Children’s hospital tightens security for patients
By Vawn Himmelsbach
The Internet has become an integral part of our health-care system, both for patients and staff, but it’s also introduced myriad security and privacy concerns — as demonstrated recently by several high-profile breaches that made national headlines. Hospitals and health-care facilities are now faced with channeling resources toward more efficient health care, while having to worry about data security breaches and Web threats.
The health-care system is based on trust, and for the Children’s Hospital of Eastern Ontario (CHEO), this is particularly important because of the age of its patients. “We have to have top-notch security that drives that trust,” says Tyson Roffey, CIO of CHEO, an academic pediatric hospital affiliated with the University of Ottawa that provides treatment, diagnostic and laboratory services for children and youth up to 18 years. “[Families] need to be able to trust that information captured electronically is not being shared.”
Being a pediatric hospital, it’s responsible for protecting all sensitive and confidential patient information, but employees also need to access that information quickly and easily. This is a delicate balancing act, since many of its programs — from mental health to autism to outreach work — don’t live within the four walls of CHEO. And there are no rules around trust. “You could lose it faster than you could ever gain it,” says Roffey. “It’s the lens we use most often — everything we do electronically needs to hold that same level of trust people have today.”
So CHEO has invested in Websense’s Web Security filters and security solutions to promote safe and responsible use of the Internet, ensure only authorized access to health records and make more efficient use of bandwidth, as well as gain insight into how the Internet and intranet are being used. As a result, CHEO is able to provide free Internet access to patients and their families — which has become an important communications tool, particularly for children, who can feel isolated while in hospital.
CHEO, for example, participates in a program called Upopolis, which was created by the McMaster Children’s Hospital Child Life Team in collaboration with Telus and Kids’ Health Links Foundation. Upopolis is a secure online social networking tool for children in hospital care, which includes a personal profile, secure mail, instant chat, discussion boards, personal blogs and links to child-friendly games. It also features a homework site to help them keep up-to-date with school, as well as links to child-friendly health and wellness information, such as different diagnoses, treatments and equipment.
“It’s essentially a safe Facebook for kids that are prepping for surgery,” says Roffey. “Upopolis has chat features, for example, with kids from other hospitals who have similar diseases.” CHEO has child life specialists who manage this tool, as well as the use of computers with certain patient populations. By using Websense, they’re able to offer access to all social networking tools, including Facebook — only they’re more closely supervised from a technology perspective.
At the same time, the medical community also needs access to the Internet, but for different purposes. A urologist, for example, researches parts of the body that may be filtered by an overly generic tool. CHEO chose Websense for its ability to provide flexibility in drilling down to the individual level while covering the masses, allowing for free public Internet service so families can surf and communicate. Yet role-based rights can be granted to research staff, key clinicians and IT staff through its intranet portal.
CHEO is also using the reporting features within Websense as an educational tool. Employees or guests may inadvertently go to the wrong place or do the wrong thing. “Our average staff is in their late 40s or early 50s,” says Roffey. “The Internet isn’t a natural tool for them, and their profession didn’t teach them how to use that.” CHEO now has access to reporting tools that bring these types of issues to light.
Websense provides security in three areas: e-mail, data and Web security. In health care, security becomes an issue when anything tries to enter or exit the system, whether it’s a botnet trying to ping home or a user unknowingly accessing a malicious or compromised Web site.
“It’s never a malicious thing — it’s somebody trying to do more work or balance their workload,” says Fiaaz Walji, country manager for Websense. “But there’s a process flaw there.” In one case at a hospital in the U.S., nurses were storing patient data on USB sticks hanging around their necks. At other hospitals, healthcare professionals were entering data into Web-based Google applications, so they could work on it later. But these can all lead to serious security breaches.
There’s also the issue of bandwidth. “A lot of hospitals, given tight budgets and economic times, want to make sure they’re not spending on bandwidth they don’t have to,” says Walji. Websense allows them to throttle bandwidth between personal and business-related surfing, and pull out data to solve business problems.
CHEO had a problem, for example, with Internet radio — since patients near the MRI department were unknowingly sucking up bandwidth. “Nobody was doing anything wrong — they were putting radios under these huge magnets and it was a frequency-free zone,” says Roffey. The IT department started receiving complaints about slow applications. “We were going bananas until we understood the reporting capabilities within this tool and that’s what we used to solve the problem.”
The reporting capabilities allowed them to identify patterns that explained why this was happening and what could be done about it. “The easy answer would have been to double our bandwidth, but it costs us money, and every time we spend money we have less money to deliver care,” says Roffey. By pulling out relevant data, CHEO is able to filter out non-critical use of bandwidth and maintain costs — not arbitrarily expand or spend more dollars. While it’s not a hard ROI, any time they don’t have to spend extra money, it’s dollars they have to provide more care.
In Ontario, the Personal Health Information Protection Act, or PHIPA, provides privacy guidelines for health information custodians (breaches are forwarded to the Ontario Information and Privacy Commissioner). Websense is one of several tools that CHEO uses to comply with PHIPA. “Privacy is more about giving patients control of their information, and we use security tools for that, but it’s more about their rights than ours,” says Roffey.
While Websense isn’t being used for health records at this point, since CHEO is still in the early stages of its electronic health records evolution, it will play a yet-to-be-defined role in the future.
Websense is morphing to include a gateway product that does real-time analysis. “In the old days Facebook was either good or bad,” says Walji. “Now you can surf wherever you want to surf, and we’ll analyze it in real time and block the pages that don’t fit your policy.”
Legal liability is one of its core tenets. “You want to make sure somebody isn’t surfing something that goes against HR policy,” he says. Whether it’s an audit or continual compliance, there are regulations that rule the healthcare world, so Websense offers ways to automate reporting and run the business based on those reports. “If you think about legal liability from an inappropriate site being surfed, all it takes is one incident for somebody to complain and get a legal case against you.”