: For the most part, when we took a look at the security spending, ROI, most people believed that they were doing pretty good on securing things, but they couldn't really say what money was going to be allocated toward security. It seemed that security was embedded in a number of initiatives.

When we asked [health care executives] to take a look from a risk perspective, this is where we see a recurring pattern. The biggest concern for them was the unencrypted patient data on laptops, smartphones and tablets. What happens when we have to make our work force mobile to do their job, so that was the No. 1 risk.

What happens when you move that data into the cloud: Is that cloud secure? That's a predominant theme. We did a CHIME [College of Healthcare Information Management Executives] CIO forum about a year and a half ago, and the No. 1 concern there was data on mobile devices as well.

Mobility Altering the Health Information Security Landscape

eWEEK: How is mobility changing the landscape of health information security?

Marchand: I think there's a real concern of how do you allow people to have the mobility to do their job and how do we make that data secure. They will allow these devices to be used but will load software on it that will make sure that every interaction between that personal device and the system's network is controlled, so that if anything ever happens to the phone, you can lock it down, you can encrypt it or you can wipe that portion of the data off the phone without touching some of their personal resources.

eWEEK: How is security handled differently for health information on mobile devices versus desktop?

Marchand: I think you're going to see some of the same things on the desktop. It's just more of the techniques we use because we have to support more operating systems, and everything else is slightly different for the truly mobile device. Some consider a laptop a mobile device. The desktop is going to become less prevalent over time as people have different ways to access system resources and to access what they need to, as we get more devices out there, managing those from a central place where there's a single set of credentials to manage. What the physicians don't want is to have three or four devices to make them more efficient.

Essential credential management is going to be an important part moving forward. The encryption side of it. Knowing where your endpoints are and knowing if it's a place you're able to track it down.

You may have six different operating systems when people use their own devices. It's OK to let them do that, but you're going to make them load software on to the device. Software segregates what was loaded on for business reasons versus personal reasons. If a phone or mobile device gets lost or gets stolen, all the information that went through that software can be wiped off of that device remotely.

