New Healthcare. New Security.
The changing requirements of the New Healthcare extend far beyond operations and planning. Hospitals large and small are being forced to reexamine their security postures in response to new regulations (like the HITECH Act) and increased scrutiny around data breaches. Long gone are the days when breaches could be dealt with discreetly; nowadays, they are national events that can linger in the public’s mind for months, or even years.
With all this increased attention, how can those who handle sensitive Protected Health Information (PHI) properly secure, manage and analyze it? A well-known set of best practices has evolved around these tasks, and resourcing departments are increasingly aware of how they expect their data to be treated. When a data breach occurs, everyone is responsible. Therefore, it is in the best interests of hospitals and vendors to prevent it.
Security Checklist. How Secure is Your PHI?
When assessing a security position, there are both physical and virtual considerations. For example, it may make sense that all data should be kept “physically secure” (behind locked doors, password-protected); after all, many breaches are in fact due to social engineering and stolen property. But far too often, this is not the case. PHI on laptops, unlocked doors and portable thumb drives can be a recipe for disaster.
The network architecture used to store and access PHI is equally important. Upon review, most security experts specifically look for the following attributes:
- Three-tiered architecture (data, application, display)
- Strong separation of these tiers in different subnets or VLANs
- Use of reverse-proxies to shield the existence of inner architecture
- Automated monitoring of PHI data access
- Encryption or protection of sensitive information both at rest and in transit (e.g. if you *must* place PHI on a laptop, ensure that the hard drive is encrypted. Serve web traffic over SSL)
iVantage is aware of these increased requirements and is firmly committed to being on the vanguard of PHI security. We have made two major improvements to ensure that we continue to provide a reliable, highly secure environment for our users.
First, we have relocated our production servers to an Equinox data center. While this was prompted by a desire to be both internally scalable and externally secure, it was also undertaken to provide iVantage with the data center security profile of a Fortune 50 company:
- SSAE16 SOC 1 Type II compliant
- Utilizing the largest Internet peering point in North America
- Nine of the top ten global content delivery services located on site
- Extensive physical safeguards (biometric palm scanning)
- Fully redundant infrastructure (power, fiber, hardware)
Second, we have begun transitioning to a Virtual Desktop Infrastructure (VDI). This enables us to log in remotely to our data center and work as we normally would, with the added benefit that no sensitive PHI data physically resides on our desktops or laptops. It will also enable us to better centralize and more tightly manage data authentication, permissioning, storage, backup and disaster recovery.
With all the changes brought on by the New Healthcare, security breaches are some of the biggest challenges and they’re everyone’s issue. New data security standards and new expectations for vendors are driving the need to be physically and architecturally secure. It’s not enough to just assume that your data is secure; the stakes are simply too great.