Similar to many healthcare organizations these days, Shafiq Rab, CIO and Vice President of Hackensack University Medical Center in Hackensack, NJ, uses an all-in approach when it comes to data security. While Rab understands security is a learning process and best practices are developed over time, having best-of-breed products in place on top of regular privacy and security examinations is a must for a 771-bed hospital.
Rab knows that patient’s data is in Hackensack’s hands during care and in turn, they put their privacy in its control. A big part of ensuring patient data is safe and secure is locking down their EHRs with high-level privacy and security controls while being vigilant of internal and external threats by performing security audits. Hackensack University Medical Center has been through Stage 1 Meaningful Use security analyses and now it’s getting ready for Stage 2 Meaningful Use, which has put it in a good position from a security standpoint.
We know that one day we’ll be audited and because of that we look to see if there are any deficiencies. From a few different risk assessments to multiple penetration tests to data loss prevention (DLP), we have put all those things in place. And through those tests, we have a risk mitigation process where a committee meets every month and helps [uphold high security standards].
Rab said Hackensacks uses, for example, McAfee Deep Defender, which runs on Intel, so it can secure the data at the root level. When a user tries to connect a device, the product checks the other root key first and only if it’s can information be saved on [a device]. The organization has EpicCare Links for role-based accesses. For example, if a nurse who works 7-4 p.m. and accesses data she doesn’t need to after 5 p.m., Rab and Hackensack will know about it. Because Hackensack does audits internally and externally, role-based access is important. This level of scrutiny also applies to administrators, as it continually determines who has all access and why they have that kind of access.
In addition to in-house audit tools, we generally don’t ask the consultants who have helped us in the past to do the audit. We instead ask people who we haven’t worked with yet. (The next audit will be in December). They tell us what we need to do better and then we make those changes.
Furthermore, Rab said the organization uses a real-time data locator that ensures all the data ports are locked from, for example, virus-ridden USB sticks. And on a daily basis, Hackensack looks at who’s trying to attack and penetrate in from the outside and ensure there are no distributed denial-of-service attacks (DDoS attacks).
We also have a malware mitigation plan that can help avoid problems from people bringing viruses from home. Part of this is blocking USB drive ports, which upset some people but in the end the IT department supplied internal USB sticks [to be used in the hospital]. That was a little tough for us and we’re still not over it because there are some physicians or nurses who go elsewhere to give presentations.
Hackensack BYOD policy: A collaborative effort
Rab has also learned through years of healthcare industry experience that “Thou shalt not…” policies don’t work when applied to clinical staff. This is especially true for mobile security and BYOD policy. Rab and Hackensack instead choose to embrace the security challenge and adopt it as part of the organization’s culture.
Hackensack allows users to access its network through a BYOD program, but through trial and error the organization has collaborated with clinical staff and developed a policy that fits everyone’s needs. In addition to handing out corporate-owned devices, Rab and Hackensack allowed physicians and nurses to bring in their iPhone or Android device into the hospital to implement device management (MDM) solution from Mobile Iron and Airwatch that’s integrated into its BYOD policy. “The [BYOD] line was about 50-60 people deep throughout the three-day period and my CEO asked me if I was handing out candy,” he said.
For the BYOD phones, Hackensack put the MDM solution with a bubble around it on the device so when they would open the clinical applications, they don’t touch the rest of the data. If a staff member ever lost the device, Rab can control of the application and wipe the app from the phone without losing the rest of the data.
We also asked if we could put controls on the device (such as a laptop or phone) so that we can monitor it to ensure there’s no malicious activity. Instead of us shoving the policy down physicians’ throats, they willingly gave us the opportunity to control the hardware. There was one instance in which someone lost a phone and we quickly initiated “Defense Protocol No. 23″ and in two seconds, we knew where the phone was and the physician was able to get to his phone exactly where he left it.
Putting healthcare applications and data into a bubble on BYOD devices is becoming the norm now, but you have to have good WiFi, a good MDM solution and security policy. But at the same time, you have to have willing people to work with you and trust you.