In 2011, we saw a huge increase in the number of major breaches of Protected Health Information (PHI) due to the loss or theft of unencrypted devices. The largest of these breaches was experienced by Sutter Health of California, which suffered the theft of a computer containing more than four million patient records. The data for about 3.3 million of these patients included their names, addresses, dates of birth, phone numbers and email addresses. The remaining 943,000 records also contained medical diagnoses and services provided.
With such a huge risk of data loss from just one end-user device, it may be a good time to reevaluate the client/server infrastructure in the offices of healthcare providers.
Server-based computing has been around seemingly forever. Anyone who has ever interacted with a "terminal" or "green screen" has used server-based computing. There was no data processing or storage on the end-user device; it was all handled by the server on the other end of the connection.
The advent of PC-based computing, especially in private physician practices, came about largely because end users needed more functionality than a terminal alone could provide, and also because it became increasingly difficult to purchase replacements for failed devices. Unfortunately, the adoption of PCs in medical practices has contributed heavily to the decline in the overall security of patient information.
Server-based computing can really be thought of as a "remote desktop." The desktop that you are interacting with is actually hosted on another system in a remote location. Depending on the type of system that is implemented, the desktop will provide the end user with either dedicated or shared computing resources such as memory, processor and storage.
The traditional server-based computing systems from Citrix and Microsoft are systems that share computing resources among the connected users. Because of limited server resources and the need for high availability, these systems provide end users with limited customization, and system maintenance can affect a large number of those users.
A growing technology, VDI or Virtual Desktop, is another type of server-based computing system that provides dedicated computing resources to the end user. This means that a user is provided with a remote desktop session into a dedicated operating system with dedicated processor, memory and storage. With the resources being dedicated, the user has the ability to make customizations that would not be possible on a shared resource system. Any issues with the system that require troubleshooting by the IT staff affect only that end user and no one else, as this is an isolated system.
This solution helps fulfill some of the regulatory requirements for data security because:
- The centralized data processing and storage capability allows end users to use "thin" devices that are not capable of data storage. This removes the possibility that patient information can be accidentally or maliciously stored on an end user device.
- The server-based computing infrastructure is in a central location (main office, datacenter, etc.) so the physical access to these systems is limited.
Learn more about cloudSHIFT℠ Desktop – virtual desktop services from mindSHIFT Technologies
For more information on ePHI, read my previous post: "Do you know where your ePHI is?"
Chris Cline is a Senior Sales Engineer at mindSHIFT Technologies, Inc., based in our Morrisville, NC office.