Information governance for offsite healthcare data security

2.5 quintillion bytes.

According to IBM, that's the amount of data generated every day—the equivalent of 57.5 billion 32 GB iPads. What's more, 90 percent of the data in the world today was created in the last two years.

Businesses are taking note. Organizations of all kinds are scouring data for insights and finding data-driven ways to offer superior products and services. In healthcare, this abundance of data is being used to improve quality of care and prevent and cure diseases. However, living in a data-rich world presents a unique set of challenges.

While new tools such as telehealth and electronic health records (EHRs) leverage healthcare data and offer tremendous upside, these technologies also create privacy concerns that require a sophisticated, organization-wide approach to data security.

Managing Security Challenges
The rise of clinical and consumer-facing technology poses unique challenges for the healthcare system. Although both providers and patients stand to benefit from cloud-based technologies, extra care must be taken to ensure these tools aren't compromised by ransomware, advanced persistent threats (APT), social engineering, or any other kind of attack or hacking technique. Providers must collect security intelligence to track newer system vulnerabilities hitting the industry and take appropriate proactive measures to manage these risks.

While computerized technology allows providers to access patient health records and offer better treatment options, it requires the storage of protected health information (PHI)—an enticing target for hackers.

A 2015 Ponemon Institute study found healthcare data breaches in the United States are up 125 percent since 2010—a rate predicted to increase as more healthcare systems adopt the latest digital technology. The study also found cyber attacks cost the U.S. healthcare system over $6 billion annually.

Even more, healthcare organizations must follow federal, state, and local privacy rules mandating specific administrative, physical and technical safeguards. While there are numerous challenges, with the right strategy, providers can protect patient data and limit exposure to cyber attacks by implementing the following best practices:

Technical Safeguards
A robust approach to protecting your facility from a breach starts with putting technical safeguards in place. The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act require providers to utilize a certified EHR system for exchanging electronic PHI. Encrypting all electronic PHI exchanges ensures transactions are not tampered with.

Providers must document that PHI in their possession has not been altered or destroyed in an unauthorized manner. Successful facilities typically use checksums, digital signatures and message authentication—all approved measures under the data authentication HIPAA regulation.

Beyond HIPAA and HITECH regulations, providers should strongly consider using two-factor authentication (secure hard tokens and SMS soft tokens) as well as encrypted e-mail accounts. Also, providers should disable screen capture, video recording, USB storage, printing, and external disc drives where not required for business processes.

Physical Safeguards
Keeping electronic PHI secure requires regulating the addition and removal of hardware and software from network devices. A successful approach to physical security also requires proper placement and visibility of workstations, which allows administrators to monitor employee computer usage.

And for providers who require additional security measures, consider the use of physical location requirements to limit coding and other operations to designated delivery centers. Requiring coders to store personal electronic devices and bags in lockers and using security guards and video monitoring can be very effective.

Emergencies can and do happen. Providers are encouraged to have a plan in place that gives the information security team access to any servers housing PHI.

Administrative Safeguards
No approach to information security is complete without proper administrative safeguards. As such, providers should maintain detailed written policies and procedures encompassing all aspects of information security. Topics to cover include: anti-malware requirements; application considerations; identifying a designated privacy officer and communicating the same to all employees; business continuity and disaster recovery plans; policies for registering, tracking and resolving security incidents; consistent approach to disciplinary process for security incidents; and breach notification.

Under the HITECH Omnibus Final Rule, any cloud-based service provider processing or storing PHI must be considered a business associate. For this reason, it is important that the Business Associate Agreement (BAA) is signed by cloud provider(s) if PHI is processed or stored.

Ensuring HIPAA and HITECH regulations are followed means employees with access to PHI should receive regular information security training. Also, site administrators should include information security best practices in every stage of the employee lifecycle. Onboarding training, refresher assessments, newsletter articles from senior leadership, and poster campaigns are all effective ways to keep employees current with the latest regulations.

Regular Audits Important for Ensuring Security Compliance
Successfully enforcing information security policy compliance requires regular internal audits. But it doesn't stop there. A site compliance team—including certified auditors—should document the scope, frequency, procedures, and results of all internal audits.

Additionally, successful practices often implement human resources policies targeted at enforcing compliance. And beyond these measures, regular risk assessment is essential. Some providers require independent cross-functional risk assessments, abide by ISO/IEC 27001:2013 and SSAE 16/ISAE 3402 standards, and schedule regular third-party audits.

Network vulnerability and penetration testing (VAPT) will help to find system vulnerabilities proactively so that appropriate corrective actions can be taken to fix the vulnerabilities. VAPT finds IT infrastructure and application weaknesses and provides practices with a detailed, comprehensive view of data security threats, enabling providers to shield electronic PHI from data breach.

As providers increasingly hire outside firms to cut costs while still providing first-rate care, it's imperative that all partners follow these information governance best practices. When evaluating a potential business partner, providers should ask their IT security officers to perform a high-level security assessment. If a candidate's security practices are in doubt, this should play a role in the selection process. Inadequate information security controls can damage an organization's bottom line and reputation.

Putting a comprehensive plan in place is just the first step in ensuring a facility is protected from a data breach. Equally important is regularly assessing ongoing security and privacy challenges for both an organization and its partners. Staying current with the latest information security threats is a daunting task, but a well-defined plan will reduce the chance of a breach and increase profitability by making data security best practices second nature.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.​

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months