Apr 22, 2014
Data Security: Securing Community Healthcare Data and Devices
Guest post by David Reynolds, IT systems manager, Rhode Island Blood Center.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.
Two of the three largest healthcare data breaches in 2013 involved stolen laptops:
– Four laptops stolen containing healthcare and other data affecting 4,000,000+ people
– Two laptops stolen containing healthcare and other data affecting 720,000+ people
– Patient records improperly disposed of by third-party vendor, total data affecting 275,000+ people
The third example is important because it shows the long arms of HIPAA regulations around data security, although currently these do not extend to blood banks. In this incident, even though the mistake was made by a third party, the healthcare organization was on the hook for the violation. This change to accountability is recent: in the 2013 Final Omnibus Rules Update, requirements were expanded to include business associates.
For me, this means if Rhode Island Blood Center data was breached by a contractor, volunteer or third party, it would be our responsibility. So I spend a lot of time ensuring we’re able to keep it secure.
Securing Healthcare Data – On and Off the Network
The ability to track and secure the laptops in our mobile environment is key. If I can’t connect with a device then I can’t do my job.
We chose Absolute Computrace because it met our need to maintain a connection with each device and because it allows us to track devices on or off our network – a necessity for our mobile environments.
Absolute persistence technology was the biggest selling feature. It’s built into the firmware of devices from most manufacturers and it ensures the software agent remains installed and active on each device. And it works.
After removing a hard drive from one laptop and installing it in another, we were amazed when the software agent automatically reinstalled. It’s the closest we’ve seen to a software solution that is indestructible – it was impressive.
Remotely Protecting Healthcare Data
The ability to connect with a device regardless of whether it is lost or stolen allows us to invoke remote security commands so we can properly protect the data that is stored on the laptops.
Since we began protecting our devices with this technology, we’ve deleted data from, and frozen, six devices. Four of these were stolen from Center locations. But because we were able to execute data delete commands immediately, none of our confidential data was compromised.
Given the rise in mobility through all areas of healthcare, along with the tightening of regulations, it’s reassuring to know that Rhode Island Blood Center devices and data are secure. While supporting blood drives, we are still able to protect our patients, donors, and the organization. I rest easy.
David Reynolds is the IT systems manager at Rhode Island Blood Center. Reynolds has 15 years’ experience working in the IT field supporting private sector, municipalities and healthcare organizations. Reynolds maintains a multitude of technical certifications and proficiency including CWNP, MCSE, MCSA, and CEH. He is a regular contributor and publisher to technical periodicals including CIO, Tech Target and Mass High Tech. He also served as co-chair for a National IT Conference for the blood banking industry.