October 29, 2009, 2:00 PM — Healthcare organizations are energetically seeking cures for managing identity and security in fast-paced hospital environments to help physicians and nurses do their jobs more easily -- and to keep patient data safe.
Sophisticated single sign-on systems are being deployed in hospitals to make it simpler for time-pressed physicians to find records, while encryption and data-loss prevention (DLP) technologies are being introduced as barriers to any chance of exposing sensitive patient data . That's more urgent than ever since a new federal law that's gone into effect, called "Health Information Technology for Economic and Clinical Health Act" (HITECH Act), forces healthcare organizations to make a public announcement through the media if they lose patient data that's not encrypted.
As such, the HITECH has become a driver propelling healthcare organizations into deploying new technologies, such as DLP, to try and make sure they're not among those forced into the harsh limelight of disclosing mishaps with patient data.
"We have two major systems being implemented right now because of the HITECH," says Ben Nathan, associate director for security and identity management at New York City-based Weill Cornell Medical College, affiliated with New York Presbyterian Hospital and other institutions. With HITECH in effect, "if we lose personal health information, the onus is on us to report it to everyone, and to the media."
The college is adopting a DLP system based on the Symantec Vontu product and is also deploying PGP Inc.'s encryption software on laptops. The medical college, which has 5,000 faculty and students, has already put in place an electronic- records monitoring system based on vendor FairWarning's surveillance and audit product that analyzes how individuals access data, with the goal of flagging suspicious activities.
"We want to know if someone who usually looks up 10 records a day is suddenly looking up 1,000," Nathan says. "Or if someone looks up data from another department. We at least need to know about it because maybe someone's account has been compromised."
Weill-Cornell Medical College is tying these data-security and monitoring systems back into its ArcSight security-event and information management system to centralize alerts and correlate information. It's the best method for understanding the risks and what's occurring, Nathan says.