On June 20, 2005 the California Department of Managed Health Care fined a division of Kaiser Permanente $200,000. The nation's largest non-profit health insurer had begun a test program in 1999 to make medical records of some of its members electronically available to its physicians. The test also allowed Kaiser members access to their own records over the Internet.
The problem was that the public Web site included confidential patient information, which violates a state law called The Notification of Risk to Personal Data Act. It also violates HIPAA, the Health Insurance Portability and Accountability Act, which went into effect across America on April 14, 2005. The federal law carries penalties of up to $250,000 in fines and jail time of up to 10 years.
The news represented an event Charles Bondurant has worked hard to avoid. Bondurant, the CIO of Meadows Regional Medical Center in Vidalia, Georgia, says his 100-bed hospital cannot afford that kind of fine. So he outsourced his network security to protect the hospital's data as well as its financial health.
Testing new software is just one way hospitals can get into the crosshairs of these new laws. Another way is theft of data or equipment. On March 28, 2005 the San Jose, California District Attorney filed charges against a former branch manager at the San Jose Medical Group. Joseph Harris stole two computers and a compact disk that contained 185,000 patient records. To date this is one of America's largest cases of personal data theft; the ChoicePoint incident (where the credit card company sold the data to thieves posing as a legitimate business) only involved the personal information of 145,000 people.
Complying with the Law
Bondurant says when Congress passed HIPAA his staff of 11 assessed the new requirements. The IS department determined it could handle every issue except the security rules, which require stringent data security and a business continuity plan. "We knew we couldn't meet the deadlines, given the work effort involved and the short time frame," says the CIO.
Meadows Regional, which has been healing Georgians since the 1960s, is not new to outsourcing. The hospital already outsources its IT infrastructure. So Bondurant asked his trusted outsourcing partner if they could suggest an outsourcer who specialized in healthcare data security. They suggested Perimeter Internetworking.
First, Perimeter sent a consultant to do the required security analysis. She identified a number of issues for the organization. "She helped us patch the holes," says Bondurant. Next, the Perimeter consultant prepared a comprehensive business continuity plan, which Bondurant's department will test on its own.
Why the Firewall Is Crucial to a Hospital
Feeling comfortable with Perimeter, the hospital chose to outsource its firewall to the supplier, a step the hospital had been planning before HIPAA compliance made it a necessity. "Now they deal with all our data threats," says the CIO.
Outsourcing the firewall is crucial to hospitals because "stuff that comes through the Internet can bring our network down," notes Bondurant. Today hospitals are much more computerized; data networks are the repository of all of a patient's records (medical, insurance, and financial), which makes them the central nervous system of the hospital. For example, radiologists often send film to physicians over the network. "If the network is down, we can do business, but not very efficiently," says Bondurant.
Perimeter monitors the firewall for Meadows in two ways: it keeps the hospital's data safe while it resides in the hospital by keeping out unauthorized users, and it ensures all patient data is safely transmitted outside the hospital (one of the reasons Kaiser got into trouble). For example, when a hospital department sends clinical results to a physician over the Internet, the results are encrypted.
For other healthcare clients Perimeter can also provide what is called "security in the cloud"--all data out of and into the hospital passes through Perimeter's infrastructure first. If there is a problem, the supplier can turn on its solution in the cloud, inconveniencing its buyers as little as possible.
Why the Hospital Outsourced Its Firewall
Outsourcing was the best route because no one in the IS department had the time or expertise to spend a significant portion of their day monitoring the data logs, nor could they do it as efficiently as Perimeter, which has a network operations center that monitors over 3,000 devices, according to Richard Dobrow, Chief Security Officer for Perimeter. Bondurant says on one occasion Perimeter discovered a problem before both the hospital and its ISP even had their first clue.
In addition, Bondurant says he would be challenged to find the right talent to do this in his geographic region. The medical center is located in a rural area 90 miles from Savannah. "Typically, data security experts don't want to live in the country. To get the top talent I need, I have to outsource some portion of the process," says the CIO.
He says the local technical college can provide entry-level talent. "But when it comes to managing the firewall with all its complexities, we needed experienced talent."
Dobrow says Meadows General is typical; most hospitals don't have the financial resources to provide the necessary data security. "Healthcare providers are sensitive to IT capital costs," points out the Perimeter executive.
Staffing to monitor the network 24/7 can also be a challenge. A typical account needs at least four people for proper monitoring, according to Dobrow. Hospitals would rather have a stand-up MRI machine than cutting-edge infrastructure and security technologies. Dobrow estimates a hospital would have to spend at least $20,000, and that would only buy "mediocre architecture." He says the state-of-the-art infrastructure outsourcing suppliers use is cost-prohibitive for small hospitals.
And then there's the cost of the process. Employing economies of scale, Dobrow says Perimeter can save its hospital clients between 80 and 85 percent of the cost of "doing this properly in-house."
Dobrow says the supplier, which also specializes in financial institution data safety, has seen a "big jump" in interest in its medical data security solutions in the last six months, no doubt because the price of not complying with the new laws is daunting. Dobrow says healthcare as an industry has been a late adopter of security technology. But now, with more and more information being computerized, they realize some things are better outsourced.