12-05-13 | Blog Post
The prolific number of endpoints that laptops, tablets, iPads, and mobile phones bring to the traditional and mobile healthcare settings makes the hair stand on end for those unfortunate information technologies, security, and compliance officers forced to protect patient data.
Those caught up on the instinctive rush to secure all endpoints with customized security protections quickly realize this approach is in vain, as the multiple of hardware times operating system platforms quickly out-tasks even the well-resourced healthcare IT department — and I challenge anyone to find a healthcare IT department with any idle time on its hands. It’s no wonder that those protecting health information struggle against the stereotype of being the eternal “no-go” person.
Nonetheless, meaningful use is driving CPOE (Computerized Provider Order Entry), patient engagement, telemedicine, and remote patient monitoring to improve outcomes for discharged patients and prevent unnecessary readmissions. Somehow, data security will need to harmonize with the efficiencies and improved care coordination digital health information can provide.
Where to start?
Experienced IT, security, and compliance professionals start at the top, identifying and classifying information according to its sensitivity and risk of exposure. What data could harm patients and the entity the most? What impact would result if the data were lost or stolen? What areas are most critical to protect?
Then, finding a sustainable method of controlling the flow of patient data without further compromising provider workflows is the next conundrum. Sophisticated CIOs familiar with virtualized environment often choose a VDI, or Virtual Desktop Infrastructure, to create and manage a single security profile across the entire spectrum of hardware and operating systems. Microsoft’s Remote Desktop Services, Citrix XenApp and VMWare’s Horizon View are examples of these types of environments. What makes them safer than your typical mobile app? While you can still interact with the data presented through the VDI, the data can stay securely on the server tucked safely in the data center without being stored on the end point device. This means that if the endpoint device – the laptop, tablet, or mobile phone – is lost or stolen, there is no sensitive information there to fall into the wrong hands.
Hopefully the information architect has taken precautions to implement things like two-factor access control for an extra layer of identity verification, and secure VPN tunnels to encrypt the data in-transit, and an encrypted server architecture to protect the data at-rest as well as make it harder for someone to discover a user’s login and get to the data on the home server.
But wait, what about web apps? Aren’t they better? For new initiatives, perhaps. But for an IT environment with any degree of complexity or legacy applications (in other words, almost every healthcare IT environment), it’s not practical to rewrite all of the functionality as a web app. The risk to patient data from introducing new errors or the disruption of care provider workflow is likely to outweigh the benefits of using a web app. Sometimes it’s much easier, safer, and cost-effective to present those legacy applications through the Virtual Desktop Infrastructure instead. Companies with the luxury of creating health information systems for mobile devices only recently may have been able to build these systems from the ground up as web apps, in which case the need for a VDI to shepherd the data from the user to the server in the data center becomes obsolete.
Regardless of which side of the VDI/web app fence IT applications fall on, either is far better than storing text files, spreadsheets, or any type of patient information on a device that can easily be removed from a protected care setting. Many well-intended providers don’t realize that clicking on a file in their email effectively downloads that data to their phone or tablet — easy pickings for anyone who discovers the device or happens to be sharing the same unprotected coffee shop network.
Does that scenario seem like a remote possibility? Consider this: In 2010, over 10,000 Medicare-certified home health agencies served nearly 3.5 million beneficiaries with over 122 million visits. We know that each of those visits generated patient data — in the patient’s home. We know that those care providers didn’t wait until the end of a full day of patient visits with all of that information in their heads to travel back to the same location as the secure server tucked away in the data center to enter all that patient data. No, they charted that patient information on paper, or on a remote device like a laptop or other mobile device.
With the exception of the advanced and progressive home health agency with a well-resourced IT department, or patient record system, the vast majority of those 122 million visits worth of patient data traveled in cars and backpacks all day along. This is where either a VDI or web app can drastically reduce risk. If care providers can use a mobile device with VDI or web app access to a secure server – wherever it may be – they can enter the data without it touching paper or the device memory and go directly to a protected (hopefully encrypted) IT infrastructure environment.
About the Author
April Sage has been involved in the IT industry for over two decades, founding first a technology vocational program, and secondly a bioinformatics company supporting the pharmaceutical industry in the development of research portals, drug discovery search engines, and other software systems. Currently, April is the Director Healthcare IT for Online Tech, focusing on HIT thought leadership and the impact of HIPAA/HITECH policy on IT infrastructure and systems. April holds a BGS from the University of Michigan, and is a cohort member of the University of Michigan’s inaugural 2014 Masters Health Informatics program, jointly sponsored by the UofM School of Public Health and UofM School of Information.