What you don't know about Personal Health Information can hurt you

February 1, 2005

From a compliance standpoint, one medical center wanted to make sure that none of its personal health information (PHI) was leaving the network.

"Ignorance is bliss," wrote an 18th century poet. But clearly he didn't have responsibility for a hospital's information systems and didn't have the Health Insurance Portability and Accountability Act (HIPAA) in mind. We were certain our network was secure from internal misuse. We had our firewall locked down. We had the appropriate URL filters in place. We had blocked access to all the popular instant messenger (IM) applications. Confidence that the hospital network was secure was very high. We were naive.

The southeastern medical center, a network of three hospitals with 6,000 PC users and 700 beds, had a relatively relaxed corporate policy on employee Internet use, regarding it as both a fringe benefit and a business application. Our HR department has a zero-tolerance policy for abuse, but it's hard to determine whether anybody is abusing the network without procedures in place to monitor what's going on. From a compliance standpoint, we wanted to make sure that none of our personal health information (PHI) was leaving the network. With the prevalence of Web-based e-mail, however, that is difficult to ascertain. We can control our corporate e-mail, but it's difficult to control nurse Jane using her local ISP account to send an e-mail containing patient information. That's what prompted a two-week exposure risk assessment, which unveiled multiple activities by employees, staff and associates, ranging from excessive Internet use to unauthorized instant messenger applications; we also discovered three PCs that were serving as peer-to-peer file sharing supernodes. The assessment, which was done by installing Vericept Solutions, provided a view into our network use.

Upon removing those three file sharing PCs, the medical center's IT department immediately resolved serious Internet performance issues. By reclaiming 30% of the hospital's T-1 line, performance improved for the other 2,000 workstations across the WAN. The medical center was able to halt a planned purchase of a second T-1 line, an annual savings of at least $25,000. Had those PCs not been disconnected, any additional bandwidth purchased would have been immediately consumed by the peer-to-peer traffic.

Although the bandwidth savings were considerable and easily quantified, the risk assessment further highlighted issues for the medical center in its compliance with HIPAA privacy and security rules, as well as employee behaviors that put at risk the outstanding community reputation of the 100-year-old hospital.

Using the intelligent content monitoring software, we spotted and halted an established practice of sending Excel spreadsheets with patient information via unencrypted e-mail. This was not done maliciously, but rather out of habit. Since implementation, we've been able to target our policy education to prevent that activity. And, in compliance with HIPAA, when we discover it, we send a copy of the e-mail that the software captures to our privacy officer, who can address the compliance concern.
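The detect-and-escalate workflow described above, as an added illustration (not Vericept's code or the medical center's): a small scanner over a constructed outbound-mail log that flags messages carrying patient-identifier patterns to an address outside the hospital domain over an unencrypted channel and builds the hand-off record for the privacy officer. The log format, the `hospital.example` domain and the identifier patterns are all assumptions for the example.

```python
import re

INTERNAL_DOMAIN = "hospital.example"  # assumed internal mail domain

# Constructed outbound-mail records; "text" stands in for the extracted
# contents of the body and any attachment.
OUTBOUND = [
    {"id": 1, "sender": "jane@hospital.example", "recipient": "jane.home@isp.example",
     "encrypted": False, "attachment": "census.xlsx",
     "text": "MRN 00123456, DOB 03/14/1958, dx pneumonia"},
    {"id": 2, "sender": "billing@hospital.example", "recipient": "payer@insurer.example",
     "encrypted": True, "attachment": "claims.xlsx",
     "text": "MRN 00987654 SSN 123-45-6789"},
    {"id": 3, "sender": "bob@hospital.example", "recipient": "it@hospital.example",
     "encrypted": False, "attachment": None, "text": "MRN 00555555 chart ready"},
    {"id": 4, "sender": "bob@hospital.example", "recipient": "friend@webmail.example",
     "encrypted": False, "attachment": "scores.xlsx", "text": "game results attached"},
]

# Identifier patterns used for the example; a real deployment would tune these
# to the organisation's own MRN format and add context checks to cut false positives.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\s*\d{2}/\d{2}/\d{4}\b", re.I),
}

def phi_indicators(text):
    """Names of the identifier patterns found in the message text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]

def is_external(msg):
    return not msg["recipient"].lower().endswith("@" + INTERNAL_DOMAIN)

def classify(msg):
    """Return (verdict, indicators); 'escalate' means PHI leaving the network in the clear."""
    hits = phi_indicators(msg["text"])
    if not hits or not is_external(msg):
        return "allow", hits        # no identifiers, or internal delivery
    if msg["encrypted"]:
        return "log", hits          # PHI to an outside party over an encrypted channel
    return "escalate", hits         # PHI to an outside address, unencrypted

def privacy_officer_report(messages):
    """Records to hand to the privacy officer, one per escalated message."""
    report = []
    for m in messages:
        verdict, hits = classify(m)
        if verdict == "escalate":
            report.append({"id": m["id"], "sender": m["sender"],
                           "recipient": m["recipient"],
                           "attachment": m["attachment"], "indicators": hits})
    return report
```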

Further complicating matters is the wide distribution of doctors' offices around the metropolitan area, making it difficult to manage what everybody is doing. And we have doctors' offices that are loosely affiliated with the medical center although they are not our employees. We can't go in and dictate what they do, but we have to protect the PHI they're handling because they're treating our patients in our hospitals.

During the first two weeks of the risk assessment, we discovered rampant instant messaging use, despite policies prohibiting it. One of the biggest challenges with instant messaging traffic is stopping it: instant messaging clients reconfigure themselves automatically to find ways out through a firewall. The software showed exactly which PC on our network was using IM and the exact IP address of the server it was talking to on the Internet, so we were able to block that server at the firewall.

For the medical center, this sort of activity represents today's biggest security risk: the behavior of our own employees within our organization. Now, after taking a proactive stance, we are completely confident that if anything occurs that's against our policy, we'll know about it. Our risk management software has really helped us tighten up the edge of our network, and if anything does squeak past, we'll know about it right away. The risk assessment also provided alarming data about just how much the URL filter was missing. Our users were routinely going to Web sites for sports, entertainment, and gaming despite policies against visiting those types of sites.

In the year since Vericept's software has been installed, we've been able to discover employees who have attempted other methods to get around our security to do the things they want to do. The software has provided us the confidence that our network could not be a conduit for the most malicious and reputation-damaging activities, such as pornography or identity theft. Lastly, armed with reports generated by the software, we've been able to analyze productivity by comparing actual Internet traffic with what should be required for the job. This has allowed us to avoid surplus hires and given the HR department the documentation necessary to intervene before employee situations reach the crisis stage.

Pete Statia is information security engineer at a major southeastern medical center that consists of a 500+-bed hospital, two smaller hospitals, two large physician practices, and 6,000 users.