Data security: Questions every healthcare organization should be asking
Data security issues are becoming a greater and greater concern for healthcare entities. Healthcare data is one of the most valuable types of data on the black market, and healthcare organizations are increasingly being victimized by hackers who want that data. At the same time, the potential liabilities for healthcare organizations are also increasing. Government agencies at both the state and federal levels have actively been imposing penalties under HIPAA and state privacy and security laws, and private persons have started regularly bringing individual and class action lawsuits seeking damages for breaches even when no actual damages are known. Even if you exclude potential fines and penalties, the costs of handling a breach alone can easily exceed $100,000.
To mitigate these risks, healthcare providers should ask themselves several critical questions:
What information do we store and where do we store it?
It is impossible to secure information that you don’t even know exists. In today’s complex technology environments, data resides in many different locations. There are obvious locations such as electronic health records and payment systems, but there are many other common locations in a healthcare organization. For example, many items of medical equipment, such as imaging equipment and medication dispensing units, can retain sensitive, identifiable information that must be protected and disposed of properly. Copy machines are another common repository of sensitive information that is often overlooked. It is also important to be aware of which third parties may have access to the healthcare organization’s information and to take appropriate steps to ensure that the information remains safeguarded in the third party’s hands.
As an initial step in this regard, healthcare organizations should map out the flow of data inside and outside the organization. The organization should then identify all places that the information resides and all systems utilized to transmit the information. Special attention should be paid to locations and systems that maintain and/or transmit protected health information under HIPAA. Once all of the locations have been identified, the organization should work closely with its IT staff to implement appropriate safeguards for the information.
How would our workforce respond to a phishing attack?
A common method of obtaining information from healthcare organizations is for hackers to send “phishing” emails to members of the organization’s workforce that purport to be from an internal source and request that the workforce member provide his/her system login credentials. Once the hacker has those credentials, he/she can move freely about the organization’s information systems and obtain large amounts of sensitive information in a short time. Because the hackers access the system through legitimate credentials, they are often able to do a lot of damage before they are ever detected.
The key to avoiding a successful phishing attack is to establish policies and procedures that clearly define the limited instances in which a workforce member may provide his/her credentials or click on hyperlinks in email messages. Then, the organization must effectively train and continually retrain the workforce on those policies and procedures. Organizations also should consider controlled testing of workforce compliance with these policies and procedures through social engineering, where the organization creates a fake phishing attack to identify employees that may need additional focused training or reminders on these matters.
How will our organization react when a breach occurs?
For healthcare organizations today, the question is not if a breach will occur but when. It is thus essential for such organizations to be ready to act immediately upon learning of a breach. In these situations, healthcare organizations do not have the luxury of time. There are internal pressures to identify the cause of the breach, stop it and mitigate any potential damages arising from it. There are also external pressures from state and federal breach notification laws that require notice of a breach within a short time of becoming aware of it, sometimes within as little as 72 hours. Healthcare organizations should do as much in advance as possible to make themselves more agile and responsive when a breach actually occurs.
One key advance step is to prepare a breach response plan that sets forth the procedures that the organization will follow when it becomes aware of a potential breach. A thorough plan will address a variety of aspects, including investigation, mitigation and communication. The healthcare organization also should identify an internal breach response team that will be responsible for implementing the breach response plan. That team should not be too big but should at least include representatives from administration, IT, privacy/compliance, public relations and legal. The healthcare organization also should identify the external resources that it will utilize in response to a breach. Outside resources may include IT forensics firms, outside legal counsel, mailing and call center vendors and insurance companies. Healthcare organizations should involve outside resources as soon as possible so that the organization does not take actions that could compromise important analysis or assistance that an external resource could provide.
Once a healthcare organization has developed a breach response plan and identified its internal and external team members, it would be beneficial to prepare for a breach by engaging in a breach simulation activity. These tabletop exercises can help an organization identify any deficiencies in its plan and help define every participant’s role so that the process will go smoothly when an actual event occurs.
How would our organization fare in a HIPAA audit?
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is scheduled to begin a full-time audit program of HIPAA-covered entities and business associates in 2015. OCR conducted a round of pilot audits and generally found that covered entities consistently were not meeting the requirements of HIPAA and particularly the HIPAA Security Rule. The full-time audits will assess compliance with the HIPAA Privacy, Security and Breach Notification rules in detail. The audits are not intended to be punitive in nature, but it is possible that OCR could impose penalties against a healthcare organization that is found through an audit to be noncompliant with HIPAA. It is thus important for healthcare organizations to take steps to prepare for an OCR HIPAA audit.
One way to prepare is to conduct a mock HIPAA audit utilizing the OCR audit protocol. Through a mock audit, the healthcare organization can not only assess its compliance with the technical requirements of HIPAA, but also can assess its ability during an audit to produce the documentation that OCR will request in a timely and organized manner. It will be important in any OCR audit that the organization demonstrate that its HIPAA documentation is orderly and readily producible.
Another way healthcare organizations can prepare for an OCR audit is to ensure that they have made good faith attempts to comply with the baseline requirements of HIPAA. Examples of such baseline requirements include having policies and procedures in place, conducting regular workforce training, performing an IT security risk analysis and designating privacy and security officials. OCR is more likely to impose sanctions against healthcare organizations that have failed to take material steps toward compliance with such baseline requirements than it is for the more technical violations that regularly occur.
Healthcare data breaches are likely to increase in number and sophistication over the next several years. By asking these few questions of themselves, facilities will be better able to prevent such breaches and to be better prepared to address them when they do occur.