What do hospital administrators and their CIOs fear above all else? Information theft is a strong candidate, especially when the stolen information includes sensitive patient data. Nothing grabs attention as completely as learning that a laptop loaded with patient data has slipped out the door. With preparation, though, such an event may be prevented, and if it is not, because no system is perfect, its impact can be minimized.
That was the message of George Bowers, MBA, in What Keeps CIOs Awake at Night: Information Theft, which he presented on May 16, 2008, at the Society for Imaging Informatics in Medicine’s annual meeting in Seattle. Bowers, principal at Health Care Information Consultants, LLC, Baltimore, is the former CIO of American Radiology Services and the former vice president for information services and CIO at the University of Maryland Medical Center.
As Bowers summarizes HIPAA regulations, “Covered entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their electronic protected health information against any reasonably anticipated risks.” Reminding his audience that in that single sentence there is room for all kinds of interpretation, he says, “What is reasonable, and to what extent are protections adequate?”
“One thing we have learned is that if it is not bolted down, it can develop legs and it can walk.”
—George Bowers, MBA
Today’s hospital has to worry that more information devices than ever can walk away with patient data on them: laptops, PDAs, keychain flash drives, and even smart cell phones. “We also have potentially malicious intent on the part of employees or outsiders who may want to crack systems and get data,” Bowers says.
A Case Study
To illustrate how severe the data-theft issue is, Bowers uses the example of a 100-bed rural hospital (which he does not name) where a laptop containing patients’ birth dates, names, and Social Security numbers was found missing from the emergency department two years ago. The laptop, used in the triage area for preliminary registration of patients, contained an abbreviated version of the master patient index going back to 1989, Bowers explains.
When the hospital learned that data that could be used for patient identity theft had gone missing, administrators responded by contacting the state hospital association, law enforcement, and the hospital’s insurance company. They then sought out other hospitals that had experienced data theft and studied how those hospitals had responded. These steps took a couple of weeks, Bowers says.
Two more weeks passed while the hospital identified all the patients with stolen data and found current addresses for them. Next, the hospital hired a security firm to work with the patients to avoid identity theft and sent letters to all the patients notifying them of the situation. “Then it hit the papers. They got a lot of press, and they realized they needed to tighten up their security procedures to make sure it wouldn’t happen again,” Bowers explains.
The first step in the hospital’s action plan was to review all laptops for protected health information and eliminate it. Over half the laptops were physically locked down to fixed or mobile workstations, Bowers says. The hospital also initiated an organization-wide employee education program to identify risks and take steps to mitigate them.
The second step was to set up an interdisciplinary team to perform root-cause analysis and to detect latent system failures, as required by the Joint Commission. This step illuminated errors and weaknesses. The data on the missing laptop, for instance, could have been made invisible, Bowers says, but it hadn’t been. The laptop holding sensitive information sat in a high-traffic area, highly visible and tempting. The security cameras the hospital had in place were either not working or were pointed in the wrong direction to capture the theft. As part of security planning long before the theft, the hospital had created a security-variance system to highlight unusual activity, but it wasn’t being used.
When it came to latent system failures, the hospital determined that it lacked an integrated IT security program with provisions for regular review and update. There was also a lack of accountability. When the laptop was stolen, who was accountable? “Whose problem is this: the CIO’s or the department head’s? This was something they’d