How to Secure Patient Data During Consolidation

When a hospital integrates with another hospital through an affiliation, merger or acquisition, information technology systems must integrate as well. According to Darek Dabbs, vice president of information security at Sera-Brynn, a cyber security company, when two or more hospitals combine IT networks, vulnerabilities and threats may be more easily exploited.

For this reason, hospitals need to tread carefully during consolidations and implement network segmentation. Network segmentation identifies and isolates critical, core information in the healthcare environment so it may be effectively protected. According to Mr. Dabbs, it is an important step in protecting a hospital's IT environment.

Network segmentation is necessary to protect sensitive data
For instance, improper network segmentations could introduce issues with either hospital's firewall and virtual local area network configurations that left alone, could derail information security or data exchange to or from each hospital. According to Mr. Dabbs, a hospital's firewall could be too strong or not strong enough. Both circumstances could hurt a partner's network and the security level of its patient data.

"Traditionally, two entities will not maintain the same [firewall] configuration management policies, [meaning] the type of sharing allowed and acceptable use policies of each organization could be dynamically different," says Mr. Dabbs. "[The hospitals] should thoroughly review risk analyses before merging networks."

Negative implications of firewall configuration problems

1. Data availability. The wrong firewall configuration could prevent data availability by being too strong, says Mr. Dabbs. For instance, if a firewall for one hospital is not configured properly, it could block radiologists trying to send digital images from an MRI scan to physicians at another hospital, or to physicians in their own hospital. According to Mr. Dabbs, the data could also be corrupted, threatening any future use of that information.

2. Malware. On the flip side, if one hospital has weak rules for its firewall configuration, it could subject the affiliate hospital to significant holes in protection. "A weak firewall and Intrusion Protection/Detection systems is equivalent to having no protection against stopping  malware in its infrastructure. Integrating with another hospital would expand those problems," says Mr. Dabbs. "All it takes is one unsecured computer for an exploit to occur and spread across the entire network. Vulnerability could proliferate across the entire organization."

Create a migration plan for information technology
In order to perform successful network segmentations and prevent the above mentioned risks, Mr. Dabbs recommends that hospitals create a migration plan for information technology during an acquisition.

"A migration plan will ingest one organization's IT into another, bringing them together successfully. The migration plan can include the network and IT security needs for every service," says Mr. Dabbs. "The plan should include firewalls, intrusion detection systems, intrusion protection systems and network topology data-flow diagrams. This will ensure a full-fledged risk analysis to all of those devices."

If security strengths and weaknesses are identified during a transaction— before a deal is final — each hospital can internally evaluate IT factors as part of the entire deal's worth. "A hospital may not have the money to implement strong security measures for another hospital. Or, they may not have the capital needed to reach a premiere level of security — a level that may not be necessary but the partner prefers," says Mr. Dabbs.

While creating migration plans can be expensive, they can save a hospital a great deal of investment later. "It is a pay me now or pay me later type of environment. If hospitals ignore risks to security during consolidation, they could have a data breach that loses thousands of records. The costs of such a breach would make the expense of a migration plan look like pennies," says Mr. Dabbs.

Furthermore, a migration plan is not time consuming. According to Mr. Dabbs, a usable migration plan could take no more than five days to develop. "The first phase is a site survey — visually evaluating what IT infrastructure the organization has. Then, based on that, the hospital can determine next steps," says Mr. Dabbs.

When a hospital creates a migration plan for an affiliation, merger or acquisition, potential problems with data availability and security could be avoided. Often times, hospitals place the most focus on integration operations, staff and executive teams. Due to the prevalence of data breaches, it is important that securing data privacy during transitions is a prime concern as well.

More Articles on Health Information Technology:

Voice Biometrics, the Key to Simple and Secure Access to Health Information
Handle Hospital Data Breaches With Care: 5 Issues to Consider
Top 5 Strategies Hospitals Use to Protect Patient Data

© Copyright ASC COMMUNICATIONS 2021. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Featured Whitepapers

Featured Webinars