A couple of weeks ago, my colleague Sharon Hicks took a hard look at the state of digital security – specifically how high-level demands for interoperability and health information exchange (HIE) are challenging our sense of privacy and security (see Digital Security Isn’t Where It Needs To Be). You may have passed right by that issue, thinking it is a relatively low priority.
But, then we had the massive Equifax data breach, in which financial records on 143 million people are now on the loose (see Equifax Announces Cybersecurity Incident Involving Consumer Information, How Equifax “Bungled” Its Response To Massive Data Breach, and Equifax’s Massive Data Breach Focuses Attention on Symantec’s LifeLock).
I initially had two responses. First, if a large company like Equifax can’t keep its records secure, what about much smaller organizations? And, second, more legislation and more penalties are sure to follow. Based on the press coverage (see Equifax Data Breach Focuses Washington’s Attention On Security Of Sensitive Personal Information and Utahns Sue Equifax For $5B Over Data Breach), I think that second point is a sure bet.
So what are the prudent actions that executive teams should take regarding data security? First, someone in your organization needs to be in charge of data security, whether that is a full-time employee or a contractor. What does that person do? That person is responsible for creating and managing a security plan that includes both internal and external elements. To satisfy these needs, this person must be well versed, now and on an ongoing basis, in the requirements and regulations that affect protected information. Internally, this person must understand what responsibilities the organization has in managing protected information, create the internal processes to ensure staff and systems are protecting that information, and create and manage the Breach Notification Policy that the organization follows if a breach occurs. Externally, this person must understand the responsibilities third parties have for the organization’s protected information, ensure that appropriate agreements are in place to hold those third parties accountable, and manage all current and future third-party agreements regarding data security. All business associates are required to notify the organization if a breach occurs at or by the business associate.
Health care organizations must also have a defined and compliant process for managing a data breach, including notifying their consumers. A Breach Notification Policy is required by the HIPAA Breach Notification Rule, which states that HIPAA covered entities and their business associates must provide notification following a breach of protected health information (see HIPAA Fines & HIPAA Audits On The Rise). Following a breach, organizations must provide notification to affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS), and, in certain circumstances, the media.
Finally, there is the issue of your technology contractors. Provider organization executives must have confidence in and appropriate agreements in place with their IT vendors – electronic health record (EHR) and other hardware/software vendors that maintain or manipulate “data at risk” – who must share the burden of security.
For a deeper dive into this important topic, check out these resources from the OPEN MINDS Industry Library:
- Will Security & Interoperability Shape Our Health Care Future?
- ‘Smart Tech’ Can Protect Patient Privacy
- What Is ‘Blockchain’ & What Will It Mean For Your Tech Strategy?
- After ‘Reinventing’ The CFO, It’s The CIO’s Turn
- Tips For Using Direct Secure Messaging
- Bad IT At Your Organization? Blame The Executive Team
In a market that understands it is under-informed, provider organizations need to look for technology partners to help them ensure compliance and mitigate risk. This will continue to shift the burden, and increase the risk, onto the tech companies supplying these services.
For more, join me at The 2017 OPEN MINDS Technology and Informatics Institute on November 7 for my session, “Telehealth Best Practices: How To Build A Successful, Sustainable Program.” And for more on the challenges, as well as the opportunities in sharing data, join Ms. Hicks on November 8 for her session, “Behavioral Health Data Sharing: The Opportunities & Challenges In Health System Information Exchange.”