4 Health IT Security Priorities for Hospital Risk Managers

As CMS' Medicare and Medicaid Electronic Health Record Incentive Program drives EHR adoption, hospitals are increasingly focusing on protecting patients' electronic information from being exposed. Some politicians are voicing their concerns about hospitals' ability to safeguard patients' information on EHRs. Furthermore, the Office of Civil Rights is beginning the HIPAA Audit Program this month to ensure compliance with HIPAA privacy and security rules and breach notification standards. The pressure to secure data requires hospitals to prioritize how they will mitigate the risk of data breaches. Kim Holmes, assistant vice president of Chubb Specialty Insurance, shares four top tasks hospital risk managers should tackle to ensure health data security.

1. Build a culture of security. The first step in reducing the risk of a data breach is to build a culture of security. "[Data security should be] embedded in the culture so that it is part of the organization's day-to-day operations — not something on the shelf, but an alive and breathing process in place so all employees are part of the solution of preventing a data breach or responding to one if it does happen," Ms. Holmes says. C-suite leadership in security initiatives can help create this culture. Driving a commitment to data security from the top down will help create an environment where employees and physicians are attuned to the organization's security policies and procedures.

Hospitals can enforce this culture by developing an incident response plan that gives responsibilities to key stakeholders and emphasizes all employees' role in protecting sensitive data. "Make it a priority in terms of vesting everybody at different focal points in the organization, be it risk management, IT or individual managers, with a specific role in the response plan framework," Ms. Holmes says. "A response plan that incorporates key stakeholders, almost in a playbook fashion, will minimize the chance of a mistake or error when executing that plan when the chaos and stress of a data breach actually happens." A response plan should outline in chronological order the steps the organization needs to take after a data breach and who is responsible for each step. Ensuring correct chronology in the response is important for compliance with government and state regulations. In addition, Ms. Holmes says some insurance products require notification to the carrier before certain response steps are taken.

2. Encrypt data. All mobile devices should be encrypted, Ms. Holmes says. "It should be a key item of concern, not only because it makes practical sense, but also [because] under the HITECH Act, encryption of data may exempt organizations from federal notification requirements as they evaluate their response to a data breach." While corresponding state laws may still require notification after a data breach, encryption can help hospitals to prevent data breaches and minimize damage if a breach does occur.

3. Develop written indemnification agreements with third parties. Hospitals and health systems need to have written indemnification agreements in place with third-party service providers and vendors as a means to possibly mitigate financial losses if a data breach occurs at a third-party vendor. "There is a common misnomer that organizations can contract away their liability for a data breach," Ms. Holmes says. "While some states may allow an organization to contract away (to a third party service provider) the requirement to notify after a breach, the liability for a data breach always remains with the owner of the data, so it is very important that those indemnification agreements be in place."

4. Manage the provider-vendor service relationship. Healthcare organizations should require or confirm that their vendors have appropriate security measures in place to prevent a data breach. "They should review vendor and service provider security protocols to make sure they are commensurate with their own," Ms. Holmes says. Hospitals should continually monitor the vendors' security controls to identify risks and improve security. One strategy for reducing the risk of a data breach at a third-party vendor is to require that the vendor or service provider procure cyber security liability insurance. Ms. Holmes suggests that vendors and other service providers to healthcare organizations may, at some point in the future, need to acquire cyber security liability insurance to remain competitive in their market.

Hospitals can help bolster vendors' security by educating them on the frequency of breaches, how they occur and their costs — not only financially, but in terms of the relationship with the hospital, Ms. Holmes says. Educating the vendor and reviewing their policies are important because "indemnification agreements are only as good as [vendors'] ability to make good on them," she says.

However, hospitals should be aware that indemnification agreements will not relieve hospitals of all the burdens of a data breach at a third-party vendor. "Turning and pointing a finger at the vendor may give some recourse in terms of money, but not reputation or exposure," Ms. Holmes says. "The fact that [a breach] needs to be reported and all the other response measures that go into motion internally when an organization has a data breach — none [of that] is mitigated by the fact that the third-party vendor needs to be able to make good on [the] losses."
