Editor's Corner

As the theft of patient data from Allina Hospitals and Clinics reminds us (see below), today's healthcare IT departments are in something of a security bind. With HIPAA enforcement looming, maintaining tight data security is more critical than ever. At the same time, it's become crucial to let staff members bring data anywhere they need to go, and that means supporting a range of mobile devices. Unfortunately, securing these devices can be a tremendous challenge.

Today, caregivers must be able to move freely while they work, both around the facility and out into the community. Nurses are accessing patient information with PDAs. Doctors are entering orders using handheld computers and logging on to EMR systems from the field. And workers like Allina's obstetrics nurses are bringing care to patients' homes, armed with laptops that support the care process. These approaches aren't pervasive yet, but they're emerging quickly. Wireless mobility, telemedicine and home-based care are the future of medicine.

Without a doubt, these developments are positive, allowing for better coordinated, more effective care with improved outcomes. The problem is that at the same time, they expose health system networks and applications to countless additional security vulnerabilities. Though the Allina network may be very secure, all it took was one stray laptop, sitting in a vulnerable car, to expose highly sensitive data.

Even with good security software on board, physicians can download trojans onto their laptops that open network access to black-hat hackers, or install personal software that compromises security protocols. WiFi security is still in question, even with WPA standards in place. Add the growing use of VoIP over WiFi and things get even more complicated.

Particularly vexing are the issues created by wireless devices. These can pose an array of new security threats--and have multiple points of entry to protect, including the user interface, wireless modems, IR ports and 802.11 connectivity. Worse, there's little if any software out there designed to monitor for such threats or exterminate mobile viruses. As FierceHealthIT readers know, I'm just scratching the surface here. In short, supporting a mobile clinical workforce is enough to shorten an IT leader's lifespan.

To address this challenge, the healthcare industry simply must become a leader in establishing smart policies on distributed information security. Luckily, though, you don't have to reinvent the wheel. Among other preparations, you can standardize on approved devices rather than worrying over application differences; train users thoroughly and often; ensure that security approaches work across all platforms; and make sure you secure data on both the device and the network. Hey, and maybe crossing your fingers wouldn't hurt. - Anne