SECURITY REALITIES FOR BEHAVIORAL HEALTH
Days after last month's arrests in the alleged terrorist plot involving liquid explosives, my mother-in-law called my house while packing for the flight for our family vacation. She was about two “oy vays” away from being hysterical. The standard hello and announcement of who is calling (I'd know that voice if I had amnesia) were followed by the routine check that I was properly caring for her grandson. In her voice I heard great concern and worry. A less experienced son-in-law would claim the baby well fed, rested, and dry, but with almost ten months of experience under my belt, I proceeded with the $1 million question.
“What's wrong?” I asked. She answered with the concern and respect of an overworked, underpaid therapist working seven days straight and seeing her twelfth client of the day. She scoffed, “Haven't you seen the news? How am I supposed to fly without my medications, my toothpaste, my makeup, for goodness sake? I need my Listerine! The whole world's a mess. What am I to do?”
Having been trained by dozens of care providers and behavioral health executives, I gently responded, “I understand your concern. Your situation is real. Let's talk through this and discuss some solutions. You will be okay. Let's start with some facts. What exactly must you check with your luggage versus carrying on the plane?”
Some of you may be wondering what this conversation has to do with security and behavioral healthcare. Others may be questioning my sanity for sharing my family vacation with my mother-in-law. Either way, there is a lot in common between preparing for air travel in today's security and threat-focused aviation industry and securing behavioral health data and access in today's ever-increasing technology-infused world.
The Threats Are Real
Some threats are internal, some systemic, and others external. Laptops are stolen. Users select easy-to-crack passwords. Well-intentioned, experienced, caring staff post their user names and passwords on yellow sticky notes next to their computers. Individuals load unapproved software. Even advanced, talented IT staff occasionally go astray. The story of the system administrator that “loaned out server time” to a software program to track extraterrestrial activity is no myth; I've seen real-world deployments (of the program, not ET). Some employees even install unauthorized and often unencrypted wireless networks at remote locations. These are internal threats—very real but also very manageable.
Any resemblance of characters or individuals in the introductory paragraphs to real people are purely coincidental. My mother-in-law is wonderful, and I still have a lot to learn as a son-in-law.
Bad, misdirected people act maliciously. Often motivated by reasons or causes we cannot discern, these people inflict random yet real damage. This is the reality with which we must deal. This is the reality in air travel and when securing your organization's data.
For those who need more convincing, consider the following:
- Remember that infamous lost—and then found—Department of Veterans Affairs laptop?
- The American Institute of Certified Public Accountants lost a hard drive containing 330,000 unencrypted Social Security numbers.
- The CEO of QUALCOMM had his laptop stolen.
- Fourteen FBI laptops containing classified information were stolen.
- 600,000 laptop thefts were reported in 2004, costing an estimated $5.4 billion in theft of proprietary information, according to Safeware, The Insurance Agency, Inc., in 2004.
- Nearly three quarters of stolen laptops do not meet regulatory compliance requirements for data encryption, mainly the stringent HIPAA privacy regulations, according to the Corporate Exposure Survey: Lost & Stolen Laptop Edition, 2005.
- The theft of a laptop results in an average financial loss of $89,000; only a small percentage of the sum actually relates to the hardware cost, according to the Computer Security Institute (CSI)/FBI Computer Crime & Security Survey, 2002.
- 40% of companies do not log security incidents (2005 CSI/FBI computer crime survey).
- 90% of companies suffered a computer security incident in the past year (2005 CSI/FBI computer crime survey).
- 20% of companies have suffered network or data sabotage (2005 CSI/FBI computer crime survey).
Steps to Minimize Risk
First, acknowledge reality.
Once we accept the situation, we can begin to adjust our behavior to avoid problems and adhere to the proper rules (e.g., don't carry on toothpaste). Discuss the threats with your management team and your entire staff. Review statistics, and decide as a group how you will move forward to change your business practices and minimize the pain (“You mean I have to buy toiletries when we land?”).
A practical, basic checklist for this first step includes:
- Have management discuss publicized threats. Review the 2005 CSI/FBI computer crime survey (https://www.gocsi.com), details of the VA laptop case, and a local example.
- Have an agency-wide discussion. Survey your staff to seek their level of awareness of risks and threats. Administer a short, one-page survey, and leave room for one or two open-ended answers and recommendations. Review the survey's results with management and staff.
- Inventory all unauthorized software deployed in your agency. Budget five to ten minutes per computer, and understand the use and need for every software product inventoried.
Next, manage reality.
This is the equivalent of going to the Transportation Security Administration's Web site and reviewing the list of banned carry-on items. The task requires some effort and occasional review, but it will simplify the process for all involved.
Below is another basic checklist:
- Make decisions. Take the leadership role. Review solutions. Weigh the pros and cons. Decide and move forward.
- Publish security policies (for passwords, encryption requirements, etc.). Leverage your investment of time and effort by letting your team know what is expected, how to operate, what programs are authorized, etc. Combine strong, time-sensitive password methodology with “workplace and desktop management” (in other words, police your offices for yellow sticky notes with passwords on computers).
- Invest a percentage of your revenues or IT budget in proven encryption and other security technologies. Seek concrete solutions from security software leaders. Avoid elaborate studies and analyses that do not include specific recommendations and implementation guidelines.
- Adopt best practices. Design your processes and practices by leveraging ISO 17799, ITIL, or COBIT (great sources to keep you from reinventing the wheel).
- Verify as much as you trust. Test your policies, backups, and security procedures.
- Audit your data—inventory incoming and outgoing data. Be aware of data needs and corresponding security requirements. Review these periodically.
- Encrypt data. Make sure you deploy the encryption solution you purchased, and monitor for encryption avoidance.
Securing your organization's data, data access, and data flow is challenging but not impossible. There are very clear rules and guidelines you can follow. The benefits of getting started far outweigh the consequences of becoming a local headline and, more importantly, facing the legal consequences.
Matthew M. Dorman, MBA, is the founder and CEO of Credible Behavioral Health in Bethesda, Maryland. With more than 15 years of management experience in operations, finance, and investment banking with Lockheed Martin and Fortune 500 companies, Dorman has knowledge of and experience in the software, mobile healthcare, and technology fields. Dorman has worked in county and state governments in Maryland, as well as on Capitol Hill for Sen. Paul Sarbanes (D-Md.).
Sidebar
SATVA's Position on EHR Standards
The Software and Technology Vendors’ Association Board of Directors finalized a position statement on electronic health record standards this summer. Below is the statement.
The Software and Technology Vendors’ Association (SATVA) is concerned that standards for electronic health record systems (EHRs) be developed, disseminated, and adopted with utmost care because they are likely to have such a profound impact on our entire industry. We have therefore drafted what we believe to be our most important positions on these issues.
- EHRs provide tremendous value for improving care. Their widespread adoption is important.
- EHR standards are vital to facilitate widespread EHR adoption, and SATVA participates actively in their development and promotion.
- To be applied by specific settings, EHR standards must be targeted for and appropriate to them—not one size or type fits all. For example, what is needed by a large urban psychiatric hospital, an outpatient behavioral health service within a social services organization, and a stand-alone intensive outpatient substance abuse treatment program will likely differ.
- EHR standards must be reasonable and realistic.
- Organizations contemplating selection and implementation of an EHR system in the near future without the benefit of finalized EHR standards can still do so effectively. SATVA works with other trade associations to develop guidelines for how organizations can select and implement an EHR system effectively with anticipation of emerging EHR standards.
- State behavioral health agencies should work in concert with national standard-setting efforts. They should be careful not to inadvertently stall EHR adoption.