I recently talked about HIPAA and HITECH compliance and how application and desktop virtualization can be an effective means for protecting against security breaches.

Today, I came across a whitepaper by another vendor that speaks about some of the same challenges and it struck me that there is still confusion between Security Breaches and Privacy Breaches.

The author opens by citing privacy breaches in the healthcare industry (improper access to “Octomom’s” medical records, and doctors improperly accessing celebrity patient records at UCLA), but then proceeds to describe solutions that prevent only security breaches, not privacy breaches.

Privacy breaches occur when properly authenticated and authorized users look at a patient record that they have no business looking at… at least not at the time when they are looking at it. For example, a doctor pulls up a record (celebrity, athlete, their neighbor’s kid etc.) to review information although they are not treating the patient at the time. This is a privacy breach that may have to be disclosed under HITECH. The same user may have a perfectly legitimate reason to pull up the same record and review the same information a week later when the patient is coming in for a visit, in which case the access would not constitute a privacy breach.

Preventing security breaches can be accomplished through two-factor authentication at the workstation, locking terminals to prevent improper viewing of data, and other authentication and authorization approaches for clinical users and database administrators, who sometimes have direct access to the raw data. The latter would be important to prevent privacy breaches, but it is more difficult to accomplish. Even the implementation of access logging mechanisms alone cannot stop all technical personnel with the right kind of low-level access from circumventing the logging layer and going straight to the data.

So, the vendor of the whitepaper I mentioned earlier states the HITECH problem correctly, but positions authentication and authorization solutions that only protect against security breaches, which is necessary but not sufficient.

Now, here’s a thought:
One healthcare organization spoke at HIMSS 2010 about leveraging sophisticated data mining techniques to flag improper access by otherwise authorized clinical staff.

If the Electronic Medical Record application is delivered via Citrix XenApp, organizations can use the Smart Auditor feature to review recorded user sessions to verify user behavior. This could even be employed to watch the technical IT staff by presenting the terminal emulator windows they use to go to the heart of the data exclusively over XenApp. Given that one would not be able to review the sessions of thousands of users, this would need to be implemented in conjunction with data mining of the logs to flag suspicious data access. Yes, it sounds like “big brother is watching you”, but the mere knowledge that any system interactions are recorded at the user session level will provide an additional deterrent to privacy breaches by employees.
This is another way that virtualization techniques support data security and patient privacy.
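
A minimal sketch of the log mining described above: it flags record access by an authenticated user who has no encounter with that patient near the time of access. This is an added example, not code from the healthcare organization or from Citrix; the log layout, user names, sample data and the 24-hour window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
# Encounters: (clinician, patient_id, scheduled visit time)
ENCOUNTERS = [
    ("dr_adams", "P100", datetime(2010, 3, 15, 10, 0)),
    ("dr_baker", "P200", datetime(2010, 3, 9, 14, 0)),
]

# EMR access log: (timestamp, user, patient_id)
ACCESS_LOG = [
    (datetime(2010, 3, 8, 9, 30), "dr_adams", "P100"),   # a week before the visit
    (datetime(2010, 3, 15, 9, 45), "dr_adams", "P100"),  # just before the visit
    (datetime(2010, 3, 9, 16, 0), "dr_baker", "P200"),   # charting after the visit
    (datetime(2010, 3, 9, 16, 5), "dr_baker", "P100"),   # no encounter with P100
]

# Assumed policy: access is expected within this window around an encounter.
WINDOW = timedelta(hours=24)


def flag_suspicious(access_log, encounters, window=WINDOW):
    """Return accesses by authenticated users that have no encounter with the
    patient inside the window. These are review candidates, not verdicts."""
    by_pair = {}
    for clinician, patient, when in encounters:
        by_pair.setdefault((clinician, patient), []).append(when)

    flagged = []
    for ts, user, patient in access_log:
        visits = by_pair.get((user, patient), [])
        if not visits:
            flagged.append((ts, user, patient, "no treatment relationship"))
        elif all(abs(ts - v) > window for v in visits):
            flagged.append((ts, user, patient, "outside encounter window"))
    return flagged


if __name__ == "__main__":
    for ts, user, patient, reason in flag_suspicious(ACCESS_LOG, ENCOUNTERS):
        print(f"{ts:%Y-%m-%d %H:%M} {user} -> {patient}: {reason}")
```

The same user and record pass the check at visit time and are flagged a week earlier, which is the distinction between a privacy breach and legitimate access drawn above. The flagged entries are the ones worth pulling up as recorded sessions for review.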

Please share your thoughts and comments.

Florian Becker

Follow me on twitter @florianbecker