Health care providers seek convergence
Efforts to secure network and building access nascent but growing
As more health care providers begin the move to electronic medical records, efforts are underway to better secure the computers and networks that store the data.
The U.S. government’s Health Information Technology for Economic and Clinical Health (HITECH) Act and it’s $19 billion for providers has been the driver for many to move to electronic records.
The legislation also calls for health care organization to have “meaningful use” of the software in order to qualify for the grants. “The criteria requires health care data to be kept confidential, private and secure, accurate, shareable with patients as well as providers, mobile and exchangeable, and readily available,” states a Smart Card Alliance white paper that was released in February.
Some type of identity management system is necessary to meet this requirement and control access to patient medical records. A Ponemon Institute report on medical ID theft released in March stated that 78% of those surveyed want health care providers to ensure the privacy of records. The same report stated that 1.49 million people will be the victims of medical identity theft in 2011 at a cost of more than $20,000 per case.
While companies report that health care providers are securing networks, there are still gaps. The U.S. Department of Health and Human Services Inspector General issued a report stating that general IT security controls were lacking for electronic medical records systems.
Another report that looked at how states were complying with HIPAA identified problems with how states were securing electronic personal health information. The audit of seven hospitals across the country identified 151 vulnerabilities in the systems and controls intended to protect personal health information, of which 124 were categorized as high impact.
“Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge,” the audit stated.
There are a variety of technologies health care providers can deploy to secure networks. At Albert Einstein Healthcare System in Philadelphia and Seattle Children’s Hospital, smart cards and one-time passcode tokens are being used.
Albert Einstein made the switch because it was separating from another health care system in Philadelphia, says Russ Johnson, network director of protective services. Since all employees would have to be rebadged the organization decided to migrate to a converged multi-technology credential from HID Global and integrated by Seimens.
The health care provider had been using an antiquated Weigand swipe card for physical access control, Johnson says. Making the switch for the health care system’s 7,500 employees and 1,000 physicians at four hospitals, seven campuses and 50 offsite primary care physician and surgical center locations was a daunting task. They had to issue the new credentials and notify individuals of the change. “Because the employee’s were spread out it was a logistical challenge,” he says.
HID’s Identity on Demand product was ideally suited for the task, Johnson says. The vast majority of employees already had photos in the human resources database so the health care network seperated the employee’s by location, had HID produce the card and then mail the credentials to those specific locations. Albert Einstein went with multi-technology cards, including iClass, prox and bar codes.
For physical access control, the health care provider went with a dual technology reader that handles both the older Weigand technology and the new iClass technology. They replaced 1,000 readers.
Bar codes were needed for the Kronos payroll system, Johnson says. Employee’s punch in and out using the bar code on the badge, so it was critical that this piece worked correctly from the start otherwise employees might not get paid. “We went though four or five pay cycles using different employees testing the bar code in the time and attendance system,” he says.
The bar code is also used to make purchases in the cafeteria and keep track of annual testing for flu shots and safety certifications. Eventually some of the bar code capabilities may move to the contactless interface, Johnson says.
The credential is being used for single sign-on to the hospital’s networks. Employee’s simply tap the badge against a reader and are signed into the network.
Johnson would like the facility’s medical equipment to be enabled by the credential too. Eventually he hopes to have employees logon to all different types of medical equipment, including medication carts, with the badge. “We want to see the ID as a gatekeeper,” he says.
The most important take away for Johnson is communication. Health care providers undertaking a rebadging or a refresh of identification technology need to make sure to communicate with employees, set deadlines and stick to them.
Seattle Children’s Hospital
When employees use the computer network internally at Seattle Children’s Hospital they still login using user names and passwords, says We Wright, vice president and chief technology officer at the provider. But the provider was looking for something that employees could use to securely access the network from home or when traveling.
The hospital selected Gemalto’s Protiva .NET solution to leverage the “plug and play” capabilities of its existing Microsoft infrastructure. This included the ability to deploy three types of .NET devices provisioned and managed through Protiva Strong Authentication Server–the .NET USB key, the .NET Dual token and the Easy OTP token.
Some 2,700 keys have been deployed for employees who travel or need to access the network from home with plans to distribute a total of 4,500, Wright says. Seattle Children’s opted for the USB keys because they didn’t require dedicated card readers or additional software that would be required for smart cards. “If you’re using a hotel computer you can’t install any software,” he adds.
Using the device, a user can access to a virtual desktop, Wright explains. The employee goes to the Web site, enters a user name and password along with a six digit PIN from the token and then has access to the desktop as if they were in the hospital building. This includes electronic medical records, Microsoft Exchange and other patient applications.
Wright considered having the tokens used as an additional form factor for internal security but it created too many workflow issues.
Seattle Children’s took the step to better secure its virtual networks. But health care organizations are taking a tougher look at both physical and logical security, says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto.
“Health care providers are looking at both logical and physical access to meet regulatory requirements, i.e., HIPAA, but there is a struggle between recommendation and implementation,” he says. “A converged solution offers the best economies of scale by centralizing all authentication needs into one credential. Hospitals in particular can benefit from this type of solution, but have faced the challenge of user adoption.”
Government regulations may eventually force health care providers to add security, Wizbowski says. For example, A U.S. Department of Health and Human Services committee recommends that at least two-factor authentication be required for those exchanging information using the Nationwide Health Information Network standards.
Health care providers that are looking for increased security seem to be taking one of two routes, Wizbowski explains. They are either going the route Seattle Children’s selected or they are going for a standard’s based approach. “For providers who are looking to tie into broader national initiatives like the First Responder Access Credential, the choice is to go with an open platform identity based on the PIV-I standard,” he says. PIV-I is a U.S. federal standard for identity documents for non-government employees.
Using PIV-I would give health care providers more options. “The value of this technology will be fully realized as the ecosystem becomes more developed and the interoperability of the identity can be used in multiple domains with multiple applications,” Wizbowski adds.