Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
CommonSpirit, University of Utah Health team on access
CommonSpirit, University of Utah Health team on access
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
Express Scripts, Caremark, OptumRx fight back in lawsuit against FTC 
Express Scripts, Caremark, OptumRx sue FTC 
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Jan 14, 2013 More on Quality and Safety

3 strategies for strengthening internal data security practices

Benjamin Harris

When it comes to securing a hospital's IT, the focus is on keeping unwanted or unauthorized people out of the system. Strengthening a system to bar access to the wrong people while making it easy for the right ones to get in is always on IT managers' minds. What most people think about in the realm of security is referred to as "perimeter control," or securing a system from outside intruders.

But this is not the only area that needs focus, as there are just as many threats to network security within an organization as there are without. Paul Christman, Vice President, Public Sector Sales and Marketing at Dell, speaks about three key elements of internal controls that help ensure a system's IT is as strong inside a hospital's corridors as it on the outside.

[See also: Data breach leads to $1.7M fine for Alaska DHSS]

1. Two-factor identification. Probably the most familiar to the security-minded, two-factor identification is the next step beyond the traditional system of requiring a username and password for access. "Username/passwords are the foundation for a lot of our internal security, but passwords can get lost, passwords can get hacked," says Christman. Much more secure is coupling the username/password combination with an additional token, like a key card or some other unique device that helps identify a person trying to log on as who they should be. This second factor is only limited by the bounds of an IT department's imagination- and its budget. "It could be a key fob, you see people carrying around little tokens that have random number generators," says Christman. He goes on to describe advances being made to develop "soft tokens," or a strong second factor that can reside on something almost every hospital worker is permanently attached to- a person's mobile device. Two factor identification, while not bulletproof, makes simply cracking a password much less effective. Christman likens the system to an ATM machine, saying that just a PIN or card alone will not grant access – the two are needed in conjunction to make the system work.

2. Identity of a service. Anybody in a healthcare system probably has to deal with more than a handful of passwords. Christman says this horde of passwords is part of the problem. Another problem is keeping track of all of a system's users and the hassles that entails. The solution to this lies in authenticating a user's device to connect to a central server, which then passes on the authentication details to the specific applications that a user is approved to access. "The system understands who I am, the authentication engine passes my credentials on to the software," says Christman. "You can control these credentials from one place and you can shut someone out. You don't have to worry about all of the different places their identity was stored." Authenticating through identity of service also has its added security benefits. "If you just have a username/password to a website, you can share that on a Post-It note," says Christman. "It's horribly insecure." With identity of service, there are no passwords to share. Also, when someone leaves the system or loses a device, removing privileges is as simple as a few clicks.

3. Least privileges. Ever want to be king for a day? Turns out that's actually one of the best ways to manage large IT systems where multiple people need administrator access, according to Christman. Networks allow for different levels of permissions, or ability to change and control configurations, with the highest level called root, which is basically "god status," says Christman. "You can do anything you want inside the IT services. You can do all sorts of very very high level things." It's not necessary for most to operate at this level, and as a result they're granted the much more commonplace user-level accounts. When someone needs a higher level of authority, instead of granting them unlimited access, Christman says least privileges allows a manager to "grand the amount of privileges necessary for a person to do their job, no more, no less." With this system, a user can get enhanced privileges for a specified period of time when "everything you do during that time is watched and logged and audited," says Christman. "When you give the keys to the kingdom to someone, you have to know you can get them back."
 

[See also: Security breaches prove costly for California hospitals]

 

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.