Imaging information is becoming increasingly mobile: For evidence, look no further than the FDA’s recent approval of an app for the iPod, iPhone, and iPad that allows diagnostic use of MRI, CT, PET, and SPECT exams. With increased connectivity, however, comes an increase in vulnerability. Under pressure to protect all patient health information or face significant regulatory backlash, how are facilities tending the technical security of medical-image data?
R. Todd Thomas, CIO of Austin Radiological Association (ARA) in Texas, says, “In the event of a breach involving 500 or more individuals, you have to publish it online and contact the patients involved. We hope we’re never caught in that kind of situation.”
Preventing security breaches that involve patient health information—whether they occur as a result of equipment theft, viruses, hacking, or other causes—requires continuous vigilance, Thomas notes. “We’re constantly evaluating where users are logging in from, so if it’s somewhere we don’t recognize, we can find out why,” he says. “Our alerts happen in real time, but we can also query historical data.”
Jerry Walters, director of information security for OhioHealth Information Services in Columbus, takes a similar approach: “We track who comes into the system, how often they come in, and where they come in from,” he says. “We have logs to keep that audit-trail information for us.”
Although he notes that it is becoming increasingly important to support mobile access, Walters says that OhioHealth Information Services currently limits access to apps on mobile devices. The organization has developed an app for the iOS and Android OS that allows physicians to check clinical results and offers other very basic functions; it’s also working on streamlining Blackberry access.
For tablets and remote computers, OhioHealth Information Services offers users remote access to a virtual version of their desktops. ARA takes a similar approach: “On the iPad, we provide access to applications through Citrix®, so there’s nothing we install,” Thomas says. “All the technology we authorize for purchase has a remote wiping capability, so we instruct users to let us know if they ever lose it.”
Encryption is a primary line of defense against data breaches, and both ARA and OhioHealth Information Services employ it for personal computers. Full database encryption, however, remains elusive for ARA. Thomas reports, “We don’t encrypt our database because of lack of support from third-party vendors. If we could guarantee we’d still get support on our applications from them, that would be different.”
Taking the extra precaution of encrypting a database would be meaningless, however, if the most basic defense against intrusion—authentication—is not taken seriously. Enforcing complex passwords, though, is difficult when using Windows®.
“How Microsoft® enforces complex passwords does not create very complex passwords at all,” he says. “It’s up to the user to create a stronger password than what Windows allows. We’ve looked at some two-factor authentication solutions, but it’s always a balance between the end users’ need to have it easy to use and our need to have it work well with our applications. The two don’t always mesh well.”
At OhioHealth Information Services, each imaging file is encrypted prior to storage, and encryption for desktops and laptops adds “a layer of protection, if the images and applications don’t encrypt on their own,” Walters says. He adds, however, that the organization has faced challenges similar to ARA’s in attempting to get multiple third-party apps to play nicely with one another: “There are a lot of different technologies that come into play, getting all the data together on who’s logging in where, so we’re investing in some new technology to consolidate the logs and do event correlation,” he says.
Both organizations employ intruder-prevention tools, as well as antivirus software—updated regularly, of course, to protect against emerging vulnerabilities. For further protection, OhioHealth Information Services in the process of implementing an app whitelisting program that prevents users from downloading unrecognized programs. “It looks at all the programs on your computer, and if it finds one it doesn’t recognize, it won’t let it run,” Walters says. “It takes a bit of management, so we’re rolling it out slowly, but we have it in place at one of our hospitals, and it works pretty well.”