Security alert

The doctor-patient relationship might be sacred, but the Hippocratic oath doesn't automatically apply to data drives. MT works on its networking skills.

Earlier this year the UCLA Medical Center in California was forced to fire 13 of its employees for illegally accessing, and publicising, the medical records of tcelebrity Britney Spears, who had been treated by the facility.

The incident was a timely, albeit sensational, reminder to practices around the world just how seriously they should be taking network security.

Aside from the negative publicity received by UCLA, the Californian government subsequently passed new legislation that allows the state to hand down heavy fines to medical practices guilty of data security breaches.

While practices in the Middle East are typically more discreet than their American counterparts, it pays to take a proactive approach to ensuring the security of any network that houses sensitive information.

It only takes one high profile - or high volume - breach and your practice's name will be tarnished.

Global threats

Data security is already on the radar of local health authorities, states Mark Clark, director of e-health solutions for Hitachi Data Systems Europe, Middle East and Africa: "Most companies in the Middle East take a responsible approach to data security because they have been made to follow guidelines that have been lifted from bodies such as the National Health Service (NHS) and Food and Drug Administration (FDA)," he says.

It is sign of how seriously the medical profession now takes IT security that the Middle East's health ministries are taking notice.

Nevertheless, in the fast-moving world of technology there is rarely a good time to rest on your laurels.

"You need network security for a number of areas nowadays - it is not just between your departments," explains Clark. "Now you need it for between hospitals, in between providers, and sometimes in between different countries."

The globalisation of medicine has brought with it even greater security challenges. Ten years ago there was little likelihood of physicians sending patient data across the internet. Now, with international relations and fast connections it is truly possible to have 24-hour, global healthcare processing.

"With the advent of tele-radiology, for example, the need for security when sharing data is so much more prevalent," explains Clark. "And obviously when you are sending personal clinical data from country to country it is more important than ever to make sure it can't be intercepted or tampered with."

Mobile menace

In medicine, accidents do happen. In medical IT, however, it seems that they can happen with alarming frequency. Recent stories in the British press revealed that more than 1,300 data security incidents have been reported since January 2007, with four NHS trusts in five admitting to have lost patient data. The figures are worrying considering that most countries would consider Britain to be a leading nation when it came to technological security.

One of the main reasons for the high number of security incidents has been the significant increase in connectivity. When a network was simply five computers in the same hallway it was easier to control the access points.

Now that physicians are moving towards having remote and mobile access to their patients' data it has become a lot easier for files to go missing.

Handheld technology, in particular, has been a guilty partner in data lapses. IT managers should take every step to ensure that mobile medical devices have the maximum security protection possible, says Khaled El Emam, an associate professor at the University of Ottawa and the Canada Research Chair in electronic health information.

"If there is a lot of personal information on these devices then the minimum should be that the drive has full encryption," he says. "If you don't have that you will be walking around with unguarded personal health information."

User errors

With a medical IT system it can be tempting to think that all you have to guard against is human error: a data loss would be embarrassing for patient and practice alike, but it is not as if medical records are under any serious security threat. The problem with that attitude, says Mark Clark, is that it doesn't really stand up to scrutiny if someone does act maliciously.

"There is no great evidence that people are desperately trying to get at this data, but any security breach would be such a serious incident for both doctor and patient that it is crazy not to try and protect yourself."

One of the most overlooked areas of network security is the humble USB port, according to Andrew Clarke, the international senior vice-president at data security firm Lumension Security.

Clarke argues that companies are prepared to spend substantial sums on peripheral IT security, but often ignore the damage that can be done by single users.

"With today's technology someone can take sensitive data off a laptop with a USB stick, or they could even upload a virus. [You have to] control the input and output of users," he says.

Lumension has recently been contracted by an NHS trust to develop a ‘whitelist' of devices that can access its network. Any unsanctioned device would be immediately blocked by the system.

Throwing the book

It is clear that regulators are getting increasing frustrated with data breaches and are looking at ways to place more responsibility on the medical industry.

In the UK, compliance with data security standards could soon be a contractual requirement for GPs. In a circular to primary care trusts, NHS chief executive David Nicholson said: "Each practice is legally responsible for holding data securely and we are looking at the national contract and considering how best to secure compliance through contractual means in the future."

Where the British go, the Middle East often follows, says Mark Clark. It is not unimaginable to see the region look towards tougher legislation surrounding network security.

"Security is pretty tight at the moment across healthcare, but with the ability for people to transport information there is a much greater risk that individuals can misplace data," he says. "One of the things that the Middle East's regulators might consider is going for stricter penalties for data loss."

READERS' COMMENTS

MORE FROM ARABIANBUSINESS.COM