TORONTO — Canadian health care facilities have built highly secure wireless systems – but don’t expect them to use them for anything involving electronic patient records anytime soon.
That was the consensus of the audience at a panel discussion Wednesday on overcoming challenges to wireless security at the 4th annual summit on wireless and mobile health care technology.
“We at Saint Elizabeth Health Care partnered with Ontario’s Smart Systems for Health to establish secure e-mail,” said Paresh Manek, director of technology at the home health care provider organization in Toronto. “We use the SSHA network as the basis for exchanging information securely. We got everything done, and after all the celebrations were over, six months later it’s collecting dust.”
Manek said the organization’s privacy officer shut it down, or at least confined its use to back office applications, because it is seen as too risky to exchange patient-related information among various facilities, although from an IT perspective, it’s as air-tight as it can be, he said.
“So today, even though we have the technology in place to go all the way to the RIM environment so our nurses out in the field will be able to get information securely, we can’t use it because we haven’t defined the right policies and the right protocols. We are stuck (trying to figure out) what kind of information we can send, what kind of information is not allowed, and who is authorized.”
Manek said no one has provided health care organizations with the parameters they need to figure out who can see what in terms of patient information. If a nurse is sent to a patient’s home for follow-up care after hip surgery, for example, does the nurse need to know that person has a history of violence or sexual aggression if it’s not related to the hip operation?
Until those issues are solved, he said, the electronic patient record will go nowhere.
Kim Dell, manager of infrastructure at Hamilton Health Sciences, agreed.
IT is trying to get to a better benchmark than what currently exists in the paper-based world in terms of wireless security, but IT has yet to be told what the standards for wireless security are when it comes to patient information.
“We’re continually asked ‘what are you doing and how secure is this data?’ And we’ll say, how secure does this data need to be? You need to tell me how secure it needs to be and then I can let you know how I can do that, but it sort of gets tossed back and forth between IT and the privacy officer,” she said. “Nobody really knows how secure it should be and what protections should be in place.”
As well, said Manek, patients have yet to be sold on the security of the systems. Patient surveys Saint Elizabeth has conducted indicate that while anywhere from 50 to 75 per cent of patients will consent to their information being stored electronically on site, that figure drops to less than two per cent when asked if that information can be shared among health care facilities – even with hospitals as well-known and trusted as Toronto’s Hospital for Sick Children.
“We find it is a lack of education, it is the fear of the unknown,” he said. “If you’re sharing my information with an organization, how will you prove someone who is unauthorized will not have access to it? How do we address that? We’re at a loss. We’ve done everything we can to let them know it’s a secure environment with top notch vendors who built it and SSHA managing it, and they say, yes, it is well and good — but not in my back yard.”
Another audience member said because provincial and federal privacy legislation provides guidelines, as opposed to strict practices, it’s impossible to know until it’s too late if an organization’s privacy practices aren’t acceptable. The health care community, he said is “in an environment of who’s going to get caught first. At some point, someone is going to be taken. Everyone’s hovering and it really ties IT’s hands.”
One of the steps health care organizations need to take in ensuring the security of their wireless networks is to make sure IT has a good grip on what constitutes normal traffic, advised panelist Darren Jones, associate director at risk management consulting firm Protiviti Canada.
Network managers also need to be on the lookout for rogue devices, he said, because they can make a network vulnerable to a denial of service attack, which could be fatal in a hospital environment where physicians are relying on information over wireless networks.
But that’s easier said than done, said one audience member, who noted that 90 per cent of the rogue devices on his organization’s networks belong to doctors, who simply unplug the hospital’s PCs and plug in their Macs, for example.
“We need tools that can automatically shut those devices down, and maybe they’re out there, but hospitals can’t afford to buy them, so we’re chasing our tail in a lot of different ways,” he said.
Jones said when his firm conducts surveys of wireless access points, barely one-third have the encryption enabled. Many health care organizations move ahead with wireless projects without first conducting risk assessments, which is a disaster waiting to happen.
“They rush to get the technology installed and they believe the loose ends will get cleaned up later.”
At the same time, advised panelist Tyler Lessard, technical alliance manager at Research in Motion, organizations need to keep in mind that there has to be a balance between security and ease of use.
“Make sure when you do put a solution in place that it can still be used by users,” he said. Devices such as BlackBerries and PDAs afford a lot of opportunity to improve patient care, he added, but doctors have to use them to enjoy those benefits – and they won’t if the security process is too cumbersome.
“As soon as that doctor has to log in through three screens to get to what they want, they say forget this, I’m going to go back to what I was using before.”
The conference wraps up tomorrow afternoon.