Ebola: Protecting Patients, DataVirus Outbreak Points to Need for Best Practices
As concerns grow about preventing the spread of the deadly Ebola virus, healthcare organizations are not only faced with the prospect of testing and treating victims, but also maintaining their privacy and security.
Some U.S. healthcare CIOs and CISOs tell Information Security Media Group they are ready to put to use the privacy and security best practices their organizations have implemented in other high-profile, highly sensitive, potentially dangerous or unusual circumstances.
Those practices include implementing physical safeguards; using monitoring technology to prevent and detect unauthorized records access; educating staff about privacy rules; and devising ways to securely share pertinent data that with public health and other authorities.
Facing a Crisis
Neither Emory Healthcare in Atlanta, which is treating two U.S. patients who contracted Ebola in Africa, nor Mount Sinai Hospital in New York, which is treating a suspected Ebola patient who subsequently tested negative, responded to ISMG's request for comment. But many other healthcare IT, privacy and security leaders offered advice and insights about handling crisis situations.
For example, John Houston, University of Pittsburgh Medical Center's vice president of privacy and information security, says the key to safeguarding patient privacy and data security during crisis situations, including potential epidemics and pandemics, is ensuring that strong privacy and security programs and practices have been implemented in the first place.
"If you have good security and privacy programs, it doesn't matter what the circumstances are," he says. Adjustments can be made as needed in special situations that build on existing, well-thought-out security and privacy programs and procedures, he says.
Protecting patient privacy in high-profile or crisis situations often requires physical access controls to restrict who can access a patient.
For example, when UPMC treats high-risk patients, they're often quarantined in rooms that require passcodes and special badges to gain entry, Houston says. The provider organization has used this approach, for example, when treating victims of gang violence.
Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, N.J., also suggests that the healthcare entities' security teams "have a physical presence in the area where you are treating the [high-risk] patients. Limit access to the area to only the necessary employees."
He notes, however, that organizations "need to consider who from outside agencies requires access and how they would obtain that access. Any security incidents would be reported to our Security Operations Center. The incident management team must have a security radio in their area to monitor any security incidents," Curran says.
Electronic Data Access
Healthcare CISO and CIOs interviewed by ISMG say there are typically no significant additional restrictions made to block electronic record access in high-profile cases, due to the potential disruptions in clinical workflow that could hinder patient care.
Rather, the focus at many healthcare organizations is on using audit logs and monitoring systems that generate alerts if unauthorized people access patient records. In addition, some healthcare organizations dealing with a crisis or high-profile patients provide reminders to the workforce about the consequences of inappropriate records snooping, including disciplinary actions and termination .
At UPMC, to help safeguard patient's record in high-profile or crisis situations, those individuals are added to the "VIP" list for records access monitoring and auditing, Houston says. Alerts are triggered and sent to supervisors when those patients' records are accessed, not only providing the ability of managers to respond quickly to "voyeuristic" access, but also serving as a deterrent. "People understand that audit controls are turned up," he says.
Jennings Aske, who was chief privacy and security officer at Partners Health when its Boston area hospitals were treating patients injured by the Boston Marathon bombing last year, says reviewing access logs is important.
"Staff who may not be involved in the care of the patient may be 'curious' and will access the health records of the patients," says Aske, who joined voice recognition software vendor Nuance as CISO earlier this year. "This is definitely a problem during visible events. Organizations should also remind staff via e-mail and other communication mechanisms during these scenarios about the importance of role-based access and patient privacy,"
In a crisis such as an Ebola outbreak, Cooper University Health Care's Curran says, "First we would activate our incident management team and follow the process we follow for any high-profile patient. On the medical record, that includes adding 'break the glass' functionality on the patient's record. While not preventing access to the record, 'break the glass' does force the user to provide a reason for accessing the record and to input their credentials."
Curran receives daily 'break the glass' reports listing "the users who broke the glass, the patient record involved and the reason." That's in addition to daily audits to pinpoint unauthorized access to patient records.
When Beth Israel Deaconess Medical Center treated 24 victims, and the two perpetrators, of last year's Boston Marathon bombing, the hospital not only faced the typical privacy scrutiny hospitals deal with, but was closely watched by law enforcement, said CIO John Halamka. The medical center placed a message at the top of its intranet for every staff member to see on every page, which included a warning about penalties for unauthorized patient record access and other privacy violations: "disciplinary action up to and including termination of employment."
"Of course many questions about who looked at what records and where was data sent, and was anything copied [or] changed [came up]," Halamka said in a recent interview with Information Security Media Group. "So you need very good network forensic tools" to track access and changes to records.
In addition to educating staff about privacy rules and practices, healthcare providers must ensure that staff members are aware of social engineering risks, Aske suggests.
Reminding staff to be vigilant against spear phishing attacks is particularly important, Aske says. "Healthcare entities involved in publicly visible patient care scenarios could be targeted by attackers. And, busy clinicians are unfortunately easy targets at times, given the importance of eemail in many hospitals/patient care scenarios," Aske says.
In addition to those concerns, security teams need to be prepared for an increase in network intrusions during a crisis, he says. That includes increasing the on-call staff to respond to network security events. "As we've seen with the denial of service attacks against Boston Children's Hospital, publicly visible patient care scenarios can lead to hacktivists attacking a hospital," he says.
Securely Sharing Data
While there is a need to protect patient privacy in a crisis, there is also often a need to securely share information with public health and other authorities.
The HITECH Act, for instance, requires hospitals to send syndromic surveillance data and reportable lab results to public health departments electronically, says Halamka of Beth Israel Deaconess Medical Center. The hospital uses the secure channels of a state information exchange for this purpose, he notes.
Curran of Cooper University Health Care says an important reason to have the IT team closely involved in crisis response is because "they will also be integral in creating quick access to the EHR for outside entities," such as local and state public health departments and the Centers for Disease Prevention and Control.
The Department of Health and Human Services' Office for Civil Rights issued two bulletins following Hurricane Katrina that address data disclosures in emergency situations. The guidance states that when there's a threat of imminent danger, "providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public - consistent with applicable law and the provider's standards of ethical conduct."
"We have not deviated from this guidance, which would hold true for any crisis situation like a pandemic," an OCR spokeswoman says.
The Department of Homeland Security, in conjunction with other federal agencies, has procedures in place to deal with security and potential bioterrorism related to Ebola, says spokesman Christopher O'Neil of the U.S. Customs and Border Protection, a unit of DHS.
"CBP and the CDC have worked in a collaborative interagency manner to develop policies, procedures, and protocols to identify travelers that are known by U.S. public health officials to have a communicable disease and to handle [these individuals] in a manner that minimizes risk to the public. These procedures have been utilized collaboratively by both agencies on a number of occasions with positive results," he says.