5 things you can do now to increase patient data security
September 19, 2013
By Derek Brost
This will come as no surprise, though it’s hard to admit: Most U.S. hospitals are currently failing at electronic health data security. Despite the threat of multi-million-dollar fines and even jail time for HIPAA violations, hospital executives are still hesitant to invest financial and human resources in data security because there’s just no clear ROI. Many times, security is seen as a cost-avoidance strategy or “just” an IT function, rather than a necessary factor for growth.
In reality, hospitals that treat data security as a low priority are putting themselves and their patients at high risk for considerable personal and organizational fallout that will take a far greater investment of time, money and expertise to clean up. Aside from the HIPAA crackdown and the penalties that follow it, data breaches invariably snowball into patient care disruption, corrective mandates and a public-relations black eye. Patients, in turn, are particularly vulnerable to stolen identities, ruined credit scores, delayed or even incorrect diagnosis as byproducts of a data breach. In any event, it’s a steep and expensive climb to recovery.
If your hospital is guilty of neglecting data security, I’m not here to condemn or blame. It’s a complex topic, full of rules and regulations, and it’s tough to know where to begin to make changes. The following are strategies you can employ right now to increase your patient data security, at little to no cost:
1) Increase awareness and accountability throughout your organization.
If your organization lacks a program focused on electronic and medical device data security, now is the time to start one. Appoint a leader whose job will be to know the HIPAA Security Rule requirements and your organization’s responsibilities based on those requirements. In fact, having a privacy officer and HIPAA security officer is mandated under current HIPAA rules (though note, these two roles can be combined under one person). This will likely be someone already in the organization (legally, this role cannot be outsourced), and ideally someone with some clinical expertise in addition to business, informatics and/or legal know-how. As I previously mentioned, many times security is pushed off to an organization’s IT/IS group, but it doesn’t have to fall there.
Once you have your privacy/HIPAA security lead in place, give that person the authority to make organizational changes. This might mean they have their own budget, or it could mean they now report to executive management. Don’t make this person a figurehead: Give them the tools, training and title they need to be effective.
2) Create or strengthen your organization’s policies and procedures around data security.
Under current HIPAA regulations, your organization must have policies and procedures in place around electronic data security. In fact, if you were audited, the very first thing the auditor would ask for is your policies and procedures document. You may currently have these, but are they being followed? Are new employees trained in these policies? More importantly, is executive management trained in these policies? Make sure everyone understands their responsibility when it comes to data security, and the potential consequences of their neglect. The only thing worse than having no policy is having a policy you don’t follow.
When crafting or updating your security and privacy policies, it’s important to consider “addressable” vs. “required” specifications, meaning those requiring appropriate assessment and safeguards, and mandatory implementations as stated in the HIPAA Security Rule, respectively. Despite all the talk about encryption recently, it’s not the silver bullet for preventing breaches. Encryption is an “addressable” standard, meaning each hospital should address its applicability to them, taking into account factors like size, possibility of a breach and value of risk associated with a breach. Then decide whether it should be addressed by your hospital. You may have heard of different levels of encryption: 256-bit vs. 128-bit vs. 64-bit (the higher the number, the harder it is to break the code). Some hospitals write 256-bit encryption into their privacy policies when the HIPAA statutes may require far less. Don’t impose impossibly strict self regulation when your privacy policies are adequate at a lower level. If a breach occurs, HIPAA officials may judge your institution based on your own policies if they’re stricter than federal requirements.
3) Know what information is stored in your hospital, and be able to access it.
Back in the day, hospitals had a room (or rooms) full of patient charts. It was easy to identify where the records should be, where they could have moved to, how they were kept secure (usually by locking a door!) and who touched them. Now with most large health systems moving toward electronic medical records (EMRs), keeping patient records secure is a little trickier. A HIPAA auditor would want to see all of your various systems and devices that store electronic protected health information (ePHI), including patients’ EMRs and anyone who has access to them. The HIPAA Security Rule states that any new system entering the building with patient information must be itemized, and the same goes for any equipment leaving the building. You may keep track on a database, or in a spreadsheet — it really doesn’t matter as long as it’s auditable.
