A healthy way to protect patient data: a healthcare organization found that it needed a way to control the use of removable media to ensure that patient data remains protected.


LIKE ALL HOSPITALS and medical facilities, Baptist Memorial Health Care Corporation (BMHCC) must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires medical services providers to provide security measures for all stored patient health information. But the organization realized that its compliance efforts were threatened by the ease with which sensitive information could reside unprotected on USB flash drives and other portable devices.

BMHCC, which has more than 12,000 employees working in nine hospitals in Tennessee and five in Mississippi, mitigated these risks with two endpoint-security solutions that secure mobile data and ensure that sensitive data remains private through encryption and password protection.

When BMHCC purchased its current desktops, it purposely excluded writable media, which at that time included floppy drives and CD burners, says Lenny Goodman, IT director of desktop management, corporate information systems. "We felt the endpoints were secure--there was not a way for users to take data out of our endpoints and take it home."

But, says Goodman, the organization had no way to back up data, so when USB flash drives became affordable and popular, many tech-savvy users bought one so they could do it themselves. "We didn't condone it; we didn't condemn it," says Goodman. "We didn't see it coming."

About two years ago, BMHCC looked for a solution. Goodman and his IT team evaluated everything that they could find. After winnowing down the possible contenders to three, the team decided that Auditor and Protector, two products made by Safend Ltd. of Tel Aviv, Israel, "had the most mature approach," Goodman states.

Auditor is a software utility that queries network endpoints, locating and documenting all removable media devices--past and present--that have ever been connected to each endpoint machine. "The way that it gathers and organizes the data into useful audit reports far exceeded any of the other products," Goodman says.

Protector detects and allows or restricts devices by device type, model, or specific device serial number. It also monitors traffic in real time and provides logs to administrators to make it easier to create policies for removable media.

Installation was simple and without glitches, Goodman reports. Just as important was the rapport he built with Safend representatives. He says he developed a wish list for the company that Safend was happy to accommodate. For example, could he get a log of all file transfers between the host machine and the flash drives--both inbound and outbound? "They said, 'Yeah, we'll go back to the drawing board and we'll do that.'"

BMHCC began using Auditor about a year ago, and is in the process of identifying all devices enterprisewide. "We're still in the ratchet-down phase, as I call it, trying to approach a day when the only thing left on our system is approved devices," Goodman says.

Goodman is also creating administrative processes to determine who is responsible for identifying end users with legitimate business reasons to carry data on flash drives and other portable devices. "This means a written approval process and a chain of authority," he says. An example of such an approved end user is a staff member who develops PowerPoint nurse-in-service training programs and then presents them at different BMHCC sites.

Goodman and his team decided that approved devices had to be password protected as well as fully encrypted because users tend to lose them regularly. They also had to be plug-and-play and offer a user-friendly interface to ensure fail-safe security practices.

They found DataTraveler Elite-Privacy Edition (DTEP) by Kingston Technology Company of Fountain Valley, California, a USB drive that allows users to fully encrypt data without having to install additional software on the host machine. The device is protected by a password control mechanism that locks out users after 25 failed password attempts.

To date, BMHCC has deployed about 100 DTEP devices to approved users and plans to provide 500-700 more this year as the approval process continues to take place companywide. "We're implementing in stages," Goodman explains. "One of the things you don't want to do is say, 'In two weeks you won't be able to use your device anymore' because you don't want to encourage a rush to bad behavior. On the other hand, you don't want to just turn everything off and wait for people to holler, because you may have just crippled a really vital business process that you weren't aware of."

Goodman says that the software has cost about $20 per endpoint. Additionally, the DTEPs cost about $100 each. The cost is justified by the high cost of a single HIPAA violation, which is "potentially $200,000," he states. "And then there's the public relations cost," which "can be incalculable."

(For more information: Safend: 215/496-9646; fax: 215/496-0251; Web: www.safend.com. Kingston Technology Company: 714/438-1845; fax: 714/438-1845; Web: www.kingston.com.)

--By Ann Longmore-Etheridge, associate editor
COPYRIGHT 2007 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:SMART SOLUTIONS TO SECURITY PROBLEMS
Author:Longmore-Etheridge, Ann
Publication:Security Management
Date:Jan 1, 2007