What was this person doing in our data center parking lot, looking around nervously and clicking on her smartphone? Was she just looking for directions or was she scoping out our building to launch a data hack? Although we try to take a light-hearted approach whenever possible, we take data security very seriously, and there was something very odd about this gal’s behavior.
Turns out, the makers of Pokémon Go had placed a “Poké Stop” next door to our data center and corporate headquarters, and this gal was tracking down a virtual critter. We promptly notified the game maker and requested they move the location away from our building.
As a software company that routinely handles protected health information (PHI), we closely follow the HIPAA and HITECH statutes and related Code of Federal Regulations (CFRs), and use the Office of Inspector General’s stringent guidelines that provide guidance on actions we need to take. The OIG guidelines deal with everything from the policies and procedures that should be in place to how to respond to potential privacy or security incidents.
The Office of Civil Rights recently began a second wave of healthcare audits and has been cracking down on companies that suffer data breaches because the financial impacts can be so great. According to the Ponemon Institute, a data breach costs more than $2.2 million for a healthcare organization and more than $1 million for a business associate.
Data security is serious business and should be an integral part of the culture of any business that handles PHI. But that doesn’t mean you should browbeat employees to get your message across. What we’ve learned at Alpha II is to be vigilant, be diligent, be consistent and try to have a little fun while maintaining data privacy and security.
The OIG has identified seven basic elements considered fundamental to any compliance plan. Below you will find how Alpha II addresses each tenet:
Implementing written policies, procedures and standards of conduct. This step is the baseline compliance piece: you have to have a documented and implemented plan. Our plan covers both locations, the data center and the computing environment of our remote employees. It incorproates training, how to handle PHI we receive inadvertently and potential employee sanctions for not complying with our policies.
Designating a compliance officer and compliance committee. At a recent Workgroup for Electronic Data Interchange (WEDI) conference, I heard about a Texas company that was fined $50,000 for not having a compliance officer (aka privacy officer). While there was a compliance officer named on the org chart, no company official could actually name that person.
Designating a compliance officer must be more than lip service. We have a compliance officer at each location, as well as an information security officer (aka security officer) who’s responsible for network security. Even though we work in secure buildings, our compliance officers are actively walking the halls – enforcing policies such as the one where employees are to always lock their computers when they leave their desks. Even our remote employees are required to lock their computers when leaving their desks and have a paper shredder on site.
Conducting effective training and education. In addition to new employee training, we have required annual training for all employees on data privacy and security. Yes, it’s basically the same information every year (with some updates), so while it can get repetitive, we try and make it fun. One year, we gave out pens that looked like maracas with logos for the four main topics: privacy, security, HR and compliance. The presentation was even spiced up with a rap song. We also have weekly all-hands staff meetings (including remote workers) that frequently include privacy and security information.
Developing effective lines of communication. In addition to the weekly meetings, I send friendly security reminders each week. Each email contains articles, security concerns we’ve noticed and other things, but I try and dress them up with clip art and have a little fun with them.
Recently the front door was sticking at my location, which could have been a security issue until maintenance fixed it. So in the meantime, I recommended a buddy system where everyone checked to make sure the door locked properly. I dressed that up with art of an eye in the sky to represent the buddy system.
My contact info is on every reminder, and the contact information of the compliance officers is on the company intranet site should anyone have questions.
Conducting internal monitoring and auditing. You can’t let the day-to-day enforcement of security policies make you lose sight of the need for longer-term monitoring and auditing. We have two accreditations from the Electronic Healthcare Network Accreditation Commission (EHNAC), including: 1) the Data Registry Accreditation Program (DRAP), and 2) the Healthcare Network Accreditation Program (HNAP) that include onsite visits every two years—more frequently when we have sentinel events.
Each year, we review changes in state and federal law that could impact our disaster recovery plan, contingency/continuity plan and risk analysis plan. But we don’t review all plans at the same time. Instead, we have them on a schedule that we try to make fun. For instance, disaster recovery plans are reviewed in October because disasters can be scary like Halloween. For risk assessments, we use a Valentine’s Day theme because love can be risky. And, we review our contingency/continuity plan in July to make sure we don’t have any fireworks going off due to lack of planning.
We plan and run mock scenarios to test our plans, which must be dynamic to reflect not only changes in the industry but also changes within our company.
Enforcing standards through well-publicized disciplinary guidelines. We will terminate employees for failing to adhere to our privacy and security policies, but that’s a drastic measure we’d prefer not to take. We have three levels of sanctions: 1) verbal warning, 2) written warning, and 3) termination, but they don’t necessarily need to follow that order. Depending on the incident, an employee could be terminated on their first offense.
Executive support is so important to our successful efforts to safeguard PHI. During the issue with the sticky entrance door, for example, an email to all employees was followed by a notice to managers to closely monitor the situation and strong support was received.
Responding promptly to detected offenses and undertaking corrective action. We have never experienced a data breach, but we have plans and templates in place should that ever occur. Potential incidents are witnessed very infrequently, but when they occur, it is usually when we receive emailed PHI from clients with patient information such as a Social Security number. We have secure methods to receive sensitive information from clients. Our company policy is to never email PHI.
Receiving PHI through an inappropriate channel sets off a chain of events:
- The sender is notified that PHI was received via email and is asked not to send PHI to support staff in a non-secure manner.
- The email is deleted.
- The deleted file is deleted from the server.
- IT staff ensures the file is gone before the daily data backup.
- The compliance officer at that location is notified, who then notifies the security officer and second compliance officer.
- The incident is logged with the date/time that PHI was received, along with other details and how the risk was mitigated.
The OIG looks for dynamic data security plans that get reviewed and tested, not those that sit on shelves. Although no company can anticipate every possible data security or privacy event, effective, continual education goes a long way toward creating a security-first mindset among your employees and managers.
And having a little fun with it certainly can help, especially when those pesky virtual creatures invade your parking lot!