Dell's Marchand Says Encrypting Mobile Device Data Essential in Health Care

eWEEK speaks with Dave Marchand, Dell Healthcare's CTO, on how health care organizations can approach security.

With security breaches always a threat, health care organizations need to find a way to share data to provide quality of care while also keeping data secure.

Recent breaches involved misplaced backup tapes for Tricare, a provider of health care services to active and retired military personnel, and 20,000 patient records leaked to a private Website by a contractor for Stanford Hospital.

eWEEK spoke with Dave Marchand, CTO for Dell Healthcare & Life Science Services, to find out how health care organizations can tackle security challenges.

eWEEK: How can data breaches in health care such as the one at Stanford Hospital be prevented?

Marchand: In the case of Stanford, someone had access to that spreadsheet of thousands of records. Was it pulled off of a network drive, were we monitoring the network drive, were we encrypting the data in the first place? There's several things we can do to prevent something like that from happening.

One of the ways is through encryption-encrypting the data at rest. The other way is encrypting the data in motion: Whatever communication is being used to transport data from one machine to another, from one organization to another, is encrypted.

The third one is tools, and these are emerging, which actually look at the data being used and look at behavioral trends and starts to provide notification if the patterns of use look suspicious in any way.

eWEEK: What factors are forcing health care organizations to rethink their security policies?

Marchand: One was ARRA HITECH [American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health Act], revamping of HIPAA [Health Insurance Portability and Accountability Act] policies, but in the last year, the Department of Health and Human Services' Office of Civil Rights has been imposing more and more penalties.

Earlier this year, they came out with that ruling they call the "access report," where they are enabling any patient to come in and say who's touched my health record. And whether that means for who's used it in the course of doing their job or whether it's been disclosed to an outside entity, I think that's causing a lot of people to revamp this.

But I think a lot of it is the breaches, the penalties and now the complexity of things becoming more and more electronic. And them having to take that data and share it through health information exchanges (HIEs) and new models such as accountable care.

eWEEK: How can doctors make use of data for diagnosis and decision making while still keeping the data protected and HIPAA-compliant?

Marchand: To do their job in the future, they're going to have to collaborate more. It's not just their data but sharing that with their peers in a community. And making sure it's not just their use that's secure; the community's use is secure as well. The more touch places you have, the more you risk that things aren't secure.

This is where Dell looks at where if we can provide a lot of these solutions out of the cloud, out of our data centers, we have fewer places to secure.

If we use virtual desktop technology, which is one of the underpinnings of our Mobile Clinical Computing solution, we can make sure the data stays there and it just will get sent out as what they need to view in that period of time. But the data never gets transferred to their device. When it does get transferred to their end-user device, we make sure that it is encrypted and we make sure that if that device ever gets lost or stolen, we can lock that device down.

eWEEK: What are some key findings from your May security survey that will be relevant going into the fourth quarter of 2011 and beyond?

Marchand: For the most part, when we took a look at the security spending, ROI, most people believed that they were doing pretty good on securing things, but they couldn't really say what money was going to be allocated toward security. It seemed that security was embedded in a number of initiatives.

When we asked [health care executives] to take a look from a risk perspective, this is where we see a recurring pattern. The biggest concern for them was the unencrypted patient data on laptops, smartphones and tablets. What happens when we have to make our work force mobile to do their job-so that was the No. 1 risk.

What happens when you move that data into the cloud: Is that cloud secure? That's a predominant theme. We did a CHIME [College of Healthcare Information Management Executives] CIO forum about a year and a half ago, and the No. 1 concern there was data on mobile devices as well.