June 2008

Editor:
Raymond D. Aller, MD
Hal Weiner

Security safeguards: How to protect your laboratory’s data

“Laboratory data has always been valuable,” and private labora­tories are particularly vulnerable to security breaches, says security consultant Brad Smith. “It’s that free-standing lab that’s the target right now because it contains the lab values and the billing data, and that’s what they’re [thieves] after,” says Smith, a registered nurse and director of the Computer Institute of the Rockies, a Helena, Mont.-based school that offers computer security training and assessment. Hospitals are less vulnerable, he adds, because they are required by the Health Insurance Portability and Accountability Act to keep billing information separate from laboratory results.

Laboratories, in general, have done a good job of protecting their data, but they are becoming more vulnerable as they increasingly transmit data electronically to physicians, hospitals, and regional health information organizations, Smith says. “Now that we’re dispersing the data in more directions,” he continues, “that’s an area where we can have potential security problems.”

While computer hacking by an outsider is a major problem, Smith says employee theft has become an even greater issue. Two years ago, internal theft began to outpace external theft, he adds. “It’s your employees stealing from you.” This, Smith continues, is why job candidates should be subject to thorough background checks.

Laboratories too should have policies that define what employees can and cannot do with data, he says. The policies should state that the data are the sole property of the company and that those who violate the policies will be subject to prosecution. Employees should be required to sign such policies to acknowledge that they’ve read and understood them, Smith says.

Beyond those measures, Smith continues, there are technical and physical controls that can protect laboratory data from outside hackers and unscrupulous employees.

In particular, Smith recommends that laboratories hire someone to assess their security measures. The assessment will identify where their data are most vulnerable to attacks. The assessment should involve penetrating the lab’s Web site to try to access restricted information. It is reasonable to run as many as 5,000 attacks against a site to determine how secure it is, Smith says.

To maximize physical security, rooms that house system servers should be locked and offer only restricted access. Furthermore, employees’ computers shouldn’t be left unattended when non-employ­ees are in the area, Smith says. “It only takes a few seconds to place a device on the computer that will capture every keystroke typed,” he explains. “When the ‘patient’ returns, they remove the key logger and have all the passwords needed to compromise the facility.” If you must step away from your work area, lock your computer screen, he advises.

Laboratories should also remove from computers functionality for copying or extracting data, such as software to duplicate CDs. “Remov­ing the ability to write CDs doesn’t keep it [the computer] from being used to install software or read other CDs, it just removes the ability for some nefarious person to steal your data,” Smith says. And computers should be set up to require users to go through a two-part authentica­tion process to access data, he adds. A username and password aren’t sufficient to prevent unauthorized individuals from accessing information, he says. Instead the authentication process should include entering a password and undertaking another security step, such as swiping an encoded card or requiring identification through biometrics, such as a thumbprint or retinal scan.

Older wireless computer systems should be upgraded with better security because it’s easy to steal data sent through wireless channels, Smith continues. “Certain types of wireless take a matter of minutes to get into because they’re not built for the security,” he explains.

Health care institutions, overall, need to invest more money in sophisticated security systems, Smith concludes, because the need to protect data is only going to increase. Thieves may sell medical data on celebrities, he says, but what is equally, if not more, valuable is identity information on the average patient.

Novovision launches digital dictation system

Novovision is now offering NovoVoice, a digital dictation system that enables in-depth, location-free management of the entire transcription process. Users of NovoVoice can dictate and digitally capture complex reports, automatically assign voice files for transcription, and track all details of document production.

NovoVoice supports all voice-recognition systems compatible with Windows XP and higher. It provides transcriber work lists to prioritize documents for full-text transcription or review of voice-recognition files. NovoVoice is customizable to meet a full range of user preferences and the workflow of large and small user groups.

New AHRQ Web site focuses on health care innovations

The Agency for Healthcare Research and Quality has launched the Health Care Innovations Exchange, a Web-based repository of successful health care innovations. The repository (www.innovations.ahrq.gov) also includes descriptions of innovations that failed.

“Sharing information about important new developments in methods of delivering effective health care is typically a hit-or-miss process,” says AHRQ Director Carolyn Clancy, MD. “Such information exchanges often occur only within organizations, through conferences, and by chance over the Internet. AHRQ’s updated innovations exchange will encourage information sharing, reduce duplication, and save time and money.”

The Web site is being launched with 100 examples of innovations in the delivery of health care services and attempts at innovation. It will be updated every two weeks.

Users of the exchange can read articles and perspectives on creating and adopting innovations; read expert-generated commentaries on innovations; comment on specific undertakings; participate in topic-specific Webinars and discussions; and join online forums that connect innovators with the appropriate organizations.

HMS introduces public health surveillance system

Health Monitoring Systems has introduced its EpiCenter public health surveillance system.

The data analytics and networking software program is designed to help public health specialists identify new or emerging public health threats. It operates seamlessly with immunization registries, disease reporting systems, and other programs used in the public health environment.

EpiCenter is an open-source, Web-based application hosted by HMS. It can process and correlate multiple streams of data in real time. The system can be used to support local, state, and national investigations.

A community health surveillance feature combines syndromic surveillance, notifiable disease surveillance, and outbreak management. Health issues can be viewed down to a neighborhood level.

The application also details symptoms, such as a cough or fever, and can be used in tracking the outcome of an emergency department visit or hospital stay.

VeriChip marketing patient ID microchip

VeriChip Corp. has begun marketing to consumers its Health Link radio frequency-identification technology-based patient identification system, formerly called VeriMed. Initial marketing will focus on the South Florida area.

Patients using the Health Link system are implanted with a micro­chip that’s linked to their medical information. (See “Radio-frequency identification: coming soon to a patient near you?” CAP TODAY, November 2004, page 121.) The chip, which contains a 16-digit identification number assigned by the vendor, is placed underneath the patient’s skin between the elbow and shoulder.

Medical personnel obtain the identification number by scanning the patient’s arm with the VeriChip reader. They can then access the patient’s medical record by entering the number in VeriChip’s Web-based patient registry database.

RelayHealth buys vendor of revenue cycle software

The RelayHealth division of McKesson has acquired HTP, a vendor of transactions processing and revenue cycle management software. Terms of the acquisition were not disclosed.

The acquisition provides RelayHealth, a provider of connectivity services, with new front-end, pretreatment financial management services.

Contracts

Cortex Medical Management Systems has signed contracts for its Cortex Medical Billing System with the following health care entities:

• Western Pathology Consultants, Reno, Nev.
• Central Texas Pathology Laboratory, Waco
• Associates in Pathology, Wausau, Wis.
• Northwest Pathology, Bellingham, Wash.

McKesson has contracted to handle all billing and collections operations for more than 650 physicians associated with Lucile Packard Children’s Hospital, an academic medical center at Stanford University, Palo Alto, Calif.

EClinicalWorks has announced that it will implement its practice management and electronic health records software at 31 Unity Health Care clinics. Unity Health Care operates a network of community health centers in the Washington, DC, area.

Cerner has implemented Cerner Millennium health care information technology solutions at Tawam Hospital, Al Ain, Abu Dhabi, United Arab Emirates. Tawam Hospital is affiliated with Johns Hopkins and owned and operated by SEHA, the Abu Dhabi Health Services Company. The Cerner Millennium solutions will eventually link all SEHA facilities in Abu Dhabi, including 14 hospitals and more than 55 ambulatory and primary health clinics. Four SEHA hospitals and 12 clinics throughout Abu Dhabi will implement Cerner Millennium solutions before the end of next year.