
Solutions for mitigating health care investigation complexities and risks

June 27, 2017
Cyber Security Health IT
By Shane Whitlatch

A large hospital group with 60,000 users experiences a data breach.

Patient records are offered for sale on the “Dark Web” and the provider has to track down the source of the breach. Management at the provider starts an investigation, which requires a team of staff to review potentially hundreds of different applications and the access rights of countless vendors and other third parties.

Traditionally, health care data breaches and the ensuing investigations were managed reactively. For example, an outside agent accesses information in a criminal manner, offers it for sale, and the company finds out about the issue from the authorities. Or maybe their internal IT discovers irregularities, but it’s well after the theft occurs, so the company has to piece together what happened.

An industry shift from a reactive to proactive approach is key to reducing breaches.

Overcoming challenges
Contrast the challenges facing health care providers with banking institutions.

With a bank, there is typically a core application that manages transactions between the customer and the bank. There might be some other related applications, but the main application provides structure and accountability to various processes. In a health care setting, such as a larger hospital group, there could be hundreds of applications in use simultaneously. Each one might have different data set standards, and there may be little to no interconnectedness between the solutions.

The IT capabilities of hospitals and providers have evolved over time, but not at the same speed as other industries. Whether they are confronting ransomware or managing breaches, these IT departments need to oversee a multitude of applications that might all contain private patient information. It’s fundamentally a breadth issue, as health care requires specialists, various departments and outside referrals to all work together for patient care. This breadth means the efforts taken to manage and catalog user identities are a massive problem in health care. User names are not typically connected between applications, so can the organization be sure “Steven Ray Reynolds” is also “srrreynolds” on another application? Security risk analyses are worthless unless all of the users are properly identified.

Another health care-specific challenge is the ability of clinical applications to provide investigators with usable information. These applications are designed to provide fast and accurate clinical care, and many of these systems were not originally built to provide an audit trail for forensics. They’re technologically challenging and outdated, which puts additional pressure on IT. Regulations such as HITECH and Meaningful Use force EHR providers to produce audit logs if they are going to be reimbursed, so many providers are now offering audits as part of their technology.
