The Boston Globe 09.12.2014
Laptops, smartphones, and tablets are revolutionizing health care, helping doctors better connect with their patients and giving health workers almost instantaneous access to medical information. But new technologies bring new risks, a lesson that Beth Israel Deaconess Medical Center officials were reminded of last month, when they reached a $100,000 settlement with the attorney general’s office regarding the theft of a laptop containing personal information of thousands of patients and health care workers. Hospitals should see the settlement as an opportunity to reexamine how they protect patient data, and to begin moving more of it into secure cloud applications.
The case arose from an incident in 2012, when a doctor’s laptop was stolen from his desk. The attorney general’s office contended that the hospital’s lax security put sensitive information at risk. Beth Israel, for its part, has gone to great lengths to ensure that all of the computers the hospital buys are encrypted, and that health care workers attest once a year that their own devices are encrypted as well.
That’s the wrong way to approach the problem. What patients care about is the safety of their personal information, not the safety of the device that a doctor uses to read their personal information. Protecting the data itself is the best way to ensure that patient records are safe. To do this, hospital networks should put all of their sensitive data online, and then ensure that it can’t be downloaded onto a computer.
For a practical lesson on how information storage in the cloud works, hospitals need look no further than Google Docs, Google’s popular online word processor. With Google Docs, a user can write, edit, and share a document online, without ever having to download a copy to his or her computer (although users have the option to do so, if they choose). If a hospital could set up a system in which all documents are well encrypted and online, and doctors and nurses read and update these records in the cloud, there is nothing for a criminal to gain by stealing a laptop or a tablet. Providence Health and Services, a major hospital chain, began switching to a cloud-based system after its own security breach in 2005.
Such a system requires security experts to ensure that the network storing the data is impenetrable. But that is much easier, and far more reliable, than chasing down and encrypting the thousands of laptops — many of different makes — that a hospital’s staff is using. More important, it will allow busy doctors and nurses to focus on caring for sick patients without worrying about implementing time-consuming security systems. Far better to invest in robust security now than to incur the costs of an insufficient one later — both in lost patient data and government fines.