Medical Device and Electronic Security: What Should Your Practice Know?
As increasing amounts of data are stored in online accessible distributed databases, colloquially known as the "cloud," any breach of the security that guards these databases has potentially wide-ranging implications and could affect many individuals. Banking, insurance and now medical records are largely digital, and as long as aggregate access to this data remains possible, inappropriate access is a concern. In the past year, major corporations such as Equifax and Yahoo have announced data breaches, exposing internal and customer data.
To a large extent, the medical field accepts and operates in a lower security environment, and relies on the non-maleficence of individuals operating within the system. Patients with implanted medical devices have private data that is created and stored on the device, and may be vulnerable to unauthorized access, or worse, alteration of the medical device programming or function. The longstanding balance between availability and security breaks down when there can be continuous anonymous attacks to a system by potentially distant operators, such as with an imperfectly secured web portal for patient records, where there is little penalty and a great opportunity for attempted compromise of a system.
As physicians, practice managers and users of connected devices, what are we to do regarding electronic security and our medical practices? There are some very quick and common-sense steps to ensure quality and the balance of security, inconvenience and ensuring legitimate access.
The first is to understand your practice's security setup. Talk to your IT administration and ensure that basic consensus operations are implemented. For example, do office computers have hard drive encryption, preventing the hard disk from being removed and analyzed for passwords, patient or practice information? This can be implemented in a fashion that is transparent to the user. Talk to your device representatives and ensure that updates are pushed to all device programmers and that patches, if available, are given as an option to patients with devices that can be upgraded.
The second is to make sure that your own computer and device systems are up to date and continually patched. Even the simplest of office and electronic medical record systems needs to be actively managed and updated. Personal systems that are connected to the hospital network or contain any protected medical information must be kept up-to-date with all known exploits removed. Routers, computers and even connected devices should be continually updated with the latest firmware and fixes.
Finally, it is critical to use good sense when transporting or transmitting medical information in any form. Laptops that contain protected information must have strong encryption, in addition to any flash drives or portable storage. There are numerous free tools that IT professionals can help implement in all operating systems. Email should generally be regarded as insecure and vulnerable to interception during transmission although with modern programs the presence of end to end security is now indicated to the user and should be used if available. Keep in mind that even with encrypted transport, account administration at either end of email may generally access emails and records.
Security does not need to be, and should not be, an overzealous mission that becomes self-defeating. After a brief heyday of strict password-changing in the early 2000's, IT administrators ultimately realized that the enforced changing of passwords every few months does not actually improve security, as users will just write them down or increment one small aspect of the password. Similarly, requiring a difficult to remember and combination of odd symbols password is less important than ensuring adequate length of a password and prevention of commonly used words. In the physical world, placing everything in an office under a lock and key has the possibility of keeping legitimate users out, makes things difficult in an emergency and makes for an unwelcoming environment. The best fixes preserve this balance with local systems, while all online systems, or those widely exposed to the internet, must be given continuous attention and tight security.
This article was authored by G. Stuart Mendenhall, MD, FACC, FHRS, cardiologist at the University of Pittsburgh Medical Center.