PGP INSIGHT
Montrose Memorial Hospital: Safeguarding electronic patient information exchanges

Summary
A community-based health care provider in rural Colorado, Montrose Memorial Hospital has a strong tradition of protecting confidential patient information. The increasing use of email as a communications medium plus the advent of regulations such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) regarding the need to protect electronic patient information prompted the hospital to look for an email encryption solution to facilitate business processes while helping ensure regulatory compliance.
PGP Solution
- PGP Universal™ Gateway Email
Customer Profile
- A full-service regional health care system with 550 employees in the hospital & two satellite clinics
- Managed by Quorum Health Resources, which manages 300 hospitals in 43 states
- A member of the American Hospital Association, the Colorado Hospital Association, & the Association of Western Hospitals
- Accredited by the Joint Commission on Accreditation of Healthcare Organizations
Key Issues
- To comply with HIPAA requirements regarding the need to secure electronic patient information in transit & storage
- To use email for document sharing, thereby facilitating patient diagnosis, treatment, & management
- To safeguard sensitive financial & corporate information exchanged with partners & third-party providers
PGP Advantages
- A network-based architecture that moves security tools off the desktop, centralizing management & reducing administrative overhead
- Flexible & scalable, enabling policies to be set by domain or even by user
- Does not require recipients of secure emails to purchase or install any hardware or software
Background
Protecting confidential patient information is something the health care industry has done well for many years. "With the advent of regulations like HIPAA, industry champions such as the American Medical Association have begun to promote best practices," explains Bill McClelland, Montrose Memorial's IT director. "We as an industry are adopting protocols that will take advantage of technologies to ensure patient information remains confidential."
As a full-service health care system, the hospital's primary business focus is on the delivery of patient care, which generates a lot of personally identifiable information. Currently, the staff uses fax or postal mail to exchange confidential information about patients, billing, or insurance. Diagnoses and treatment plans are typically exchanged during face-to-face meetings or by telephone.
The hospital also needs to secure customary financial and business information about the organization itself. "If we need to communicate with our attorneys or auditors, for example, that information needs to be secure as well," says McClelland. "In the future, we can email such information if we can do so using a mechanism that keeps it confidential, secure, and protected."
Solutions Considered
The IT Director began looking for an email solution that offered secure messaging that would either replace the hospital's Microsoft Exchange Server or function as an add-on component. "I did a lot of investigatory research and quickly realized that adding a layer on top of our existing email environment was the best approach," he says.
He explored appliances that provided gateway, firewall, anti-virus, and encryption, but was inclined to look for a best-of-breed solution rather than an all-in-one product. Partly because of brand recognition, he began looking for a solution that was similar to PGP® technology.
He considered two email encryption products, a subscription-based solution, and WinZip (password-protected file compression), but none offered the flexibility and ease of use he needed. PGP Universal Gateway Email met the IT Director's requirements for an affordable solution with automatic, two-way policy enforcement and centralized administration. "Most folks are familiar with PGP and comfortable with its tool set," he adds.
Why PGP Universal
"The pace at which the health care industry moves is probably much quicker than other industries," explains McClelland. "Everything is based on patient care needs and outcomes, whether it's purchasing technology, negotiating new contracts, or exchanging information with an insurance company."
McClelland wanted to begin proactively developing policies and implementing technologies to help manage the flow of information, which he saw increasing exponentially. Email use was becoming more pervasive, with the staff generating between 8,000 and 10,000 messages per day. "The hospital wasn't using email to transmit confidential data, however, so it was difficult to justify implementing secure messaging without knowing how effectively we'd use it," says McClelland. "I was looking for a best-of-breed solution and knew PGP was the de facto standard for encryption technology. Choosing PGP Universal from an industry-recognized name will help with the adoption of our secure-messaging strategy in the future."
PGP Competitive Advantages
According to McClelland, the hospital's radiologists take turns being on-call so someone is available 24x7 to respond to medical emergencies. Once the staff x-rays a patient, they digitize the image, and then transfer it through a virtual private network (VPN) session to the on-call radiologist. Currently, radiologists read films, provide an interpretation by phone to the attending physician, and document their findings in a written report.
"The key issue is how to get those reports to the ER physician in near-real-time," McClelland explains. The situation becomes more critical for patients treated at the satellite clinics, which are 60 miles from the hospital. "Email clearly becomes a very valuable delivery mechanism. PGP Universal will facilitate patient care by making the confidential patient information doctors need available more quickly, and doing so securely."
Deployment Plans
The hospital's IT Director describes his secure-messaging vision as "slow and steady" deployment. He plans to take a systematic rather than an all-or-nothing approach. "We'll start with those areas that have an identified need to share patient information but are currently not allowed to do so via email." He will then add domains based on the hierarchy of email traffic he envisions for the future.
McClelland also plans to roll out PGP Universal™ Satellite to the hospital's business partners. In the past, Montrose Memorial used each partner's existing security technology (PGP® solutions or WinZip with password protection) to encrypt everything it sent to them. Now, the IT Director will explore supplementing or replacing these existing methodologies with PGP Universal Gateway Email.
"The health care industry is adopting protocols that will take advantage of technologies to ensure patient information remains confidential. PGP Universal™ Gateway Email provides the mechanism to protect that information via secure messaging exchanges."
- Bill McClelland, IT Director, Montrose Memorial Hospital