It was only four days ago that we wrote about the data security issues facing health plans and provider organizations, including the recent ruling in Connecticut that consumers can sue over medical record breaches—More & Larger Health Care Databases Mean More Data Security Concerns. But I was struck over the weekend with all of the “new” security breach headlines:
- $17M Settlement Agreement Reached in Aetna Data Breach Case
- Hackers Access Patient Data At Oklahoma State Facility
- Allscripts Still Working To Resolve Ransomware Attack
- Another Indiana Hospital Hit By Ransomware Attack
- Greenfield Hospital Pays $55,000 Ransom; No Patient Data Stolen; Hackers Demanded Bitcoin
- Massive Data Breach Hits Norway And Over 3 Million People’s Healthcare Data Feared Stolen By Hackers
These headlines (and the very unsettling number of data breaches in 2017—The 10 largest data breaches Of 2017) make data security issues a “top of mind” concern for health and human service organizations. My colleague, OPEN MINDS Senior Associate Jim Gargiulo, had some concrete advice for our health and human service organization customers. He recommends a seven-point approach for managing and securing consumer health information:
- Be aware of the data security issues
- Build a transparent policy for data sharing
- Build a culture focused on security
- Develop a strong information technology infrastructure
- Create clear policies around data security
- Empower staff to better manage data security
- Manage enterprise vendor relationships to mitigate risk
Executives need to understand the importance of maintaining, protecting and managing the disclosure of information. The potential financial and legal risk of a data breach is significant and I don’t know of a single executive director or chief executive officer who wants their organization in a headline announcing data losses, ransomware attacks, or security breaches. The costs are not insignificant. In addition to fines levied by state or federal governments for violations, State Supreme Courts in Connecticut, New York, and Missouri have ruled that consumers can additionally sue for damages in the event of unauthorized disclosures.
Data sharing and transparency
As part of the enrollment process, as people come into care, they should be made aware of how information about them may be disclosed, how it may be used and then provide explicit permission for such disclosure. Standard and compliant processes exist for this, and every organization should make disclosure part of the intake or enrollment process. In the event of a breach, organizations should have clear communications strategies and plans in place that take immediate action to protect consumers from further disclosures, help them monitor any subsequent access to their information, and provide legal recourse.
Establishing a security culture—with training and enforcement
Protecting personal information needs to be top of mind for everyone in the organization. All staff should be required to complete online HIPAA training at orientation, and once every year. These sessions are available in the public domain or through a number of different e-learning companies. More importantly, inappropriate disclosure of information should be considered cause for immediate termination, and this includes paper, as well as electronic files. Staff who inadvertently leave records in the back seat of their car, on a table at home, or on a smart phone need to know the risk of such practices and how they impact consumer confidentiality.
Leveraging technology infrastructure capabilities
Nowhere is the importance of a strong information technology infrastructure more apparent than in the protection of personal data. Leveraging tools and proven processes can ease the burden of secure data management. Best practices exist—they are just not frequently put in place.
Credentialing policies and protocols
It is the role of the chief information officer (CIO) to develop and enforce strong practices, including standards for data access, password structure, and how often passwords must be changed. Policies should focus on the “need to know”: credentials should be set so that people can do the work they are paid to do, with secure access to the information needed to provide services and nothing beyond it.
Security empowerment through the use of proven IT tools
As users of technology, all of us are burdened by a plethora of security credentials, each more complicated than the last. In one organization I work with, staff may be required to have separate credentials for the EHR, payroll, email, travel, and CRM systems. A good IT group leverages tools like Active Directory to tie those separate logins to a single master credential, thereby easing logon issues and offering added protection. Additionally, many companies are using biometrics (such as facial recognition and thumbprints) or two-factor schemes to ensure only the right people are accessing confidential data.
Finally, digitally stored personal information is under constant attack by outside actors of bad intent, seeking ways to disrupt or steal information, perhaps as part of an extortion or other ransomware plan. Entire health systems have been disrupted by persons who have found ways to hold consumer data hostage, often through poor password protections, user carelessness, or known access points in the software. Solid IT infrastructures ensure all security holes are plugged, operating system updates are installed in a timely way, and system access is constantly monitored. A strong CIO, who has the vision and imagination to understand all threats to data security and integrity, is key to security strategy and its deployment.
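The credentialing and monitoring advice above (need-to-know access, a second factor for sensitive data, and constant monitoring of system access) can be made concrete in code. The following is an added illustration, not code from the OPEN MINDS post or from any product it mentions: the roles, record kinds, the “caseload” used to model a treatment relationship, and the denial threshold are all constructed assumptions. It authorizes each request in three steps (role permission, need-to-know, second factor), writes every decision to an audit log, and then scans that log for users who are repeatedly denied, which is the kind of signal a monitoring team would review.

```python
"""Need-to-know access check with audit logging (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    user_id: str
    role: str              # constructed roles: "clinician", "billing", "front_desk"
    mfa_verified: bool     # did this session complete a second factor?
    caseload: Set[str]     # consumer ids this user actually serves (need to know)


@dataclass
class Record:
    consumer_id: str
    kind: str              # constructed kinds: "clinical_note", "insurance", "demographics"


# Constructed policy table: which record kinds each role needs for its job.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"clinical_note", "demographics"},
    "billing": {"insurance", "demographics"},
    "front_desk": {"demographics"},
}

# Constructed rule: these kinds additionally require a second factor.
MFA_REQUIRED: Set[str] = {"clinical_note", "insurance"}


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, user: User, rec: Record, allowed: bool, reason: str) -> None:
        self.entries.append({
            "user": user.user_id, "role": user.role, "consumer": rec.consumer_id,
            "kind": rec.kind, "allowed": allowed, "reason": reason,
        })

    def denied_by_user(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.entries:
            if not e["allowed"]:
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts


def authorize(user: User, rec: Record, log: AuditLog) -> bool:
    """Allow access only if role, need-to-know and second factor all check out."""
    if rec.kind not in ROLE_PERMISSIONS.get(user.role, set()):
        log.record(user, rec, False, "role_not_permitted")
        return False
    if rec.consumer_id not in user.caseload:
        log.record(user, rec, False, "no_treatment_relationship")
        return False
    if rec.kind in MFA_REQUIRED and not user.mfa_verified:
        log.record(user, rec, False, "mfa_required")
        return False
    log.record(user, rec, True, "ok")
    return True


def flag_repeated_denials(log: AuditLog, threshold: int = 3) -> List[str]:
    """Users denied at least `threshold` times; a review queue for the monitoring team."""
    return sorted(u for u, n in log.denied_by_user().items() if n >= threshold)


def demo():
    """Run a constructed set of requests and return (decisions, flagged users)."""
    log = AuditLog()
    alice = User("alice", "clinician", True, {"c100", "c101"})
    bob = User("bob", "front_desk", False, {"c100", "c101"})
    carol = User("carol", "billing", False, {"c100"})
    decisions = [
        authorize(alice, Record("c100", "clinical_note"), log),  # allowed
        authorize(alice, Record("c999", "clinical_note"), log),  # not on caseload
        authorize(bob, Record("c100", "demographics"), log),     # allowed
        authorize(bob, Record("c100", "clinical_note"), log),    # role not permitted
        authorize(bob, Record("c101", "insurance"), log),        # role not permitted
        authorize(bob, Record("c100", "insurance"), log),        # role not permitted
        authorize(carol, Record("c100", "insurance"), log),      # second factor missing
    ]
    return decisions, flag_repeated_denials(log)


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: a request fails on the cheapest, least revealing reason first, and the audit entry records only that reason, so a denied user learns nothing about whether a consumer exists in the system.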
Enterprise vendor management/coordination
Organizations don’t need to manage security risk on their own. Technology vendors who are partners share in the responsibility to protect consumer information that comes into their systems. Contracts (and related business associate agreements) with all vendors whose systems store consumer and staff data should be reviewed in the context of their security processes. Whether storage occurs in the cloud or onsite, these systems must offer minimum protections and be able to show evidence that they comply with HIPAA and related regulations.
At the end of the day, however, the ultimate responsibility for protecting consumer and staff information is with the organization providing the service. Best practices encourage managers of organizations to make consumer confidentiality part of the company culture, leverage the role of the CIO in building safe systems, and work with their vendor partners to ensure information is used appropriately.
His final observation: it all comes down to culture, specifically an organization’s data culture. Executives create the “attitude” and the tone for data security. He explained:
Managing and securing personal information is critical for any organization serving people with complex conditions. Especially for companies that are part of a broader network, where integration with physical health services and population health management are key parts of the program, disclosure and protection of a person’s identity has legal and financial consequences. As a result, data security needs to be an “attitude”, not an afterthought for all health and human service organizations.
For more on this conversation, join me on October 23, 2018 at The 2018 OPEN MINDS Technology & Informatics Institute for my session, “The Challenges Of Data Management In A Digital World: An Executive Discussion On Security, Privacy, & Consumer Control.”