What about equipment storing ePHI that’s being retired? Someone in the organization had better make sure that the equipment’s hard drive is destroyed. Even if you’re unsure whether the device contains ePHI, it’s still best to play it safe and have it destroyed. There are companies you can partner with that will erase hard drives onsite, and give you records for a potential HIPAA audit. This is actually a fairly inexpensive option compared to doing it yourself, which would require hiring staff and getting the necessary equipment.
4) Put Business Associate Agreements (BAA) in place with all of your vendors.
With dozens or hundreds of vendors coming in and out of your organization to service equipment, make deliveries and more, chances are that they’ll come in contact with your ePHI and, if you’re not careful, potentially trigger a data breach. The HIPAA Security Rule states that you must have a Business Associate Agreement (BAA) in place with every single vendor that may be exposed to ePHI. A BAA ensures that your vendor will follow your policies and procedures, or have equal ones of their own. Now, if a data breach occurs because of the actions of a business associate, the hospital is still liable, but it may be able to sue the vendor for damages. More than anything, it’s a safeguard that your vendors care as much about protecting ePHI and sensitive patient information as you do. If you come across a vendor who’s not willing to sign a BAA, they’re likely not worth your time, money and risk.
5) Understand the best practices of peers.
One of the main frustrations with the HIPAA Security Rule is that it’s not prescriptive. Life would be easier if it came with step-by-step instructions, instead of vague statements about requirements. Some hospitals make the mistake of creating their own processes and definitions, which won’t cut it with a HIPAA auditor. Instead, seek to understand industry best practices so you can ensure your hospital’s policies are in line with those around you. In order to do this, attend conferences, seminars and local networking events, read trade publications or look for specific information online.
Adopting these practices will go a long way in strengthening your arsenal and shielding your organization from data security risks.
About the author: Derek Brost is the Chief Security Officer of eProtex, the nation’s first data security company specializing in the hidden risks of connected medical devices.
This will come as no surprise, though it’s hard to admit: Most U.S. hospitals are currently failing at electronic health data security. Despite the threat of multi-million-dollar fines and even jail time for HIPAA violations, hospital executives are still hesitant to invest financial and human resources in data security because there’s just no clear ROI. Many times, security is seen as a cost-avoidance strategy or “just” an IT function, rather than a necessary factor for growth.
In reality, hospitals that treat data security as a low priority are putting themselves and their patients at high risk for considerable personal and organizational fallout that will take a far greater investment of time, money and expertise to clean up. Aside from the HIPAA crackdown and the penalties that follow it, data breaches invariably snowball into patient care disruption, corrective mandates and a public-relations black eye. Patients, in turn, are particularly vulnerable to stolen identities, ruined credit scores, delayed or even incorrect diagnosis as byproducts of a data breach. In any event, it’s a steep and expensive climb to recovery.
If your hospital is guilty of neglecting data security, I’m not here to condemn or blame. It’s a complex topic, full of rules and regulations, and it’s tough to know where to begin to make changes. The following are strategies you can employ right now to increase your patient data security, at little to no cost:
1) Increase awareness and accountability throughout your organization.
If your organization lacks a program focused on electronic and medical device data security, now is the time to start one. Appoint a leader whose job will be to know the HIPAA Security Rule requirements and your organization’s responsibilities based on those requirements. In fact, having a privacy officer and HIPAA security officer is mandated under current HIPAA rules (though note, these two roles can be combined under one person). This will likely be someone already in the organization (legally, this role cannot be outsourced), and ideally someone with some clinical expertise in addition to business, informatics and/or legal know-how. As I previously mentioned, many times security is pushed off to an organization’s IT/IS group, but it doesn’t have to fall there.
Once you have your privacy/HIPAA security lead in place, give that person the authority to make organizational changes. This might mean they have their own budget, or it could mean they now report to executive management. Don’t make this person a figurehead: Give them the tools, training and title they need to be effective.
