Protect Patient Data

With an increasing number of access points to protected health information under attack, the healthcare industry continues to be plagued by damaging breaches. Just yesterday, CareFirst BlueCross BlueShield announced a hack that compromised the information of more than a million of its members.

Not surprisingly, a Ponemon Institute report released earlier this month found that over 90 percent of healthcare organizations have been breached in the last two years, and these breaches are a growing $6 billion annual epidemic that puts millions of patients and their information at risk. The study, sponsored by security software vendor ID Experts, reveals that most healthcare organizations remain woefully unprepared to address the rapidly evolving cyber threat environment and lack the necessary resources and processes to protect patient data.

With cyber criminals actively targeting healthcare, Rick Kam, president and co-founder of ID Experts, argues that the threats to patient data have never been more significant. However, as chair of the PHI Protection Network, a cross-industry collaboration of vendors formed to expedite the adoption of PHI best practices, Kam also believes that there are some critical strategies healthcare organizations can employ to protect patient information.

“Probably the best place to start is really to do a risk assessment,” says Kam. “It needs to be front and center as the starting point to help decide and prioritize where, for the most part, a minimal IT security budget might be allocated. What the risk assessment will do is identify those assets and systems where PHI lives.” He views this as an inventory of where an organization’s patient information is stored, not only internally within a hospital or clinic but also with external business associates and partners involved in managing that data.

Specifically, the PHI Protection Network recommends 10 steps necessary to protect patient data: 

Demand organizational leadership engagement. Workforce training and safeguards alone will not be enough. Organizational leadership must embrace and champion compliance as it would any other component of the organization’s value chain. Leadership must visibly and actively foster a culture of compliance throughout the organization by setting expectations and holding all workforce members accountable to the same standards.

Find and identify your data. Organizations need to know where their data lives, where it travels, and in what form (encrypted, identified, de-identified, etc.). 

Control PHI workflow and minimize necessary access to the workforce. Organizations must find ways to better control PHI workflow within the organization and across external boundaries. This not only includes safeguarding it from impermissible uses and disclosures but also will require integration of HIPAA with other health information protection activities to ensure a single point of control within the organization. 

Assess risks. Organizations must have solid processes in place for assessing risk with new systems, devices, services, and partners, and determine how best to utilize their purchasing power to identify those that don’t meet best security practices. 

Prioritize third-party vendor management. Organizations will need help with third-party vendor management to strengthen oversight and review processes. Minor business associates are particularly vulnerable, as they often lack sufficient resources to devote to security and compliance and are, therefore, more likely to experience a data breach. 

Get proactive. The healthcare industry must take a proactive stance regarding regulations to protect patient health information. Companies that exceed baseline protection requirements will be recognized as industry leaders, and patients will prefer to use their services over others. 

Make privacy an integral part of adopting new technology. New technology is being introduced into the healthcare industry at an increasing pace, with thousands of new health-related mobile applications available this year, along with devices such as Apple Watch and the Internet of Things. However, there is little evidence that patient privacy or security features are being considered. The healthcare industry and its technology service providers need to build privacy into the existing technology they rely on, as well as into how they design, construct, and deliver new tools.

Measure to improve. You can’t manage what you can’t measure. The healthcare industry needs to improve its ability to determine key metrics for continuous measurement and improvement of its security posture.

Look for “non-standard” systems as potential repositories of PHI data. In particular, voicemail systems, customer service call recording systems, and closed-circuit television systems could all potentially be storing PHI, yet they may not be as carefully safeguarded as traditional IT systems such as EHRs and patient billing.

Instill a culture of security. Every employee is a guardian of the customer’s data.

Although employee negligence and lost or stolen devices continue to be primary causes of data breaches, as Kam points out, one of the significant findings of the recent Ponemon Institute report is that criminal attacks are now the leading cause of breaches in healthcare.

While criminal attacks are often referred to as cyber-attacks, they can also include malicious insider threats, according to Kam.

He advises that “instead of trying to protect everything from everyone, the next step is to try to understand better what criminals are doing right now to gain access to data and what is causing the breaches in the type of organization you’re trying to protect.” 

Nathan Wenzler, a certified security administrator and network auditor who works for the IT security firm Thycotic, notes that the security incidents healthcare organizations reported in Ponemon’s study are almost entirely related to the intentional exploitation of technical systems.

These are not accidental missteps resulting in data loss; 78% of survey respondents experienced web-borne malware attacks, 38% cited SQL Injection incidents, and 88% suffered from spear phishing.
