Failure to Set Policy Tops List of Security Risks
While RIS and PACS have become indispensable components of the electronic health record (EHR), they also pose risks to patient security and data integrity. These risks can range in scope from blaster worms to the curious technologist to just plain carelessness, and steps must be taken to secure the personally identifiable information contained in imaging informatics systems, to maintain business continuity, and to ensure HIPAA compliance.
“RIS and PACS are mission-critical systems and any user or device that accesses a PACS network entails risk,” according to Jim Morgan, vice president of medical informatics, FUJIFILM Medical Systems USA, Stamford, Connecticut. “There are internal risks and external risks: Internal risks can be anyone who has access to the system, from anywhere on the network.”
Most RIS and PACS have internal locks and safeguards that can protect against inappropriate and unauthorized use and intrusions, Morgan says. The safeguards built into Synapse® RIS/PACS, for instance, are robust enough to meet US Department of Defense (DoD) standards. A strong security strategy, however, goes beyond the technical to establish security protocols and policies that reinforce safe use of the system.
Potential Exposure
Ironically, the people for whom the systems were designed—radiologists, referring physicians, clerical staff, technologists, and nurses—can inadvertently jeopardize patient privacy. If a radiologist sends an image to a colleague via email in a way that is not secure, this is a potential security threat. Radiologists or referring physicians who review content from home, if the PACS allows images or data to be downloaded and left behind on a remote computer’s hard drive, also could compromise patient privacy. Indiscriminate Web surfing is another potential threat: The nurse who downloads a virus from a website could bring down the whole system.
Curious technologists and other hospital personnel, browsing the system looking for celebrity images, pose yet another well-publicized internal threat to patient privacy. Service engineers who connect new modalities have full access to the system, in some cases, and Morgan highly recommends that they connect securely via VPN and that they have their own login that can be tracked using event logging. If clerical personnel who provide CDs to patients do not have a policy in place to validate these requests, then patient information could be at risk. “In all cases, I don’t think there is malicious intent,” Morgan notes, “but each case poses risks to patient privacy.”
As for external threats, Morgan includes health-care providers among the many organizations under threat from hackers, viruses, worms, and other programs designed to exploit holes in security. If the firewall is penetrated and an intruder gains access to the network, the organization becomes vulnerable. “It is important to remove holes in an organization’s security safeguards up front, as much as possible,” Morgan says.
System Safeguards
At a minimum, every PACS/RIS should have a mechanism for authentication—a challenge of user name and password—and encryption to secure system data. These tools are commonly paired with the use of a VPN that provides an encrypted tunnel from the health-care network to the end user’s computer. Network-domain and workstation-group policy, which provides network administrators with the ability to lock down workstations, is an additional safeguard. It offers settings that prohibit the use of executable programs, that limit access to websites outside the company’s intranet, and that prevent users from plugging a memory stick into a computer and extracting data from the system.
The Synapse system, for example, has complete configurability at the workstation level, even extending to the ability to navigate patient/study folders to open and save documents, but many network administrators dare not go this far. “If you leave it completely open, the data can walk out the door on a memory stick, email, or someone’s laptop,” according to ider Wider, regional product support specialist, Fujifilm. Lock it down too much, and the system can become unusable.
Network administrators struggling with the balance between workstation lockdown policies and providing enough freedom to end users are likely to find another tool useful: activity logging. Administrators can give users the freedom to go anywhere, but let them know that their activity is being recorded, analyzed, and evaluated, in the Hansel-and-Gretel approach to data safety. “This not only is important for security privacy (and in some cases, productivity analysis), but also is essential for The Joint Commission accreditation process,” he says.
Physical security—the ability to use lock and key—should not be overlooked. “Simply keeping a computer behind a closed door eliminates the threat that a visitor will walk by and access the system,” he notes.
System Nitty-gritty
Fujifilm takes authentication and encryption seriously enough to meet military requirements, Wider says. “Our Synapse PACS and Synapse RIS use authentication methods that are extremely flexible and are also secure enough to meet the DoD standards,” Wider says. Authentication software for both Synapse PACS and Synapse RIS is tightly integrated with the Windows® operating system and uses Microsoft® Active Directory to manage login credentials. All bidirectional messaging between Synapse PACS/Synapse RIS and third-party systems (such as the hospital information system, the RIS, the electronic medical record, and the EHR) is encrypted—and, therefore, completely secure from unauthorized users and would-be actors.
In addition, Synapse PACS/Synapse RIS uses standards and accepted industry frameworks such as DICOM, HL7, Integrating the Healthcare Enterprise, and XML for data transmissions between systems. Other security measures include the four that follow.
No data left behind: After the user is finished with a workstation, a home computer, or a laptop, all data are removed from the hard drive. The system also can be set for automatic timeouts, so that if someone walks away from a workstation or laptop, he or she will be automatically logged out after a specified amount of time.
Anonymizing images for export: With the click of a button, the radiologist can anonymize an image (by stripping it of patient information) and send it using encryption or other secure email methods.
Access control: At each facility, Synapse PACS/Synapse RIS administrators have the ability to control access to virtually every piece of information in the system. If a celebrity or public figure is admitted to the hospital, that patient’s folder can be locked down so that only radiologists have access to it.
Audit trails and activity logging: Synapse PACS/Synapse RIS also can provide an audit trail on each piece of patient information and can log the activity of every user, so that with just a click, you can immediately spot check and verify who has accessed the data (and when).
An additional benefit of the security capabilities of the Synapse RIS/PACS is that their power can be leveraged by EHR implementations. “Using industry standards for encryption, such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES), with a standardized messaging format allows all of the systems to communicate in a secure manner,” Wider says. DES uses a 56-bit key and was considered the gold standard in security at its release in the 1970s. AES was co-developed by the U.S. government and private industry and supports key lengths of 128, 192, or 256 bits.
Common Shortfalls
Technology and software will only take you so far, though, when it comes to securing patient information in RIS and PACS. Wider believes that the most common security weakness is the failure to set up and comply with institutional security and behavioral policies. “It’s not necessarily fun to set up, and you can get a lot of grief from the users because you are taking away their privileges and rights to Google a patient, look up their stocks, and go out to the Web and get extra content,” Wider says.
Another major vulnerability, in Wider’s opinion, is the failure to enforce individual logins for each user who accesses the system. “At a number of hospitals, staff members have reported that when multiple users access the same computer, they don’t want to log off or on because it takes time,” he says.
When you consider the consequences of a potential security breach, taking the time to set up security and behavioral policies that make sense for your organization—and fielding the ensuing flak—are time and effort well spent.
Cheryl Proval is the editor of RadInformatics.com and Radiology Business Journal, and is vice president, publishing, imagingBiz, Tustin, California.