The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses.  The virus was active from May 15 to 29 before it was detected and removed.

AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.

Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software, says the Commissioner.

The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information.

With approximately 320 employees, the CareCenter provides care for some 500 terminally ill patients across 13 counties. The organization maintains close ties with local communities and offers grief counseling to any resident in the area, frequently working with children struggling to cope with bereavement. In mid 2007, the CareCenter decided to move to an electronic medical records system (EMR) that would enable its approximate 120 nurses, social workers and chaplains to use laptops to access the patient database, enter data in real time, and see the most up to date information on each individual patient as they move from home to home.

The overriding concern of the CareCenter was to secure the system to ensure compliance with HIPAA regulations and maintain patient confidentiality. They turned to Secure Designs (SDI), their managed security services provider for more than seven years, to find the most efficient yet simple way to effect the change.

Guided by SDI’s Chief Technology Officer Ron Culler, the CareCenter decided to implement a user friendly secure remote access system based on the SSL-VPN 2000 appliance with NetExtender from SonicWALL (Nasdaq: SNWL). At the heart of the network are SonicWALL PRO Series firewall appliances, paired to ensure redundancy and continual uptime. The CareCenter’s remote offices are connected via TZ 180 small office appliances. The entire security network is monitored and managed from SDI’s network operations center in Greensboro, NC.

Troy Chappell, Network Administrator at the CareCenter, oversaw the project and championed the adoption of a new IT-aware mindset among nursing and other staff. “It was a great implementation,” he commented. “There was not one hiccup with the SonicWALL system. The system has been fault free for a year and a half and we haven’t had to touch it since then. The SDI team takes care of monitoring and maintenance of the SonicWALL systems, so I don’t need to worry about those issues.”

Learning curve
Chappell added, “The initial learning curve was a challenge for some of the clinical staff. Some of our clinical people were not technically oriented. Luckily, the SonicWALL SSL-VPN with NetExtender is a very easy solution. After getting the staff set up the first time, there has been no problem. ”

Chappell and his staff addressed the issue of training by working with small groups over a period of 9 months. The IT training focused on helping staff to understand practices such as basic laptop usage, login procedures, security protocols, remote connection, patient database usage and synchronization.

Benefits
For the first 90 days after training, remote workers were required to come into the office every day to sync their assessments. This allowed management to check that procedures were being followed correctly. Clinical staff were then trained and allowed to synchronize remotely. The EMR system is now delivering real benefits to the organization, its staff and especially to the patients.

Kathy Cecil, Vice President of Finance and Operations for the CareCenter, explained, “We are achieving savings on printing, copying and mileage costs. Prior to the EMR project, paperwork had to be filed in the patient’s chart after staff returned their information to the office. Time sheets were filled out manually by clinical staff and data entry done by an administrative person. Our new EMR provides us with near-real time data and we are far more efficient, since assessments and time sheets are all completed electronically and synchronized throughout the day.”

Staff have benefited from the additional flexibility in their schedules, which has improved clinical satisfaction and retention. Seamless transfer of knowledge between Hospice staff has proved very popular with patients and their families. The benefits of the system are especially evident when an accelerating case calls for rapid medication and dosage changes and clinical staff have access to up to date information readily available.

“We believe this has put us ahead of the curve,” said Cecil. “Regulations will require electronic documentation in the near future and we are already there.” Another benefit has been the ease of auditing the clinical documentation for both internal sources and external regulatory bodies. Hard charts are still maintained for paperwork requiring original signatures or copies of pertinent information from outside medical facilities. All other clinical information is secured in the patient data base system.

For Troy Chappell, the IT challenges of the project have been eased by SDI’s technical expertise and hands-on approach. He commented, “They worked with us through the project, found answers to our questions, and made adjustments promptly. Post-implementation has been very smooth. SDI’s monitoring spots problems before we know they exist and helps us avoid downtime. By being proactive themselves, SDI has helped us stay proactive too.”