Cisco Acquires Technology to Make Email Automatically HIPAA Compliant
Benign email messages are safe when sent from one healthcare provider to another over public systems. Messages with patient information must be encrypted or sent through secure VPNs or purely in-house email routes. Knowing when to use each is sometimes complicated, leading many healthcare workers to use secure methods every time, which can become unnecessarily expensive, slow or both.
In a recent interview with Cisco representatives Frances Dare and Terri Quinn-Andry, HCAR learned that new technology is available to analyze email messages before they are sent, searching for sensitive words. When language is found that potentially crosses HIPAA privacy regulations, software automatically reroutes the email through a secure path.
Ms. Dare is Director of Healthcare Practice at Cisco's Internet Business Solutions Group. Terri Quinn-Andry is the company's Security Solutions Manager. They described for us a company called "Iron Port Technologies," which Cisco acquired last year.
"More than any other space in healthcare," Ms. Dare explained, "I believe home care is one where HIPAA regulations overlay with security. We are talking with all constituents about the need to render data unusable. If a backup tape or laptop computer is stolen and hacked, the data should be unreadable. For many healthcare organizations today, that security aspect – data at rest – is already covered by encryption and other technologies that continue to evolve."
"There is also the consideration of whether data should be copied from a mobile device to a central server or removed from the field unit when uploaded," Quinn-Andry added. "There are multiple ways to make data secure today but, because of the nature of home health care, where worker and data are traveling all day, you have to make sure patient data is unreadable if a loss or theft occurs."
Once data-at-rest is secure, data-in-motion is the next step, both women agreed. "Encryption is the most-discussed safeguard but it is also important to know whether, after a transfer, the data remain on the mobile device."
Terri Quinn-Andry suggested home care agencies treat mobile computers almost like mobile servers. "Is there really a need to carry thousands of patient records around town on a laptop PC?" she wondered aloud. Ms. Dare added that it may even be worth considering dumb terminals in some mobile scenarios.
"We focus on the nurse in the home but it is just as important to look at the info as it leaves the laptop and goes to the server," Ms. Quinn-Andry added. "Data integrity is key in healthcare; it could mean life and death."
Following that thought, Ms. Dare continued, "Part of the conversation around encryption is that you cannot double-check data accuracy after it is encrypted and ready to transmit. At that point, you cannot be sure malware has not entered into it and that you are not sending more than you think you are to your central servers."
That is where Cisco's new acquisition comes in, they explained. Iron Port Technologies features a healthcare terminology dictionary. It flags certain words in an email message and decides whether to encrypt it based on the presence of potentially sensitive information. It knows whether an email is traveling over a private connection or the public Internet and, if necessary, stops the sending process and warns the sender of a potentially dangerous transmission.
"What this product does, in effect, is relieve a nurse from bearing the responsibility to make the decision whether a message must be encrypted before it is sent or not," Dare elaborated. "This is where privacy and security merge with human behavior. Sometimes, people do things without thinking, so now there is a safeguard that can think for them in certain situations."
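The routing logic described in the two paragraphs above (scan the outbound message against a healthcare terminology dictionary, then pick the delivery path from the transport in use) can be illustrated with a small policy engine. The following is an added example written for this article; it is not Cisco or IronPort code. The term list, the identifier patterns, the domain lists and the sample messages are all constructed, and the example assumes that "private connection versus public Internet" can be approximated by the recipient's domain.

```python
"""Outbound-mail content check and route selection (added example, not
the product's code). Everything below is a constructed illustration."""
import re
from dataclasses import dataclass, field
from enum import Enum

# Constructed healthcare terminology dictionary (assumption: the real
# product's dictionary is far larger). Matched case-insensitively on
# word boundaries so that e.g. "prescriptions" in a URL is not flagged.
SENSITIVE_TERMS = {
    "diagnosis", "prescription", "medical record number", "mrn",
    "patient id", "lab results", "chemotherapy", "date of birth",
}

# Constructed identifier patterns: a US-SSN-shaped number and an
# "MRN 123456" style record tag.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
]

# Constructed: domains reached over the organisation's private network.
PRIVATE_DOMAINS = {"clinic.example", "homecare.example"}
# Constructed: external domains with an encryption gateway configured.
ENCRYPTION_CAPABLE = {"partner-hospital.example"}


class Action(Enum):
    DELIVER = "deliver"              # no sensitive content, or private route
    ENCRYPT = "encrypt-and-deliver"  # sensitive content over the public Internet
    HOLD = "hold-and-warn-sender"    # sensitive, public route, no secure path


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Decision:
    action: Action
    matches: list = field(default_factory=list)
    reason: str = ""


# Longest terms first so multi-word phrases win over their sub-words.
_TERM_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in sorted(SENSITIVE_TERMS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)


def find_sensitive(text):
    """Return the sorted, de-duplicated list of dictionary and pattern hits."""
    hits = [m.group(0).lower() for m in _TERM_RE.finditer(text)]
    for pat in SENSITIVE_PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(text))
    return sorted(set(hits))


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def route(msg):
    """Decide how an outbound message may leave the organisation."""
    hits = find_sensitive(msg.subject + "\n" + msg.body)
    if not hits:
        return Decision(Action.DELIVER, [], "no sensitive terms found")
    domain = recipient_domain(msg.recipient)
    if domain in PRIVATE_DOMAINS:
        return Decision(Action.DELIVER, hits, "sensitive, but recipient is on the private network")
    if domain in ENCRYPTION_CAPABLE:
        return Decision(Action.ENCRYPT, hits, "sensitive over a public route; encrypting")
    # Nothing secure is configured for this domain: stop and tell the sender.
    return Decision(Action.HOLD, hits, "sensitive over a public route with no secure path to " + domain)


# Constructed sample traffic from a home-care nurse's mailbox.
SAMPLE_MESSAGES = [
    Message("nurse@homecare.example", "scheduler@clinic.example", "Thursday visit",
            "Can we move the 2pm visit to 3pm?"),
    Message("nurse@homecare.example", "records@clinic.example", "Update",
            "Patient ID 44812 has a new prescription attached."),
    Message("nurse@homecare.example", "intake@partner-hospital.example", "Referral",
            "Lab results and diagnosis for MRN 009812 attached."),
    Message("nurse@homecare.example", "friend@webmail.example", "FYI",
            "His date of birth is on the chart; SSN 123-45-6789."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = route(m)
        print(f"{m.recipient:40} {d.action.value:22} {d.matches} ({d.reason})")
```

The fourth sample is the case the interviewees care about: patient data addressed to a public mailbox with no secure path, where the safeguard holds the message and warns the sender rather than letting a distracted user decide.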
On a broader, policy level, Ms. Dare also described her work with Congress, trying to secure grant funding for data exchange investments. "There is a national aspiration for everybody to have access to Electronic Medical Records," she said. "In order to reach toward the common goal to have better care and fewer medical errors, these electronic tools need to be funded.
"I testified before the House subcommittee on Health and Energy that there needs to be a clear standard to say that if healthcare information is breached it must be rendered unreadable. In order to put such tools in place, there has to be funding to help healthcare providers acquire and implement them."
Data Security Challenges
Both Dare and Quinn-Andry agree that protecting critical assets within an organization is an ongoing systems process rather than simply a checklist of items to meet compliance requirements. Cisco has outlined four key areas to ensure that an organization's critical assets are secure:
1. Education: Identify what the business-critical data assets are and where those assets are located.
2. Operations (Process): Safeguard critical data while "at rest" and "in motion." Isolate access to those assets, and to the network segments where they reside, with a layered-defense approach.
3. Regulatory and Corporate Policy Compliance: Adopt a security program that focuses on safeguarding critical data and addresses government and regulatory compliance requirements such as Sarbanes-Oxley, PCI, and HIPAA.
4. Technology: Implement a solid security infrastructure and portfolio of technologies that satisfies the education, operations and policy steps.
Cisco has joined the "PCI Data Security Standards Council" with the goal of helping to evolve a security standard for the payment card industry in and out of healthcare. The company also participates as a board member of the HITRUST Alliance and actively participates in public policy discussions and Congressional hearings about data security advancements.
http://www.ironport.com