Saturday, July 4, 2009

Michael Jackson's Death: A Wakeup Call for Healthcare Providers

By: N. Parker Cowand
Chief Executive Officer (CEO)
Cooperative Management and Consulting (Cmac)

What can the sudden death of the “King of Pop” teach the world about the way the healthcare industry operates?

We were all shocked to learn of the premature death of Michael Jackson this past week. Many speculated that drugs played a role, but few would have guessed that Jackson was being administered a potent anesthetic to help him sleep. It has been widely reported that Jackson craved anesthesia and used Diprivan, the brand name under which propofol is marketed; the drug is said to have euphoric side effects. Propofol is a potent injectable emulsion for IV administration that is used widely for the induction and maintenance of anesthesia, as well as for sedation in the intensive care unit. It is a global central nervous system depressant and is also used in ambulatory settings. The drug's approved indications are: initiation and maintenance of Monitored Anesthesia Care (MAC) sedation; combined sedation and regional anesthesia; induction of general anesthesia; maintenance of general anesthesia; and Intensive Care Unit (ICU) sedation of intubated, mechanically ventilated patients.

It is no secret that Jackson used an alias or two to get prescriptions for drugs like Demerol filled at pharmacies, but that doesn't explain how he got his hands on ampoules of propofol. Perhaps one of his medical providers brought it to him, but access to drugs like this doesn't necessarily require the cooperation of a physician. It is not difficult to defeat the lackluster controls that many medical groups have half-heartedly implemented in their organizations.

For the general public, the idea that a drug like propofol can be obtained easily without a hospital stay is mind boggling. How does the drug get out of the hospital setting without being noticed? Did anyone report the missing ampoule? Was there an accounting or tracking procedure in place? It is said that the DEA will be investigating how Jackson was able to obtain a drug that was not available to the public. The following anecdote shows one very easy way in which a regular person like you or me could acquire a drug like propofol with very little effort and very little money.

Hospitals have internal pharmacies that receive and store medications. Drugs like anesthetics are couriered on carts by staff members to the operating room (OR) storage areas, where they are kept in a drug closet under lock and key. The drugs are then carted to the individual surgical rooms in the OR area (large hospitals may have dozens of these rooms), where they are stored in smaller drug carts next to the operating table. The Joint Commission (formerly JCAHO) accredits hospitals and sets guidelines and best practices for medication reconciliation procedures and patient safety parameters. The guidelines require hospitals to track and log the chain of custody of drugs from receipt in the pharmacy, through storage, to the usage, dispensing or disposal of the therapy. One reason for this is to track down, account for, and purge expired or recalled drug therapies.

Many times this chain of custody is broken somewhere along the line, usually at a level that is far removed from the watchful eyes of the pharmacy. Many times this occurs through negligence and mismanagement rather than nefarious intent. As a healthcare consultant, I have witnessed countless areas where the tracking mechanisms fall far short of any reasonable type of control. I have seen drug cabinets with their doors swung wide open at all times, drug carts without locks on them, and, in some cases, no drug log anywhere near the areas where the drugs are stored. If one of these hospitals were ever audited, the auditor could follow the drug's chain of custody into the pharmacy, to the OR, and then to the drug cabinet. Since the chain of custody often ends at that point, the auditor cannot determine where the drug went from there; the tracking mechanism would incorrectly show that the drug remained in the drug cabinet in perpetuity. The paper trail ends without so much as a hint of where the drug went, and in this scenario heads will likely roll. Through vicarious liability and the doctrine of respondeat superior, those held immediately and directly accountable will be those sitting on the executive Board of Directors (BOD).

More often than not the drug storage units remain unlocked, partly because the room that houses them is typically equipped with an electronic card swipe for keyless entry and is therefore considered to be adequately under lock and key. Here is the problem with this scenario, and one of the ways in which an ordinary person could obtain propofol without any involvement of a physician or medical professional: the card reader on the door only checks that a badge is on its access list, and access cards are issued to many staffers, including the cleaning staff or janitors, as well as other personnel and vendors not directly associated with the OR. Where there is no drug log at the cabinet, nothing records who opened it or what was removed. It is easy, extremely easy, for a janitor to gain access to the OR and open a drug cabinet or drug cart where ample drugs sit for the taking. There is a black market for such drugs, as the Jackson scenario teaches us. Propofol comes in a 20 mL ampoule that can easily be smuggled out inside a coat pocket or a purse. The worst part about this scenario is that it commonly occurs, and hospitals either don't catch it or fail to address it.
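The audit walk described above, as an added example that is not part of the original post or Cmac's own tooling: a small Python reconciliation that replays a hypothetical chain-of-custody log (pharmacy to OR closet to room cart), compares what the log says should be on hand at each location against an auditor's physical count, flags ampoules that have sat in storage past a threshold and transfers that skip a step of the path, and lists the badges the storage-room card reader admits that are not on the medication-handling list. The log format, location names, badge IDs, ACLs and the sample log itself are all constructed for this example.

```python
"""Chain-of-custody reconciliation for unit-dose anesthesia drugs.

Added example: the log format, locations, badge IDs and ACLs below are
hypothetical and constructed for illustration, not a real hospital's records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Expected custody path, in order: pharmacy -> OR drug closet -> room drug cart.
PATH = ["pharmacy", "or_closet", "or_cart"]
# Events that legitimately close an ampoule's chain of custody.
TERMINAL = {"administered", "wasted", "disposed"}
# Hypothetical ACLs: badges the OR storage-room card reader admits, versus
# staff authorized to handle medication. The difference is the exposure.
DOOR_ACL = {"RN-07", "RN-09", "CRNA-03", "EVS-21", "VEND-04"}
MED_HANDLERS = {"RPH-12", "RN-07", "RN-09", "CRNA-03"}

# Constructed sample log (not real data). Fields: time item event location actor
SAMPLE_LOG = [
    "2009-06-20T08:00 PROP-0001 received pharmacy RPH-12",
    "2009-06-20T08:00 PROP-0002 received pharmacy RPH-12",
    "2009-06-20T08:00 PROP-0003 received pharmacy RPH-12",
    "2009-06-20T08:00 PROP-0004 received pharmacy RPH-12",
    "2009-06-20T09:15 PROP-0001 transferred or_closet RN-07",
    "2009-06-20T09:15 PROP-0002 transferred or_closet RN-07",
    "2009-06-20T09:15 PROP-0003 transferred or_closet RN-07",
    "2009-06-20T10:02 PROP-0001 transferred or_cart RN-07",
    "2009-06-20T10:02 PROP-0002 transferred or_cart RN-07",
    "2009-06-20T11:30 PROP-0001 administered or_cart CRNA-03",
    "2009-06-21T07:45 PROP-0003 transferred or_cart RN-09",
    "2009-06-21T07:50 PROP-0004 transferred or_cart RN-09",  # skipped the closet
]


def parse_log(lines):
    """Parse 'time item event location actor' lines into dicts, oldest first."""
    events = []
    for line in lines:
        time, item, event, location, actor = line.split()
        events.append({"time": datetime.strptime(time, "%Y-%m-%dT%H:%M"),
                       "item": item, "event": event,
                       "location": location, "actor": actor})
    return sorted(events, key=lambda e: e["time"])


def _step(location):
    """Position of a location on the expected path, or -1 if it is off-path."""
    return PATH.index(location) if location in PATH else -1


def custody_state(events):
    """Replay events per item. Returns (last event per item, list of violations)."""
    last, violations = {}, []
    for e in events:
        item, prev = e["item"], last.get(e["item"])
        if e["actor"] not in MED_HANDLERS:
            violations.append((item, f"actor {e['actor']} not authorized to handle drugs"))
        if e["event"] == "transferred":
            if prev is None or prev["event"] in TERMINAL:
                violations.append((item, "transfer with no open custody record"))
            elif _step(e["location"]) != _step(prev["location"]) + 1:
                violations.append((item, f"skipped step {prev['location']}->{e['location']}"))
        last[item] = e
    return last, violations


def reconcile(events, physical_count, as_of, max_idle=timedelta(hours=24)):
    """Compare what the log says is on hand with the auditor's physical count.

    physical_count maps location -> number of ampoules actually found.
    """
    last, violations = custody_state(events)
    expected = defaultdict(set)   # location -> items the log says are there
    stale = []                    # items sitting in storage longer than max_idle
    for item, e in last.items():
        if e["event"] in TERMINAL:
            continue
        expected[e["location"]].add(item)
        if as_of - e["time"] > max_idle:
            stale.append(item)
    discrepancies = {}
    for loc in set(expected) | set(physical_count):
        on_books, counted = len(expected.get(loc, ())), physical_count.get(loc, 0)
        if on_books != counted:
            discrepancies[loc] = on_books - counted   # positive = unaccounted for
    return {"expected": {loc: sorted(items) for loc, items in expected.items()},
            "discrepancies": discrepancies,
            "stale": sorted(stale),
            "violations": violations}


def door_exposure(door_acl=DOOR_ACL, med_handlers=MED_HANDLERS):
    """Badges that open the storage room but are not authorized to handle drugs."""
    return sorted(door_acl - med_handlers)


def audit_sample():
    """Run the reconciliation over SAMPLE_LOG against a constructed physical count."""
    events = parse_log(SAMPLE_LOG)
    found = {"pharmacy": 0, "or_closet": 0, "or_cart": 2}  # what the auditor counted
    return reconcile(events, found, as_of=datetime(2009, 6, 21, 17, 0))


if __name__ == "__main__":
    print(audit_sample())
    print("door ACL exposure:", door_exposure())
```

In the constructed sample the log says three ampoules should be in the room cart but the auditor finds two, PROP-0002 has sat there for more than a day with no dispensing or waste record, PROP-0004 went from the pharmacy straight to the cart, and two badges (environmental services and a vendor) can open the room without being allowed to touch medication. The physical count is what turns "the trail ends at the cabinet" into a finding; the badge-list difference is the size of the population that could have walked out with the missing ampoule.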

We don't know whether Jackson's physician provided the propofol, but it is clear that Jackson would not necessarily have needed the services of a physician and could have obtained the drug easily on the black market.

For hospital administrators, the questions go deeper and the spotlight intensifies on practices that put people, not just their patients, in harm's way. The BODs of ALL medical organizations must take their collective heads out of the sand and implement an enterprise-wide program in which a third-party professional organization comes in and assesses their policies, procedures, and practices relating to medication reconciliation and information assurance. Recommendations from these third-party assessors will need to be holistic and involve the implementation of a training and education program tailored to ALL employees in the organization. Failure to do so can be considered an "unfair trade practice" by the FTC and could lead to scenarios like the Jackson tragedy, where people die and investigations begin.

Hospital administrators, heed this warning: do not leave your medication reconciliation implementation up to your staff. Do not, under any circumstances, rely on your IT department alone to provide information assurance or computer security when it comes to patient confidentiality. Industry breach surveys have put the share of security breaches attributable to insider negligence as high as 88%. A professional, well-trained, certified third-party assessor is just what the doctor ordered.

For further information please visit www.cooperativemac.com.

Friday, June 19, 2009

Oregon Health & Science University Data Breach: Avoidable?

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

There are many incidents of healthcare data breaches at atypical healthcare organizations (e.g. pharmacies, medical schools). What makes these interesting is their status. Does a medical school or pharmacy take the same steps that a hospital or medical group takes to safeguard protected health information (PHI) or electronic PHI (ePHI)? Maybe...maybe not!

A report about a June 2009 data breach at Oregon Health & Science University stuck out at me, and then the details of it made me think: was this avoidable? The limited information available about the incident reveals that approximately 1,000 patients' records were stolen when "a physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer." The questions that popped into my head are: Why are these records saved on a mobile computer? What type of identification or authentication is used to log in to the laptop? Does the organization encrypt the data 'at rest'? Are there backup copies of the 1,000 records? But my ultimate question has two parts: Why is a physician taking these records home? And, more importantly, why didn't he or she take the laptop inside the house and physically safeguard it?

Security management has many tenets, but one of the primary ones is risk management. How do organizations, their employees, their managers, and ultimately their customers (i.e. patients) manage the risks associated with PHI and ePHI security and privacy? If a comprehensive approach is implemented, the answer is that they use a Layered Security (commonly called Defense in Depth) approach. This means there is no single layer (single point of failure) safeguarding the confidentiality, integrity, and availability of PHI or ePHI: a thief who defeats one control, such as the locked car, still faces the next, such as a login and encrypted storage. Another tenet of risk management is that the organization, or its respective decision makers, has the authority and responsibility to 'accept certain risks'. I provide the following analysis (based on what is publicly available) by pairing the concept of risk management with the Oregon Health & Science University data breach.

It appears that Oregon Health & Science University either does not have policies, procedures, and training (PPT), or does not have enough enforceability (adequate PPT), to implement a 'culture of security' that would lead the respective physician to think about the security of the physical laptop and the data stored on it. According to the Federal Trade Commission (FTC), the most effective step one can take to avoid a data breach is having a well-trained workforce. I am going to give the University the benefit of the doubt on its safeguarding of 'user access' to the laptop and presume that a strong identification or authentication scheme is implemented, and that the data stored on the laptop is protected by strong encryption. I do not know this; I am hoping it is the case more than anything else. However, I do have my doubts about why the respective physician left such a sensitive laptop in his or her vehicle. Physically safeguarding the laptop in the residence provides at least one more layer of security that a nefarious individual has to overcome to gain access to the laptop and the protected data. This is not the first data breach resulting from a stolen laptop, and I am confident it won't be the last. As computers become smaller, faster, and more mobile, and as physicians and organizations are pushed to become compliant with electronic medical record regulations, the privacy and security of the most sensitive data an individual has is increasingly at risk.

Was this avoidable…you decide!

For further information please visit www.cooperativemac.com

References:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

http://datalossdb.org/incidents/2113-patient-names-treatment-dates-treatment-summaries-and-medical-record-numbers-of-1-000-on-stolen-laptop

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf

Thursday, June 4, 2009

Analysis of Virginia’s Prescription Drug Database Breach

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

After I heard about the Virginia Prescription Drug Database breach, I was very curious about what is going on. What is happening?

Several quotes and statistics in news reports stuck out like a sore thumb, and confirmed what I have known for a while but most in healthcare may not know. It then occurred to me that I needed to share this information and provide a little analysis of what this data breach means to the healthcare industry and to the healthcare information assurance field.

So first of all...what happened? Based on news reports, it appears that the Virginia database that holds millions of prescription records was compromised, records were stolen, and the web page was defaced with a ransom demand posted. According to Gov. Timothy M. Kaine (D), Virginia, "It's difficult to foil every criminal that may want to do something to you." Emily Wingfield, chief deputy director of the Department of Health Professions, said "the database contains 31.3 million prescription records and 1 million records are added monthly". Both of these quotes say a lot about the state of healthcare and healthcare security. They say that as the government and industry push forward with electronic health records, the exposure of these records (our records, in the care, custody, and control of others) increases.

Nefarious people and organizations target specific records (e.g. celebrity records being compromised), groups of records (e.g. the Virginia database), or organizations (e.g. the Commonwealth of Virginia) for various reasons, including extortion. If you want to know what we need to do about it, we first need to answer: Is it worth the risk to have the most sensitive of information in electronic format and on the web? Then we have to ask: what do the custodians of these records have to do to protect the privacy and security of the records? The answer to the first question is a political issue, and constituents need to voice their opinion to their elected officials. The answer to the second is to take a comprehensive view and assessment of the environment containing these records.

How did this occur? Until the authorities publicize their findings and investigation results we will not know. But we can read between the lines. Patricia Paquette, DHP's technology director, stated "the DHP's computer system -- which includes firewalls and backups -- is one of the most secure in state government". Really? Then why did this happen? I would suggest that the devil is in the details and that Ms. Paquette, a technologist, is not looking at the non-technology issues when trying to explain what happened. Firewalls and backups are two controls among many: a firewall does not stop an attacker who holds valid credentials or exploits the web application it permits traffic to, and backups address availability, not confidentiality. Security is a people problem...not a technology problem. Is this a money problem? Possibly. A technology problem? Maybe. What about a zero-day exploit (an attack on a vulnerability that the vendor and defenders do not yet know about, so no patch exists)? That is possible too.

According to Virginia Gov. Tim Kaine (D), the breach indicates that the state needs to "create more sophisticated security." Maybe Gov. Kaine is aware of something that is not being released, but I would suggest a comprehensive look at the DHP information assurance program before making a definitive recommendation on what needs to be corrected. Information assurance is holistic, and looks at training, policies, procedures, and technology, as well as environmental issues, when assessing whether data (e.g. health data) is 'secure'. The point I am trying to make is summarized well by Del. L. Scott Lingamfelter (R-Prince William), who stated, "I have some question as to whether there is a comprehensive approach to cyber security in the commonwealth."

My advice to the Governor and the Commonwealth leadership is to look at information security from a holistic and comprehensive viewpoint, and to hire a qualified, independent, third-party information assurance assessor, following the Federal Trade Commission (FTC) requirements for similar assessments. You may be shocked at what you find!

For further information please visit www.cooperativemac.com

References:

San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2009/05/12/financial/f150940D35.DTL

Washingtonpost.com. http://www.washingtonpost.com/wp-dyn/content/article/2009/05/07/AR2009050702515.html

Washingtonpost.com. http://www.washingtonpost.com/wp-dyn/content/article/2009/05/12/AR2009051201934.html

Saturday, May 30, 2009

Comprehensive and Effective Information Assurance Program

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

On May 16, 2009, NewsChannel9.com reported “thousands of medical records discovered in recycle bin” in Chattanooga, TN. How does this happen in today’s environment of increasing scrutiny, regulation, and oversight in the healthcare arena? It boils down to two things: (1) lack of training and awareness, and (2) lack of an effective and comprehensive information assurance (IA) program.

Because this is not the first, and certainly not the last, data breach in healthcare, I would like to provide a short primer on the components of an effective information assurance program. I hope that medical group managers and executives reading this use it to assess whether their respective practice has a comprehensive and effective information assurance program. If it does not, you are opening yourself up to severe fines, liability, and business impact (the average healthcare data breach costs $282 per compromised record).

Information Assurance Program: What makes it comprehensive? What makes it effective?

(1) What makes it comprehensive? First, the organization must take a 'holistic' approach. There is a difference between computer security and information assurance. Within the corporate compliance program (CCP), an information assurance program must be holistic, meaning:
• it is designed and implemented enterprise-wide;
• it includes the appointment of an accountable employee or set of employees responsible for coordinating the IA program. The responsible party or parties must be part of the executive team or report directly to it (e.g. Chief Information Officer, Chief Information Security Officer, Risk Manager). Hospitals and medical groups commonly make the mistake of placing accountability in the IT group, which is a misguided approach;
• it goes beyond the technology (i.e. computer security);
• it includes processes, procedures, and training to address all areas of IA and the protection of sensitive and protected data, including proper hiring practices;
• it includes hiring a qualified, independent, third-party assessor every two years to analyze internal and external enterprise-wide risks affecting protected health information, electronic protected health information, personally identifiable information, identity theft, and other protected data classes;
• it includes administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of the protected data;
• it identifies internal and external risks, monitors risk mitigation and elimination, and develops reasonable steps to oversee service providers and business associates that access protected and sensitive information; and
• it evaluates and adjusts the IA program to reflect the results of monitoring and of third-party, internal, and external assessments, and changes in corporate operations that affect the efficacy of the IA program.

(2) What makes it effective? Clearly the Chattanooga, TN medical group described above does not have an effective program. Why not? Effectiveness is interrelated with the notion of a 'holistic' information assurance program. If an organization considers security to be an IT matter, it has missed the mark. To be effective, senior leadership and the executive board must have complete buy-in, communicate that buy-in to their respective employees and business associates, and take the proper steps identified above regarding a comprehensive approach. Effectiveness also relates to training and awareness. If executives and medical group managers do not put emphasis on security, they will not implement and require periodic training on security, privacy, and related information assurance topics. According to the Federal Trade Commission, "a well-trained workforce is the best defense against identity theft and data breaches". Next, effectiveness also requires processes and procedures to be in place to protect against, detect, and respond to security incidents and data breaches. Although no one is ever 100% secure, having a comprehensive security program (technology, policy, procedures, training, and assessment safeguards) in place will mitigate the damage resulting from a data breach and reduce the cost of future liability in legal actions. According to the Federal Sentencing Guidelines for Organizations, organizations are required to: (1) ensure the organization has an effective compliance and ethics program, (2) periodically evaluate the effectiveness of the organization's compliance and ethics program, and (3) periodically assess the risk of criminal conduct and take appropriate steps to design, implement, and modify each requirement to reduce the risk of criminal conduct identified through this process.

If I could sum this up into one phrase it would be: security is a people problem…not a technology problem.

For more information on healthcare information assurance services and products please visit http://www.cooperativemac.com/

References:
“Thousands of medical records discovered in Recycling Bin”
http://www.newschannel9.com/news/newschannel9-978371-records-afternoon.html

“Protecting Personal Information: A Guide for Business”
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf

“Data-breach costs rising, study finds”
http://www.networkworld.com/news/2009/020209-data-breach.html