2) Create or strengthen your organization’s policies and procedures around data security.
Under current HIPAA regulations, your organization must have policies and procedures in place around electronic data security. In fact, if you were audited, the very first thing the auditor would ask for is your policies and procedures document. You may currently have these, but are they being followed? Are new employees trained in these policies? More importantly, is executive management trained in these policies? Make sure everyone understands their responsibility when it comes to data security, and the potential consequences of their neglect. The only thing worse than having no policy is having a policy you don’t follow.
When crafting or updating your security and privacy policies, it’s important to consider “addressable” vs. “required” specifications, meaning those requiring appropriate assessment and safeguards, and mandatory implementations as stated in the HIPAA Security Rule, respectively. Despite all the talk about encryption recently, it’s not the silver bullet for preventing breaches. Encryption is an “addressable” standard, meaning each hospital should address its applicability to them, taking into account factors like size, possibility of a breach and value of risk associated with a breach. Then decide whether it should be addressed by your hospital. You may have heard of different levels of encryption: 256-bit vs. 128-bit vs. 64-bit (the higher the number, the harder it is to break the code). Some hospitals write 256-bit encryption into their privacy policies when the HIPAA statutes may require far less. Don’t impose impossibly strict self regulation when your privacy policies are adequate at a lower level. If a breach occurs, HIPAA officials may judge your institution based on your own policies if they’re stricter than federal requirements.
3) Know what information is stored in your hospital, and be able to access it.
Back in the day, hospitals had a room (or rooms) full of patient charts. It was easy to identify where the records should be, where they could have moved to, how they were kept secure (usually by locking a door!) and who touched them. Now with most large health systems moving toward electronic medical records (EMRs), keeping patient records secure is a little trickier. A HIPAA auditor would want to see all of your various systems and devices that store electronic protected health information (ePHI), including patients’ EMRs and anyone who has access to them. The HIPAA Security Rule states that any new system entering the building with patient information must be itemized, and the same goes for any equipment leaving the building. You may keep track on a database, or in a spreadsheet — it really doesn’t matter as long as it’s auditable.
What about equipment storing ePHI that’s being retired? Someone in the organization had better make sure that the equipment’s hard drive is destroyed. Even if you’re unsure whether the device contains ePHI, it’s still best to play it safe and have it destroyed. There are companies you can partner with that will erase hard drives onsite, and give you records for a potential HIPAA audit. This is actually a fairly inexpensive option compared to doing it yourself, which would require hiring staff and getting the necessary equipment.
4) Put Business Associate Agreements (BAA) in place with all of your vendors.
With dozens or hundreds of vendors coming in and out of your organization to service equipment, make deliveries and more, chances are that they’ll come in contact with your ePHI and, if you’re not careful, potentially trigger a data breach. The HIPAA Security Rule states that you must have a Business Associate Agreement (BAA) in place with every single vendor that may be exposed to ePHI. A BAA ensures that your vendor will follow your policies and procedures, or have equal ones of their own. Now, if a data breach occurs because of the actions of a business associate, the hospital is still liable, but it may be able to sue the vendor for damages. More than anything, it’s a safeguard that your vendors care as much about protecting ePHI and sensitive patient information as you do. If you come across a vendor who’s not willing to sign a BAA, they’re likely not worth your time, money and risk.
5) Understand the best practices of peers.
One of the main frustrations with the HIPAA Security Rule is that it’s not prescriptive. Life would be easier if it came with step-by-step instructions, instead of vague statements about requirements. Some hospitals make the mistake of creating their own processes and definitions, which won’t cut it with a HIPAA auditor. Instead, seek to understand industry best practices so you can ensure your hospital’s policies are in line with those around you. In order to do this, attend conferences, seminars and local networking events, read trade publications or look for specific information online.
Adopting these practices will go a long way in strengthening your arsenal and shielding your organization from data security risks.
About the author: Derek Brost is the Chief Security Officer of eProtex, the nation’s first data security company specializing in the hidden risks of connected medical devices.