Editor’s Note: Jon Senger is the CTO of Vertiscale. He writes frequently on the topic of HIPAA compliance and the role of MSPs in healthcare security.
The leading cause of data breach incidents in healthcare facilities is lost or stolen end-user devices, including laptops and tablets. Such breaches have led to six-figure fines for HIPAA violations in some cases, and with the stepped-up enforcement in 2016 promised by the Department of Health and Human Services, we can expect to see more healthcare providers receiving similar fines.
The best way to ensure the security of applications and data is to pull the security perimeter back to the data center, keeping data off end-user devices. The resulting security landscape is much easier to manage and audit than a traditional distributed-device scenario.
By implementing a system that optimizes employee productivity and enables secure remote access to sensitive data, healthcare providers can drastically reduce their compliance risk profile, while modernizing their IT operations and insulating themselves from attacks from hackers and other criminals.
In addition to keeping protected health information (PHI) off end-user devices, a server-based security architecture yields several other important benefits, including the ability to log access to PHI, tighter limits on access, and support for BYOD and secure remote access. Perhaps most important for small practices, though, are the substantial cost savings that can be realized by implementing this type of architecture.
Approaches for Server-Based Security
One approach for implementing server-based security is to use virtualization technologies. Simply put, this method permits users to access data and applications in a shared environment where multiple users are working on one or more physical devices. Frequently, a single physical server can support an entire office of workers. These environments enable users to access all the applications and data they need in their daily work, without actually downloading and installing anything on their local laptop, desktop, or tablet.
The virtualization concept is a perfect fit for healthcare practitioners, but only if they select tools that offer the benefits of enterprise-grade virtualization without raising their costs. Many broad-spectrum solutions quickly raise costs, increase complexity, and in many cases reduce security.
However, there are specialized virtualization solutions available that offer many immediate benefits. Regardless of which one you choose, your solution must provide:
· Prevention of PHI storage on end-user devices. If the provider can ensure that no PHI is ever stored on a laptop or a tablet, then even should a device go missing or be stolen, no data breach — and no HIPAA violation — has occurred.
· Robust authentication for authorized users. A server-centric architecture means that the provider can employ a variety of techniques to ensure that only people who should have access to PHI are able to gain that access. The authentication protocols can be tightly integrated with the overall network and server architecture.
The specific HIPAA requirement is: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” — § 164.312(d), Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov. If data is allowed to reside on end-user devices, such authentication becomes impossible to enforce; moving all PHI into a controlled server environment is the only realistic solution.
· Accurate and complete logging of PHI access. Since all data is stored centrally, this approach also enables the system to record every access to PHI. In a properly designed system, these logs are stored offsite in a secure datacenter, are retained for as long as regulations require (up to 28 years in some cases), and are available on demand.
According to HIPAA regulations, covered entities must keep logs for a minimum of six years, and some states (notably Texas) require that providers keep logs for at least ten years. It is also vital that inspectors and auditors be able to review and access these logs at any time. If the patient records or PHI relate to minors, the retention period can extend to a total of up to 28 years. (§ 164.308 Administrative Safeguards; § 164.312 Technical Safeguards; § 164.316 Policies and Procedures and Documentation Requirements; Security Standards for the Protection of ePHI, HHS.gov.)
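The following is an added example (written for this edited page, not code from the article or from Vertiscale) of what a server-side PHI access log with the properties described above can look like. It is plain Python standard library. Two things go beyond the text and are assumptions of the example: entries are hash-chained so that an auditor who pulls the log on demand can detect tampering or deletion, and the retention periods quoted in the article (a six-year HIPAA minimum, ten years for Texas, up to 28 years for minors) are applied as flat periods counted from the time of access. The events themselves are constructed sample data.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Retention periods in years, taken from the article above. Applying the
# 28-year figure as a flat period for minors is an assumption of this example.
FEDERAL_MIN_YEARS = 6
STATE_MIN_YEARS = {"TX": 10}   # extend with other states as needed
MINOR_MAX_YEARS = 28

GENESIS = "0" * 64             # prev_hash of the very first entry


@dataclass(frozen=True)
class AccessEvent:
    seq: int
    timestamp: str            # ISO-8601, UTC, set by the server not the client
    user: str                 # authenticated user, never a free-text claim
    patient_id: str
    action: str               # e.g. "view", "update", "export"
    prev_hash: str            # hash of the previous entry: the chain link
    entry_hash: str


def _digest(seq, timestamp, user, patient_id, action, prev_hash) -> str:
    payload = json.dumps([seq, timestamp, user, patient_id, action, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class PhiAccessLog:
    """Append-only, hash-chained log of PHI access kept on the server side."""

    def __init__(self):
        self._entries = []

    def record(self, user, patient_id, action, when=None):
        when = when or datetime.now(timezone.utc)
        seq = len(self._entries)
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        ts = when.isoformat()
        ev = AccessEvent(seq, ts, user, patient_id, action, prev,
                         _digest(seq, ts, user, patient_id, action, prev))
        self._entries.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if every entry is intact and the chain is unbroken."""
        prev = GENESIS
        for i, ev in enumerate(self._entries):
            if ev.seq != i or ev.prev_hash != prev:
                return False            # entry removed, reordered or inserted
            if _digest(ev.seq, ev.timestamp, ev.user, ev.patient_id,
                       ev.action, ev.prev_hash) != ev.entry_hash:
                return False            # entry contents altered
            prev = ev.entry_hash
        return True

    def query(self, patient_id=None, user=None):
        """What an auditor asks for: who touched a record, or what a user touched."""
        return [ev for ev in self._entries
                if (patient_id is None or ev.patient_id == patient_id)
                and (user is None or ev.user == user)]

    def export(self) -> str:
        return json.dumps([asdict(e) for e in self._entries], indent=1)

    @classmethod
    def from_json(cls, text):
        log = cls()
        log._entries = [AccessEvent(**d) for d in json.loads(text)]
        return log


def retention_years(state, patient_is_minor):
    years = max(FEDERAL_MIN_YEARS, STATE_MIN_YEARS.get(state, 0))
    return max(years, MINOR_MAX_YEARS) if patient_is_minor else years


def retention_deadline(ev, state, patient_is_minor) -> str:
    start = datetime.fromisoformat(ev.timestamp)
    years = retention_years(state, patient_is_minor)
    try:
        end = start.replace(year=start.year + years)
    except ValueError:                  # 29 Feb landing in a non-leap year
        end = start.replace(year=start.year + years, day=28)
    return end.isoformat()


def may_purge(ev, state, patient_is_minor, now_iso) -> bool:
    return datetime.fromisoformat(now_iso) >= \
        datetime.fromisoformat(retention_deadline(ev, state, patient_is_minor))


def demo_log():
    """Constructed sample events (not real data) to exercise the log."""
    log = PhiAccessLog()
    t0 = datetime(2016, 2, 29, 9, 0, tzinfo=timezone.utc)
    log.record("dr.smith", "P-1001", "view", t0)
    log.record("nurse.jones", "P-1001", "update", t0.replace(hour=10))
    log.record("dr.smith", "P-2002", "export", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify())
    for ev in log.query(patient_id="P-1001"):
        print(ev.timestamp, ev.user, ev.action,
              "keep until", retention_deadline(ev, "TX", False))
```

An auditor who receives the exported JSON can rebuild the log with `from_json` and call `verify`; any edit to a stored entry, or removal of one, changes or breaks the chain and `verify` returns False. The retention helpers show how the three figures in the text combine: the longest applicable period wins, so a Texas record for a minor is kept for 28 years.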
· Encrypted file storage. Keeping data off end-user devices also implies that everything is stored in a central location, where it can be encrypted without worrying about users bypassing or subverting local encryption. Users may be required by policy to use local encryption, but it is easily bypassed when a user is in a hurry, has not been properly trained, or is simply not on board with the idea of protecting sensitive information.
· Enablement of secure remote access and “Bring Your Own Device” (BYOD) capabilities. Healthcare providers, like every other type of organization, are under pressure to operate more productively, including allowing workers to move around easily within a facility and to move between facilities while still being able to access all the information they need to do their jobs.
Bring Your Own Device (BYOD)
Supporting a mobile workforce is becoming a true necessity for many practices. Specifically, tablets like the Apple iPad and the Microsoft Surface have become extremely popular in the healthcare field and many people wish to use their personally-owned tablets and laptops to access PHI. From a business point of view, use of tablets, whether they are owned by the organization or by the end user, offers numerous benefits, including increased productivity, improved employee satisfaction and cost savings.
Managed Service Provider (MSP) Considerations
Healthcare providers also typically outsource their IT needs to Managed Service Providers (MSPs), who function as their IT department. Working with MSPs allows providers to greatly reduce their operating expenses, since the personnel, equipment, and other technical costs can be shared among all of the MSP's clients.
It is an excellent way for a provider to ensure that their IT needs are met while remaining compliant with HIPAA and keeping costs down. The trick, as many healthcare providers have already discovered, is finding an MSP that is truly knowledgeable about data security and has the technical wherewithal to implement HIPAA-compliant IT systems.
Fortunately, new types of virtualization-based services and tools are now available that are designed specifically for MSPs to use in deploying and managing IT infrastructures for healthcare providers. These tools are low cost and provide all the security benefits of the systems available from large enterprise-focused vendors, without the high costs and complexity of deploying those systems in smaller, diversified environments.
Best Practices for Evaluating an MSP
Practice managers evaluating an MSP should be sure to get satisfactory answers to the following questions:
· Can you configure our systems so no PHI is allowed to be stored on the end user devices, but still ensure that authorized personnel have access to the PHI they need to do their job?
· Can you allow my people to access our systems securely from any location?
· Can you allow my people to use any computer that is available to them to access our systems, without having to download and install any additional software?
· Can you help us extend the life of our installed base of desktop and laptop computers?
· Can you provide us with an encrypted file storage system and require that all PHI be stored in that encrypted system?
· Can you ensure that our systems will record when our users are accessing PHI and that I can access those logs at any time?
· How much will all this cost?
The only way to accomplish all this is to use the server-based approach described above. MSPs that can provide satisfactory answers to these questions should be able to deliver a set of IT services that will help the practice maintain HIPAA compliance, and also ensure that the practice's operations run smoothly with maximum productivity at the lowest possible cost.