www.canadiansecuritymag.com

Sick Kids Hospital moves ahead with encryption of patient data

The Hospital for Sick Children (SickKids) has taken steps to protect medical data housed on mobile devices by installing full-disk encryption software.


April 29, 2009
By Patricia Pickett


The move is partially in response to the highly-publicized January 2007
theft of a laptop belonging to a SickKids physician, and is the last of
several steps the Toronto-based hospital has undertaken to comply with
Ontario Information and Privacy Commissioner (IPC) Ann Cavoukian’s
March 2007 order for the hospital to encrypt its data, said Bob Spence,
spokesperson for the Office of the IPC of Ontario.

SickKids is installing WinMagic Inc.’s SecureDoc encryption solution on
more than 300 Windows laptops, and is also testing the software’s
newly-released Mac version. The hospital is also issuing MXI
hardware-encrypted USB keys to transfer confidential information. Spence noted
that prior to the full encryption system being implemented, SickKids
“has not been storing personal health information on mobile computing
devices unless an encrypted USB key is used.”

Cavoukian applauded SickKids’ move to deploy strong encryption on all
of its laptops and USB keys. “In data-rich and mobile environments,
securing personal information — especially sensitive personal health
information — has become the default policy priority and a standard
operating procedure,” she said.

In selecting an encryption solution, SickKids had to take into account
its organizational complexity as well as its unique data security
requirements, said Joseph Belsanti, vice-president of marketing for
Mississauga, Ont.-based WinMagic, which makes SecureDoc, the encryption
software the hospital selected. Patient information resides not only
within notebooks and workstations, but also on USB thumb drives, CDs
and DVDs.

The hospital’s heterogeneous environment also complicated the
situation, Belsanti said. Since it is a research organization, SickKids
has a constant influx of interns, fellows and department heads who are
using a variety of platforms and systems.

“The encryption solution needed to be flexible enough to deal with
(Windows) Vista, NT, XP, as well as Mac environments,” while also
taking into account future technologies such as self-encrypting hard
drives and upcoming Opal specification drives, he said.

Data encryption is often a challenge in health care organizations where
efficient care of patients is the highest priority, Belsanti said. “The
problem is that there has traditionally been an inverse relationship
between security and ease of use,” he said. “The more secure you make
something, the more hoops you have to jump through to get access to
data.” This can be frustrating for users who just want to provide
quality care, he said.

According to a statement from SickKids, the hospital researched several
full-disk encryption solutions and narrowed the list down to three
options — SecureDoc, SafeBoot from McAfee Inc., and SafeGuard Device
Encryption from Utimaco Safeware AG — which were then put through a
proof-of-concept. The hospital tested each solution for high-level data
protection capabilities, Windows compatibility and simplicity for the
user, and the ability to decrypt data, recover it and support
security policy protocols. SickKids also looked at each product’s
client management and monitoring capabilities, auditing and reporting
features and pre-boot authentication functionality.

SickKids said that in the end, SecureDoc won out for its ability to
integrate with the hospital’s technical environment, as well as its
central management feature, which determines who is allowed to access
keys that in turn provide access to information. The hospital also
liked the fact that the software can run transparently in the
background, giving medical staff easy access to encrypted information.

There are three ways SecureDoc works in a health care organization,
said Belsanti. In the first scenario, if an encrypted device is lost or
stolen outside of the hospital building, the breach does not have to be
disclosed. “The drive has been encrypted sector by sector, and all of
the information, including file names, is protected,” he explained.

Secondly, the software protects information on a device that has been
lost within the confines of the hospital building. For example, if a
doctor accidentally leaves an encrypted USB key in another ward and
someone else picks it up and plugs it into a computer to try to find
out what’s on it, that computer will go back to the server to check if
the user has specific permission to access the information. Meanwhile,
the owner of the lost device will automatically receive a text message
regarding the device’s location, Belsanti said.

Third, SecureDoc helps make information sharing easier for staff who
work in the same ward or who are collaborating on a project. “If they
are part of the same team and are supposed to have access to the same
information, the software automatically provisions the encryption key
so they have access transparently without doing anything,” Belsanti
said. “This keeps productivity levels high.”

While encryption is essential for health care organizations, Cavoukian
pointed out that it is not the be-all and end-all of data security. As
stated in her 2007 health order, hospitals must also implement other
technical, administrative and physical security measures, including:

• a hospital-wide endpoint electronic devices policy, applicable to both desktop and portable devices;
• a comprehensive corporate policy prohibiting removal of personal health information from premises;
• a privacy breach protocol/policy; and
• education and training for staff members, researchers and clinicians.

“Good data security, like privacy, requires a holistic and iterative
approach,” said Cavoukian. “Build both into the very design and
architecture of your operations if you want peace of mind.”
