March 15, 2010

Fraud Protection for Electronic Healthcare Data

Electronic data within any healthcare organisation needs to be protected from fraudulent activity. But, whether this be done by employees or outsourced third parties, what are the best methods and major challenges for securing healthcare data systems?

By cms admin

The protection of electronic data is vital to patient and staff confidence in any healthcare organisation. Frances Penwill-Cook talks to Colin Tankard, managing director of Digital Pathways, which has more than 20 years’ experience in designing, implementing and managing data security systems and solutions, to find the best methods of implementation and where the pitfalls lie.

Frances Penwill-Cook: Where do the main data security risks come from within the healthcare sector?

Colin Tankard: The challenge for most hospitals is the protection of data inside the environment rather than protection from outside.

We see this issue a lot with our corporate customers who use third-party companies to help them support a database, a particular piece of software or manage their server infrastructure.

These people tend to have high administration rights to gain access to the environment, the servers and network.

There is a real risk that the information viewed could be used for personal gain or financial reward. You need to consider the possibility of disgruntled employees who may have a personal agenda and use the information to discredit the organisation.

Because of the way personal information is stored within the health environment – and the way the UK government wants e-health to move forward and be available to external organisations – it is not hard to see that the whole issue of confidentiality, and the robustness of security systems, will percolate very much to the fore.

FP-C: How do you think healthcare organisations should go about making sure they are protected?

CT: Generally the issue of data protection falls into various categories: for example, the security of the data – who has access to it, what can be done with the data and how the data is tracked. But in its basic form, you protect against physical theft, somebody taking one of your backup tapes or running off with a hard drive from the server. The way you can protect yourself against this is to use encryption technology, which scrambles the data so that the person who runs away with it can’t read it.

It is vital, of course, to ensure that the key to the encryption is kept separately from the data. We find that many clients think they are protected because they have encryption but don’t think about where they store its key. Nine times out of ten it is still with the data. If someone has access to both the key and data, they will be able to crack it, so we recommend clients always keep them separately so the data is encrypted and the key is held somewhere in a secure environment.

Encryption, however, will not stop a valid user or administrator viewing the data as encryption alone cannot prevent this. The encryption needs to be linked with strong access controls to the data.

Access control is about two things: firstly, users, which means good passwords or, better still, a one-time-use password, smartcards or token authentication – the latter being the best option. Good access control is unique to the individual, which confirms who logged on and accessed the data at what time, and gives non-repudiation of the user to the data.

The other critical part is what applications are allowed to access the data. This is important as it links a user with a specific application. So, for example, if I’m accessing a Word document, I will be forced to use Word rather than Notepad or some other similar application. This limits my options and when this form of control is linked to more complex applications, it makes getting at the data that little bit harder for the wrong person.

So, if I create a path to access my data, and I put some controls around it – control which path / application you take to access the data – then I can block any other path / application to that data. We do this for any application or tool and so you are controlling who and what application is accessing the data. This combined approach of linking encryption with good access and application control is often missing in an organisation’s strategy for data protection.

FP-C: Is that the kind of strategy you also recommend for protection against third-party fraud?

CT: It is for everyone. The risk of third parties is slightly greater than with employees, but if you have a disgruntled employee, or someone with their own agenda, they could be looking to gain access to information they shouldn’t have access to.

You may have different access rules for different users; doctors may have different access rights compared to administrative employees and likewise the facilities group would have no access to doctor or admin data.

Access to data should be on a ‘need to know’ basis. What is needed is a hierarchy of both access and control, managing who or what data the varying individuals can see. And it is a challenge, it is not easy, but it is good practice for a policy to be put in place.

FP-C: Do you see healthcare organisations employing these pathways or do you believe they are not protected enough?

CT: From the organisations we’ve talked to in this area, many data protection systems seem to be based around point solutions – the use of differing solutions for different areas; for example, securing PCs with one solution and servers with something else.

You can say that these solutions are strong and robust, but I feel they bring up issues of management and control because they often have different policies; then, as soon as it becomes complicated, things get missed and policies are not covered properly. That is exactly the time when people exploit the lack of continuity to gain access to these systems.

Looking at this strategy demonstrates that there is no cohesive approach to providing a consistent level of security of access control to data across all users. This is a big weakness and we see it in the health sector. It is a very disjointed approach to providing security of data in our view.

FP-C: What steps should healthcare organisations take towards implementing a more cohesive approach?

CT: When we talk to clients about this I always liken it to a traffic light system. Think of the red light – you stop. So, stop and think about what data you have and where it is. You will be surprised just how many organisations really do not know where all their data is.

Identify the data, locate its server and environment, look at the type of data and decide whether it needs to be protected. In the health environment, for example, patient records all need to be protected and that would also include any kind of correspondence related to it. Also included may be trust, salaries and HR information, all of which may need to be protected.

Then on to amber: this is ‘what is needed to protect this information?’ Highly critical information, such as patient records, needs to be encrypted and organisations should have control over which users and applications have access to that data. This requires applying appropriate technology, and processes or procedures to that particular data.

On to green: go. The system goes live and people are accessing the data, but now we need to audit and monitor what is happening. Auditing enables the system to tell you who’s accessing the data; say, Mr White accessed the data at 11.30am and changed five or six areas, logging off at 2pm, which could be normal practice. If someone suddenly accesses the data again at 1.30am and makes unusual alterations, you most certainly would want to know.

Auditing, and knowing what is going on, is key. The chief executives need to have reports on who or what is accessing the data and, if things go wrong or legislation changes, they can then decide to go back from green to red and stop the error or put in additional controls to meet new regulations.

In real terms you can’t be this pragmatic. Often we may start at green, put in auditing and monitoring so people get to see who is accessing the data, put in place policies to protect the data, and then work our way back through the process. But in a nice clean world we would go red, amber and green.

Our experience tells us that often companies do not know exactly who is accessing their data and that is very worrying. It is quite a complicated area and generally the big institutional organisations are the ones that have weaknesses. In a large organisation such as the Health Service, it is really hard to understand who does what and what information everyone has access to. It is a very complex procedure.

FP-C: Do you think a cohesive approach could be mainstream in the next five to ten years?

CT: I think if there’s enough focus and clarity of thought, it can be done very quickly. Some of our big corporate customers can do these things within a week or so, but you have got to be very focused and that is the hardest thing nowadays, especially where budgets are tight. I certainly do not see why it could not be done in a five-year period. We would take each piece separately and work through. I fear the approach the NHS will take is to try and do it all in one go – it will fail if it does that.
