Notes from the Road 16: Securing Patient Data

Turn your head and cough…

It seems to me that more and more hospitals and healthcare organizations require sensitive patient information before you even describe what your ailment is. The simple name and address form of yesteryear has easily turned into pages and pages of questions on everything from past medical history and contact information to billing and payment data. Think about it this way. You go to the “Doctor” (even that is a loose definition these days) and before you even say “my back hurts” you are handed “the clipboard”, with a pen branded with a pharmaceutical company logo. You take your clipboard to a seat in the waiting room, no doubt picking up several new strains of bacteria on your way. Then 15 minutes later you walk back to the receptionist (more germs as that precocious child with the snot flowing from his nose coughs in a straight line towards your mouth) and you hand over “the clipboard” that is now chock full of your most sensitive and confidential data. But what does the receptionist do with that information from that point forward?

Most likely they take your written answers and enter them into their patient medical records program. You are now an entry and your intimate details live on in perpetuity, electronically as a series of 1s and 0s. And we all know the liability of having an electronic persona. Who hasn’t heard the horror stories of the uncomfortable post on Facebook that goes viral? Now imagine that all the answers to those questions on that seemingly benign “clipboard” were to also fall into the wrong hands. Holy Horror Batman!

I am not sure how I stumbled on this tidbit of scared straight facts from “MedPage Today” but they recently revealed that 96% of Healthcare Organizations reported patient data or related information had been lost, stolen or otherwise compromised. This is a 23% increase from the same statistic in 2010. A 23% increase in under 2 years?!?! Even gas prices aren’t increasing that fast. And how do I find the 4% that are not seeing my data lost, stolen or otherwise compromised? We have all seen the stories and the headlines, “Hospital Employee leaves laptop on train. Thousands of patient records compromised.” Especially in my home town of Boston, where some of the best medical facilities exist a stone’s throw from Fenway Park, we hear this same crisis over and over. It has gotten to the point where this scenario is more uncomfortable than a prostate exam.

But ask yourself this question: how did we go from “the clipboard” to widespread data breach and patient vulnerability? I am very confident that the piece of paper with my handwritten details on it was promptly shredded by the receptionist. Even if it wasn’t, it is securely stored within the medical facility. It is the healthcare worker, the one who takes their portable device home to do some work after dinner, who is the weakest link. They are not even working on my information. But because my information was on that laptop that they left on the train, bus or plane, I am now exposed to the world like a man wearing a hospital johnny two sizes too small.

We haven’t even discussed the scenario of these employees using public cloud services for data sharing like Dropbox. Now they don’t even need to leave their portable devices behind for my sensitive data to be let loose in the digi world. They can actively and intentionally release it into the wild from the comfort of their monotone colored, windowless office in the basement of the hospital. Someone take my temperature (orally please) because I just felt a shiver.

Now, I do not want to cause widespread panic or imply that data breaches are a pandemic in the healthcare industry only. No, it is a horizontal issue across almost every organization and vertical. Ever use a lawyer to close on the purchase of a house? When I think of the information my lawyer has on me it makes my eyes hurt. He has seen me through divorce, asset acquisitions, wills and probates and trusts, oh my. What if he started using Dropbox to share legal records with a partner law firm? What if he left his laptop on the train?

Now that I have you sufficiently wound up thinking the sky is falling and we are all doomed, I’d like to offer the solution. The magic pill, if I could tie back to the medical theme of this blog. At RES we recently released a solution we branded “RES HyperDrive” and offer it up as the on-premises alternative to public cloud offerings such as Dropbox. I have been speaking about this topic at several trade shows recently (including Microsoft MMS and TechEd EMEA) and a theme repeats itself over and over: my users are already using Dropbox. I can’t very well strip them of that necessary functionality that they already use to do their jobs without having an alternative that satisfies their requirements to be productive and also satisfies my requirements to be secure.

At this point I usually offer up RES Baseline Desktop Analyzer as a means to discover, with facts, what the user population’s current Dropbox usage is. Now that you have the Dropbox report, you can work to remove the threat, introduce the solution and maintain productivity. With RES HyperDrive, your users can still leverage the benefits of a collaborative work style but do it more securely and on premises, in your own private cloud. They can still even maintain a collaborative work style with partner organizations, but you as the IT team can whitelist exactly who and which organizations they can interact with. You can also trace route (remember TRACERT?) your data to see where the users have been working across organizations.

But Sean, you ask, this is all great and I love it (of course you do). But what about your original scenario of the lost or stolen portable devices? The data is still on those, private cloud or not, isn’t it? Well, thank you for bringing that up. Because of the way RES HyperDrive works, yes the data is in your private cloud, and it is synchronized with your own devices. Local access is always key, isn’t it? In this scenario the user comes to you, head hung low because they lost their laptop. Believe it or not, their first concern is the tangible asset they lost, an $800 portable device. But we know, it is not the device. The device is a simple commodity that is easily replaced by turning to a shelf where you keep a dozen laptops on hand. It’s all about the data!

Imagine a scenario where you chastise the employee, if for no other reason than the sheer fun of it, and then issue them a new laptop. They log in with their credentials. They are instantly presented with the environment they had before. The RES HyperDrive agent launches. They issue their credentials and BANG, instantly their data is sitting where it always was. Instant recovery and instant productivity. But that doesn’t cure the data breach ailment with the laptop that is now in the hands of an unknown. So, through RES HyperDrive’s console you issue a kill pill. The end result is a wipe of the data from that lost device. It is not a systematic blowout of the device (what if the scenario was an employee who left the org and used their personal device?). Your data is secured again. Crisis averted. All is good with the world again.

The moral of the story: before you take that pen with the Viagra logo on it and write down your most intimate details, ask the receptionist this question, “Do you use RES HyperDrive or shall I just post my medical history on Facebook?”

Stay tuned for the next blog in the NFR series. “Frederick W. Taylor; Father of Scientific Management or Productivity Madman?”
