Information technology (IT) systems—including hardware, software, and related systems—are far from foolproof, and dependency on them is frequently rewarded with an ill-timed outage. Even large organizations such as airlines, the stock exchange, and the federal government experience occasional computer issues.
In the course of working in healthcare IT for well over a decade, I have seen my share of IT problems. I eventually developed a list of the most common IT threats to healthcare facilities—the “Dirty Dozen.” Most of these issues are so fundamental that they are akin to a bank putting a sign on the front door at night, saying “the door is open and the safe is unlocked.”
Addressing the risks below will go a long way toward ensuring that your IT systems are up and running so you can take care of patients. Failure to address these issues not only puts your medical facility at operational risk; in virtually every case it also represents a potential HIPAA breach. If lost productivity is not a motivator to take action, then consider that the maximum fines for a HIPAA breach increased in 2009 from $25,000 to $1.5 million.
Unsupported, unpatched operating systems
All software, and especially operating systems, need frequent updates to add new features, to handle “bugs” or glitches, and to address ongoing security threats. In the most popular operating systems, the updates are so common that many organizations establish a weekly “patch day,” when new updates and security patches are implemented. In virtually every healthcare environment I have evaluated, however, one or more systems are found to be unpatched.
A virtual tsunami threat is coming in April 2014, when Microsoft will no longer provide any updates for Windows XP, a system used on approximately 30 percent of all desktops and laptops. IT bad guys—those who write malicious software such as viruses, Trojans, and worms—know this fact and are just waiting for this Windows XP “window” to open. Windows XP is more than 10 years old, and in April 2014 it will turn from just a very old operating system to a virtual virus magnet.
Out-of-date or missing antivirus software
No combination of hardware, software, and network security has yet been developed that is entirely foolproof except one: turning the computer off and disconnecting it from the network. At last count, the computer security firm Symantec had identified more than 23 million viruses. There is a technology arms race between the bad guys (virus writers) who want to destroy systems and good guys (information security geeks) who attempt to protect them.
That’s why antivirus systems must be updated constantly. Unfortunately, in healthcare environments it is all too common for one or more systems to have faulty, out-of-date, or missing antivirus software. A poorly protected laptop or workstation can have the same deleterious effect on other systems as a patient with a staph infection can have in a hospital, creating a contagion.
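The two hygiene problems above (an operating system past vendor support or behind on patches, and antivirus that is missing or has stale definitions) are easy to find with a routine inventory audit. The following is an added example, not code from the article: the patch-age and definition-age thresholds and the sample hosts are assumptions, and the end-of-support table holds only the Windows XP date the article refers to.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-support dates; Windows XP's (April 8, 2014) is the one the
# article refers to. Maintain this table from vendor lifecycle pages.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

# Assumed thresholds: a weekly patch day means no host should lag a month,
# and antivirus definitions older than a week are effectively out of date.
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_DEFINITION_AGE = timedelta(days=7)

@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    av_definitions: "date | None"  # None means no antivirus is installed

def audit_host(host, today):
    """Return the hygiene findings for one host (empty list means clean)."""
    findings = []
    eol = END_OF_SUPPORT.get(host.os)
    if eol is not None and today >= eol:
        findings.append(f"{host.os} unsupported since {eol.isoformat()}")
    if today - host.last_patched > MAX_PATCH_AGE:
        findings.append(f"not patched for {(today - host.last_patched).days} days")
    if host.av_definitions is None:
        findings.append("no antivirus installed")
    elif today - host.av_definitions > MAX_AV_DEFINITION_AGE:
        findings.append(f"antivirus definitions {(today - host.av_definitions).days} days old")
    return findings

def audit_fleet(hosts, today):
    """Map host name -> findings, listing only hosts that need attention."""
    report = {}
    for host in hosts:
        findings = audit_host(host, today)
        if findings:
            report[host.name] = findings
    return report

# Constructed sample inventory, audited one week after XP support ended.
AUDIT_DATE = date(2014, 4, 15)
SAMPLE_HOSTS = [
    Host("frontdesk-1", "Windows XP", date(2014, 3, 1), date(2014, 4, 1)),
    Host("exam-2", "Windows 7", date(2014, 4, 10), None),
    Host("billing-3", "Windows 7", date(2014, 4, 12), date(2014, 4, 14)),
]
```

Feed it the inventory your management tool already exports and the report is the list of machines to patch, replace, or reprotect before the next review.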
Poor security authentication
Using weak usernames and passwords is a big problem. Because healthcare computers (or even jobs) are shared among multiple people, passwords such as “Nurse1,” “FrontDesk,” or “Billing” are common. Sometimes this is done to avoid licensing costs, sometimes it is done because of ignorance, and sometimes a facility will request it to avoid having to call IT every time staff turnover occurs. None of these is a legitimate excuse, and this is such a major issue that even the most cursory HIPAA assessment would show this as a giant red flag.
Unsecured wireless networks
Like many computer components, wireless (WiFi) gear comes from the factory with default settings and security. Most IT installation companies forget (or don’t know how) to properly secure these systems, leaving them vulnerable to the most basic hacking skills.
For many years, the most common WiFi encryption protocol was WEP (Wireless Encryption Protocol). However, it has been compromised and, although it is technically a form of encryption (and therefore technically satisfies the HIPAA requirement for encryption), it is no longer considered acceptable.
No data redundancy, backups
I have seen every conceivable form of “data redundancy” system available, including systems that not only were not redundant, but that also increased the likelihood of data loss by five times. Even some systems that are theoretically properly designed for redundancy and backup may not be configured properly. In one medical practice, the data backup job had been “hung” for 10,000 hours, or well over a year.
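A backup job that has been "hung" for 10,000 hours is only invisible if nobody checks the job history. The script below is an added example, not from the article or any backup product: it parses a constructed job log (the line format and the "now" timestamp are assumptions) and flags jobs that are hung, have no recent success, or failed on their last run.

```python
import re
from datetime import datetime, timedelta

# Constructed sample backup log; the ehr-nightly job started and never finished.
SAMPLE_LOG = """\
2012-03-14 02:00:00 job=ehr-nightly event=started
2012-03-14 02:41:10 job=ehr-nightly event=completed
2012-03-15 02:00:00 job=ehr-nightly event=started
2013-05-01 02:00:00 job=pm-weekly event=started
2013-05-01 02:05:00 job=pm-weekly event=failed
"""

# Assumed evaluation time: exactly 10,000 hours after ehr-nightly last started.
NOW = datetime(2013, 5, 5, 18, 0, 0)
LINE_RE = re.compile(r"^(\S+ \S+) job=(\S+) event=(started|completed|failed)$")

def parse_log(text):
    # Each event becomes (timestamp, job, event); unparseable lines are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events

def assess_backups(events, now, max_runtime=timedelta(hours=12), max_age=timedelta(days=2)):
    """Return {job: [findings]}; healthy jobs are omitted from the report."""
    by_job = {}
    for ts, job, event in sorted(events):
        by_job.setdefault(job, []).append((ts, event))
    report = {}
    for job, evs in by_job.items():
        findings = []
        last_ts, last_event = evs[-1]
        if last_event == "started" and now - last_ts > max_runtime:
            hours = int((now - last_ts).total_seconds() // 3600)
            findings.append(f"hung: running for {hours} hours")
        successes = [ts for ts, ev in evs if ev == "completed"]
        if not successes:
            findings.append("no successful backup on record")
        elif now - successes[-1] > max_age:
            findings.append(f"stale: last success {successes[-1].isoformat()}")
        if last_event == "failed":
            findings.append("last run failed")
        if findings:
            report[job] = findings
    return report
```

Run it from a scheduled task and alert on any non-empty report; a redundancy design is only as good as the last verified successful run.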
Portable media and laptop security
Most reported HIPAA breaches result from users storing data locally on laptops, USB drives, and other portable media. Most postmortem articles on these breaches state that the facilities attempted to deal with the problem by implementing encryption, increasing employee training, and beefing up written user policies. However, the proper way to deal with this issue is to set up IT systems that make this user behavior both impossible and undesirable.
Poor user training
Most HIPAA breaches—indeed, most IT issues in general—are caused directly or indirectly by user issues. Many of the items on this “Dirty Dozen” list are enabled or caused by users who are doing something either incorrectly or inappropriately. Most facility managers just assume that employees know how to use computer systems. However, a little user training goes a long way toward reducing many computer issues.
Old, out-of-date, out-of-warranty systems
Most computer systems become obsolete very quickly. According to Moore’s Law (named after Intel cofounder Gordon Moore), computer capacity roughly doubles every 2 years. Most computer systems have just 3-year warranties, yet healthcare facilities commonly keep systems for 4 to 7 years or longer.
Not only are these old systems underpowered, but their components may frequently fail, leading to costly downtime—and even potential data losses. Squeezing extra life out of computer systems is risky.
Lack of employee computer use policies
HIPAA security regulations—as well as IT best practices—dictate the development and use of employee computer use policies. Facilities should enforce the idea that “PC” doesn’t stand for “Personal Computer,” it stands for “Practice Computer.” The practice will be held liable for virtually any use of its computers by its employees, so it should develop very strict policies on how company computers should be used. The policies should be very explicit and should be communicated both to new hires and periodically reinforced to existing employees.
Email scams, hoaxes, phishing
Virtually everyone has received at least one version of the “Nigerian widow” email scam and knows to avoid it. However, these scams are becoming more sophisticated and now include targeted email campaigns known as “spear phishing.”
For example, a medical practice manager who routinely gets emails from insurance companies or clearinghouses receives an email with “recent claims denials” as a header and an attachment that contains a virus. Everyone should be wary of clicking on links or attachments contained in emails.
Inept/untrained IT support resources
IT is a “black hole” to most users. It is very difficult for users to determine the skill set and background of their IT support provider(s). I’ve heard people say, “Our IT guy worked for 10 years at NASA. He’s great!” The question is, what did he do at NASA? If he was a network engineer, chances are he knows little about servers and storage. If she was a server system administrator, she probably knows next to nothing about networking.
Medical practices need support personnel with the proper experience and background to handle all of the practice’s IT needs. Although qualified IT personnel may be difficult to find, it is possible, especially if the practice seeks IT resources that have the relevant certifications and experience. Ask IT providers how many times they have done the procedure they are recommending. Ask them how this project compares to other projects they have completed. If this is the biggest project that they have actually done, the practice becomes an experimental IT patient—not a good position to be in.
Data on workstations, laptops
Because practice IT systems are so hard to use, users frequently copy data from practice management and EHR systems and work on it on a local drive, such as a laptop or desktop. Many of these users are management level and have access to the entire system. They may copy reports, letters, and other files. When a breach happens, which it inevitably does, the numbers—especially as they relate to penalties and fines—are truly frightening.
Take it to the next step
Although these are among the most egregious problems with healthcare IT, they are not the only ones. I’ve continued to add to this list, and now am up to a “dirty 30.” In upcoming issues of AAOS Now, I’ll review more of these healthcare IT hazards.
Marion K. Jenkins, PhD, FHIMSS, is the executive vice president, healthcare for 3t Systems, an IT services company; he also serves as adjunct faculty at the University of Denver Graduate School.