The Publication for Professional
Security Management

Sick Kids Hospital moves ahead with encryption of patient data

Written by Patricia Pickett, April 29, 2009
The Hospital for Sick Children (SickKids) has taken steps to protect medical data housed on mobile devices by installing full-disk encryption software.

The move is partially in response to the highly-publicized January 2007 theft of a laptop belonging to a SickKids physician, and is the last of several steps the Toronto-based hospital has undertaken to comply with Ontario Information and Privacy Commissioner (IPC) Ann Cavoukian's March 2007 order for the hospital to encrypt its data, said Bob Spence, spokesperson for the Office of the IPC of Ontario.

SickKids is installing WinMagic Inc.'s SecureDoc encryption solution on more than 300 Windows laptops, and is also testing the software's newly-released Mac version. The hospital is also issuing MXI hardware encrypted USB keys to transfer confidential information. Spence noted that prior to the full encryption system being implemented, SickKids “has not been storing personal health information on mobile computing devices unless an encrypted USB key is used.”

Cavoukian applauded SickKids' move to deploy strong encryption on all of its laptops and USB keys. “In data-rich and mobile environments, securing personal information — especially sensitive personal health information — has become the default policy priority and a standard operating procedure,” she said.

In selecting an encryption solution, SickKids had to take into account its organizational complexity as well as its unique data security requirements, said Joseph Belsanti, vice-president of marketing for Mississauga, Ont.-based WinMagic, which makes SecureDoc, the encryption software the hospital selected. Patient information resides not only within notebooks and workstations, but also on USB thumb drives, CDs and DVDs.

The hospital's heterogeneous environment also complicated the situation, Belsanti said. Since it is a research organization, SickKids has a constant influx of interns, fellows and department heads who are using a variety of platforms and systems.

“The encryption solution needed to be flexible enough to deal with (Windows) Vista, NT, XP, as well as Mac environments,” while also taking into account future technologies such as self-encrypting hard drives and upcoming Opal specification drives, he said.

Data encryption is often a challenge in health care organizations where efficient care of patients is the highest priority, Belsanti said. “The problem is that there has traditionally been an inverse relationship between security and ease of use,” he said. “The more secure you make something, the more hoops you have to jump through to get access to data.” This can be frustrating for users who just want to provide quality care, he said.

According to a statement from SickKids, the hospital researched several full-disk encryption solutions and narrowed the list down to three options — SecureDoc, SafeBoot from McAfee Inc., and SafeGuard Device Encryption from Utimaco Safeware AG — which were then put through a proof-of-concept. The hospital tested each solution for high-level data protection capabilities, Windows compatibility and simplicity for the user, and the ability to unencrypt data, recover it and support security policy protocols. SickKids also looked at each product's client management and monitoring capabilities, auditing and reporting features and pre-boot authentication functionality.

SickKids said that in the end, SecureDoc won out for its ability to integrate with the hospital's technical environment, as well as its central management feature, which determines who is allowed to access keys that in turn provide access to information. The hospital also liked the fact that the software can run transparently in the background, giving medical staff easy access to encrypted information.

There are three ways SecureDoc works in a health care organization, said Belsanti. In the first scenario, if an encrypted device is lost or stolen outside of the hospital building, the breach does not have to be disclosed. “The drive has been encrypted sector by sector, and all of the information, including file names, are protected,” he explained.

Secondly, the software protects information on a device that has been lost within the confines of the hospital building. For example, if a doctor accidentally leaves an encrypted USB key in another ward and someone else picks it up and plugs it into a computer to try to find out what's on it, that computer will go back to the server to check if the user has specific permission to access the information. Meanwhile, the owner of the lost device will automatically receive a text message regarding the device's location, Belsanti said.

Third, SecureDoc helps make information sharing easier for staff who work in the same ward or who are collaborating on a project. “If they are part of the same team and are supposed to have access to the same information, the software automatically provisions the encryption key so they have access transparently without doing anything,” Belsanti said. “This keeps productivity levels high.”

While encryption is essential for health care organizations, Cavoukian pointed out that it is not the be-all and end-all of data security. As stated in her 2007 health order, hospitals must also implement other technical, administrative and physical security measures, including:

•   a hospital-wide endpoint electronic devices policy, applicable to both desktop and portable devices;
•   a comprehensive corporate policy prohibiting removal of personal health information from premises;
•   a privacy breach protocol/policy; and
•   education and training for staff members, researchers and clinicians.

“Good data security, like privacy, requires a holistic and iterative approach,” said Cavoukian. “Build both into the very design and architecture of your operations if you want peace of mind.”

Last modified on June 30, 2009
