HIPAA rules expect health organizations to protect and secure a wide variety of personal data
The healthcare industry has a data breach problem. In a recent study conducted by the Ponemon Institute, only 12% of organizations surveyed were able to say they had not experienced a data breach that required notification in the previous 24 months. Practical and affordable approaches to mitigating the risk of a data breach are possible for companies of nearly any size, assuming that leadership supports the effort and communicates an expectation of compliance across all levels of the organization.
An information security program begins with knowing where important data resides, how it is replicated, and how it migrates into, through and out of your organization. Just like any other asset, you have to know what you have and where it is in order to protect it. Also, it’s important to include the Personally Identifiable Information (PII) and Protected Health Information (PHI) that may be entrusted to third-party vendors for billing, processing and other tasks.
Once you have an inventory of your information assets, you can begin to understand how your organization is vulnerable to a data breach. It’s possible to conduct a risk assessment with an eye toward exposures to data theft and loss.
Remember that sensitive data exists in both physical and digital formats. To pull together the most comprehensive picture of the current landscape, don’t limit this process to your IT or records management staff. Talk with clinicians, administrative personnel, marketing and operations: anyone who connects to your network and accesses or receives sensitive data.
One of the most effective, no-cost tools for identifying data risks is to simply walk around the organization’s building and offices with a keen eye to observe data that may be exposed. Conduct a periodic check of how computer media (hard drives, copiers, backup tapes, etc.) and paper records, including containers labeled with patient names, are disposed of.
Such a walk-through is often a reminder of the sensitive data that gets exposed through a simple lack of awareness or attention. Healthcare facilities often focus solely on protecting patients’ PHI. They may neglect large volumes of PII or Personal Financial Information (PFI) belonging to patients and medical staff. Payment Card Industry (PCI) data contractually requires specific security measures.
An experienced consultant and the right technology can help save time and costs by helping you home in on what is important and using automation to identify sensitive or protected data.
Take care to avoid mixing inventory and corrective efforts, which can lead to delays. Keep the project’s momentum by focusing first on creating the inventory of sensitive or protected data sets and their locations. Consider how and where they can proliferate and migrate.
Then from that perspective, design a customized, prioritized corrective plan. If your project team tries to address each gap as it is discovered, it is likely the assessment will lose focus and momentum, and the project will ultimately go unfinished.
Common vulnerabilities exist across the healthcare sector, so pay particular attention to these while assessing your risk areas. Mobile devices are one example of prime exposure points. They can store large amounts of PHI, they sometimes transmit sensitive data through potentially unsecured networks such as a local coffee shop’s or an employee’s home Wi-Fi, and personal devices are often outside the tight controls IT and security put around other corporate technology assets.
Remember to also include laptops, tablets and employee remote access in any mobile device review. Another exposure point is physical patient records that are in the process of being digitized into electronic medical records.
The processes and execution around the combination of collecting, scanning, and disposing of the physical records can be a major risk exposure that does not receive a commensurate level of oversight. This process often introduces temporary employees and third-party vendors working under limited supervision to significant volumes of sensitive data. In the absence of appropriate controls, this data is exposed to improper handling, loss, and potential criminal compromise.
As you work to improve your systems and processes, be sure to evaluate any external partnerships entrusted with your information assets and patient information.
Even well-known service providers have been caught using default passwords. These default account credentials or abandoned employee network account IDs can create backdoor access to your network that even a novice hacker could exploit.
This is just one example of the many exposures seen when using third-party providers for services that require network access or the exchange of sensitive or protected information. If your organization relies on outside providers or utilizes a managed information technology service, the information security policies and procedures for these services should be reviewed by an independent party to ensure the policies are adequate and followed in practice.
Business associates, which under the new omnibus rule include subcontractors, previously did not need to be aware of HIPAA requirements. Now they must follow the entire HIPAA Security Rule. The newly announced changes also include subcontractors used by subcontractors.
Many of the service providers have limited previous experience and knowledge of HIPAA requirements because they were insulated prior to this year from the requirements. As a result, they are unlikely to have the personnel, protocols and systems in place to be compliant in short order. All healthcare providers should be aware that they bear risk of noncompliance under these circumstances. The risk does not simply transfer to the service provider.
Once you have identified where your data protection strategy holds risk, evaluate the probability and potential impact of each risk. Prioritize the steps toward remediation so they may be planned within schedule and budget limitations.
Remediation plans must be carefully created to not disrupt the employees or business processes. The best plans quickly fall apart when ignored by employees, so after each change that is implemented, conduct a review to see that the changes were adopted as anticipated and have had the desired outcome. If that’s not the case, regroup and institute an alternative to reach the goal.
Employee training is an important component of your data risk management plan. Training employees on security best practices doesn’t have to be difficult, even in busy healthcare organizations where patient-focused activities are the priority. The most effective training isn’t the annual PowerPoint presentation that is quickly forgotten.
An interactive approach works best, one that delivers information when the employee is actually performing the function that requires attention to security. The payoff for a truly effective training program can be significant in terms of reduced exposure to a data breach. Finally, an overall information security program must have support from leadership and management. Management must model the desired behavior to convey the importance of protecting patient information to everyone, from the newest employee to the most seasoned leader. It is imperative that leadership communicates expectations, walks the talk and enforces policies.
Deena Coffman is Chief Executive Officer of IDT911 Consulting and the Information Security Officer for Identity Theft 911