Data security is becoming a growing concern for healthcare organizations, and for good reason. Many CIOs now list it as one of their biggest concerns. According to the U.S. Department of Health and Human Services' recent annual report on data breaches, 207 breaches involving 500 or more individuals occurred in 2010, and these breaches affected more than 5.4 million individuals. Furthermore, it seems that prestigious organizations are no more immune to data loss than lesser-known facilities. Early in September, for instance, Stanford Hospital & Clinics in Palo Alto, Calif., reported that the medical records for 20,000 emergency room patients had been publicly accessible online for nearly a year. There are steps hospitals can take, however, to minimize the risk of breaches of protected health information. Mac McMillan, CEO of health IT security firm CynergisTek, discusses 10 best practices for securing health data.
1. Develop a culture of security. "When [I] think of best practices, [I] think of organizations that have implemented either processes, technologies or procedures that make security an integral part of how they do business each day," Mr. McMillan says.
Building a culture of security starts at the top with the executive leadership and board. First, the hospital should create a security position, if it does not already exist, and then appoint someone in the role who has expertise in the area, Mr. McMillan says. "It's a big enough responsibility, particularly with the new rules and the complexity involved with the different regulations — both at the federal and state level — that you really need somebody paying attention to [security] on a regular basis," he says.
2. Implement a risk management program. "One of the basic principles of good security is first understanding where your risks are. You can't do that unless you conduct a risk analysis and assessment of the environment to identify where potential gaps are," Mr. McMillan says. He suggests conducting a risk analysis at least every year or whenever there is a major change in the environment. Hiring a third party to do the assessment is best, he says, to ensure the analysis is objective.
3. Manage relationships with vendors and business associates. Hospitals need to develop business associate agreements that prescribe policies for appropriately managing data. Mr. McMillan says hospitals should create vendor questionnaires for both the selection and contract negotiation processes. A questionnaire that determines vendors' data sharing practices and understanding of HIPAA can help hospitals choose a vendor. Then, when negotiating the contract, the hospital can give the vendor a questionnaire that evaluates its data security practices more closely. Mr. McMillan says the questionnaire should include items such as "Do you use appropriate encryption to transmit data? Do you have a security manager? Are your employees trained on proper security? Do you outsource any of your services?" The contract should require that the vendor or business associate notify the hospital before transferring any sensitive data to another vendor or location.
4. Create an incident response process. Hospitals need to ensure employees understand the proper response to data incidents, including reporting and documentation requirements. In situations where hospitals are not obligated to report breaches, because the risk threshold was not met or an exception applied, they still need to document their precautions and response. "Just because you don't have a formal responsibility to notify under the breach rule doesn't mean you shouldn't document the incident or your response," Mr. McMillan says. Documentation should include information such as investigative findings, the risk analysis outcomes, employee training and any notification of patients, HHS or other authorities.
5. Audit and monitor the environment. Hospitals should implement automated technology to track user and system activity in real time, Mr. McMillan says. "The days of reactively [and] manually reviewing logs to know what went on in an average healthcare environment is just not practical anymore," he says. Security incident event management solutions can provide alerts that allow the hospital to proactively stop behavior before it escalates and leads to a breach.
6. Manage the enterprise. Mr. McMillan says hospitals should create a process for maintaining up-to-date software, creating hardened configurations, applying patches to systems on a regular basis and testing both the network and systems to ensure integrity. "Most hacks, outages and incidents today are still caused by poorly managed systems or user error, not by some sophisticated attack," Mr. McMillan says. "Recent exploits of medical devices due to mismanaged wireless security demonstrates the dangers associated with not securing the network properly."
7. Encrypt data. "Organizations that are getting it right are [those] that understand that encryption is just one element of an integrated security architecture," Mr. McMillan says. "It is one control among many that is used to create a strategy of protecting information." Data encryption is important for two main reasons, according to Mr. McMillan: Encrypting data in transit over open networks is required by HIPAA, and encryption can be used to create a safe harbor for breach notifications under the HITECH Act. Encryption should be applied everywhere from email to storage devices to mobile devices. Encryption is not fail-safe, however. "Don't put an overreliance on encryption, because at the end of the day, like any other control, it is still reliant on the integrity of the architecture or system, as well as the behavior of individuals," Mr. McMillan says. "It's not a panacea, but it should be part of an overall security strategy."
8. Monitor the database. In many cases a database analyst can be a significant threat because he or she can access the database directly, Mr. McMillan says. Hospitals should directly monitor the database to track the analyst's activity, which could otherwise go unrecorded by the application. Database insecurity is one of the weaknesses of the electronic health record certification rules, Mr. McMillan says. The rule requires certified EHRs to log and monitor system activity, generally through application security features, and ignores the risk of accessing the data directly through the database.
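The check this item describes, watching the database itself for access that bypasses the EHR application, can be expressed as a simple audit-log rule. The following is an added example, not code from the article or from CynergisTek: it scans constructed database audit records and flags statements against PHI tables made by any login other than the application's service account, or by that account from a host outside the application tier. The service account name, host names, `phi` schema and record layout are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical configuration: the EHR's database service account and the
# application-tier hosts it is expected to connect from.
APP_ACCOUNTS = {"ehr_app"}
APP_HOSTS = {"app01", "app02"}
# Assumed schema that holds protected health information.
PHI_TABLE = re.compile(r"\bphi\.(\w+)", re.IGNORECASE)

@dataclass
class DbEvent:
    ts: datetime
    user: str
    host: str
    query: str

def phi_tables(query):
    """Return the PHI-schema tables a statement references (sorted, unique)."""
    return sorted(set(m.lower() for m in PHI_TABLE.findall(query)))

def find_direct_access(events):
    """Flag PHI-table statements that did not arrive through the application.
    Rule 1: a login other than the service account touched PHI tables.
    Rule 2: the service account was used from outside the application tier,
            which suggests its credentials are being reused for direct access."""
    findings = []
    for ev in events:
        tables = phi_tables(ev.query)
        if not tables:
            continue  # activity outside the PHI schema is not in scope here
        if ev.user not in APP_ACCOUNTS:
            findings.append((ev.ts, ev.user, ev.host, "direct PHI access", tables))
        elif ev.host not in APP_HOSTS:
            findings.append((ev.ts, ev.user, ev.host, "service account off app tier", tables))
    return findings

# Constructed sample of native database audit records.
SAMPLE = [
    DbEvent(datetime(2011, 9, 1, 9, 0, 5), "ehr_app", "app01", "SELECT name, dob FROM phi.patients WHERE id = 1001"),
    DbEvent(datetime(2011, 9, 1, 9, 2, 17), "dba_jsmith", "ws-dba7", "SELECT * FROM phi.patients"),
    DbEvent(datetime(2011, 9, 1, 9, 3, 40), "dba_jsmith", "ws-dba7", "SELECT count(*) FROM sys.sessions"),
    DbEvent(datetime(2011, 9, 1, 9, 5, 2), "ehr_app", "laptop-22", "SELECT ssn FROM phi.patients p JOIN phi.encounters e ON p.id = e.pid"),
]

if __name__ == "__main__":
    for finding in find_direct_access(SAMPLE):
        print(*finding)
```

Only the two records that bypass the application (the DBA's bulk read and the service account used from a laptop) are reported; the application's own query and the DBA's system-catalog query are not.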
9. Build data awareness. Hospitals can mitigate the chances of data breaches by knowing where protected health information resides in the network and applying appropriate rules and protections, according to Mr. McMillan. Building data awareness requires the use of technology, such as data loss prevention solutions, that can accurately map and enforce policies around data. Automating this process can help hospital leaders stay apprised of where data truly is within the enterprise, where it is going and who is accessing it, and then create policies for where data should be stored and transmitted and who should be accessing it. This practice will help eliminate opportunities for exploitation or compromise, Mr. McMillan says.
10. Educate users. Robust security awareness training for caregivers and employees is critical for protecting confidential information. "At the end of the day, with all of the security in the world that one can apply to a network or device, the user who has authorization to get on the system is still by and large the biggest risk we have," Mr. McMillan says. "The smarter [users] are in terms of knowing what they should or shouldn't do in a system, the more effective security is likely to be because they can be part of the solution as opposed to part of the problem."
Learn more about CynergisTek.
3 Strategies for Securing Health Data
HHS Reports Data Breaches of Protected Health Information in 2009-2010 to Congress