Balancing Security and Access to Information
Prevention and detection are important components of data access controls.
One of the biggest security threats in a medical practice is staff. A good training program can help prevent an employee from letting in a virus into the practice's computer system or faxing health information to the wrong number. But practice managers also need to consider that some internal breaches are deliberate.
Breach reports from the US Department of Health and Human Services show that some employees in medical offices have nefarious intent. For example, an employee at the Neurology Foundation in Providence, Rhode Island, copied patient information and kept it on a home computer. A staffer at Berkeley Medical Center wrote down the information of more than 7400 patients and used it to get driver's licenses, insurance, and Social Security cards.
Catching these kinds of breaches can be challenging. The first thing a practice needs to do is evaluate the risk to determine the cost of investing in internal controls. “If your data is only worth $10,000, and you would need to spend $15,000 to make it safe, it doesn't make financial sense,” said John Avery, information security consultant with Synoptek, a managed IT services provider with headquarters in Irvine, California.
Medical practices need to understand what local, state, and federal laws require in terms of security to determine the potential cost of protecting the records. It may cost a small office with barebones protection only about $2,000 to implement security. Larger offices with greater coverage may have to spend upwards of $50,000.
Breaking it down to a per-record estimate can help determine the cost of protection versus a breach. According to the HIPAA Journal, the average cost of a breach in 2017 is $380 per patient record. Costs include credit protection for those who had records breached as well as state and federal penalties and the cost of an auditor, if required.
If a practice has demonstrated due diligence, such as closely monitoring of employee use of electronic medical records systems, the practice may be levied a lower fine or even get a “slap on the wrist,” Avery said. The opposite is true if risks are ignored. “They [HSS] often want to make an example of organizations that don't do enough,” Avery said.
Striking a balance
The major challenge with employees and information security is walking the line between making it so secure that employees are unable to access information they need to do their job, or relaxing it so much they are able to walk off with data.
A core principle of information security is ensuring separation of duties. Practice managers should check job descriptions to ensure employees' access to information is based on the functions they serve within the organization.
Kennet Westby, chief strategist at Coalfire in Westminster, Colorado, which provides cybersecurity advisory services, recommends that medical groups start by reviewing overarching data access controls and privilege structures and amend them as needed. If a practice is concerned that access controls will hinder workflow, it can set up an easy override process to minimize that risk while highlighting access anomalies, Westby said.
Organizations are often resistant to implement security controls for fear of impeding the process of health care delivery, Westby said. Many medical groups end up with an over-privileged environment relying on an out of date risk analysis and older job descriptions.
Prevention is an important part of access controls, but detection is even more so, Avery said. “Many people place emphasis on breach prevention, but you really can't prevent what you don't know exists,” he said.
Myles Musser, a cloud architect with Online Tech in Ann Arbor, Michigan, said all employees should have their own individual login information. This will enable practices to track who is accessing information and the information that is being accessed. That information can then be extracted to create an audit trail and observe trends.
Most record management systems should have that level of logging and reporting capability, Westby said. Practice managers will need to work with their vendor to ensure the functionality is available and the monitoring tools and reports created are easy for staff to understand. “A doctor or administrative staff have to be responsible for doing an ongoing review process of the information,” Westby said. “Having data and nobody looking at it is no better than not having it at all.”
The final point to note about detecting data misuse is to inform staff that security measures are in place to prevent it. Most employees will voluntarily adhere to information-access protocols, and some may follow procedure only if they know they are being monitored. For the few individuals who are not deterred by the possibility of getting caught, detection will go a long way in tracking their movements.