A recent study from Seattle-based Integris Software, which surveyed executives and IT staff at medium and large health care organizations, found that health care leaders feel confident in their data privacy practices. Specifically, they think they have a handle on their protected health information (PHI). Of the survey respondents, 70% were “very” or “extremely” confident they knew where their sensitive data resides, but the same study found that organizations do not necessarily track the data they maintain, transmit, or acquire.
Health care executives appear to understand the need to comply with HIPAA to help reduce breaches, and they are increasingly investing in information security. But the Integris research found that a majority of enterprises needed to access 50 or more data sources to get a full picture of where their data reside. Only half update their data report annually, and only 17% could access data across the most common source types.
The report recommended providers use technology to monitor and map sensitive data across all locations; identify and monitor the data entering and leaving their organization; and create data retention policies beyond HIPAA and state regulations.
“Our survey showed that the vast majority of health care companies simply don’t have the tooling in place to access and monitor the volume, variety, and velocity of personal data flowing in, out and across their organizations,” said Kristina Bergman, founder and CEO of Integris.
Analysis and mapping
Tom Walsh, founder and managing partner of tw-Security, a health care privacy and information security firm in Overland Park, Kansas, said it is naïve to think health information is secure if providers do not even know where it is. “It’s like the parents of teenagers saying, ‘I don’t know where the kids are or what they are doing, but I’m sure they are acting responsibly,’” he said.
The primary way to understand where data are housed is through something each organization is supposed to be doing to comply with HIPAA: a risk analysis. By doing this, a group can determine where PHI is held and where those systems are vulnerable to breaches, said Susan Lucci, a senior privacy and security consultant with tw-Security.
A network diagram is typically the tool used for this task. The diagram maps the flow of patient health information as it travels through the system. For instance, a new patient’s file begins with the intake form from which the staff creates either a paper or electronic medical record (EMR), stored on a server or in the cloud. The information goes to the billing department, insurers, and possibly vendors after the visit.
The trick is understanding where these moving parts connect and ensuring they are all protected. PHI can even be located on equipment like dialysis machines, patient devices, and fax machines, which are sometimes connected to a system’s hard drive, said Jen Stone, senior security analyst with Security Metrics, based in Orem, Utah.
An inventory of systems is not enough, however. Providers need a diagram that helps conceptualize where PHI is created and received and how it flows through a system. Because this takes knowledge of workflow processes and security, mapping data needs to be a collaboration between the office manager and IT staff.
“This is hard, and it takes time,” Stone said. “But they have to work together because each has limited knowledge and understanding, and working separately, they would only get limited solutions.”
As the Integris report found, health care providers have myriad places where data reside and move. To understand these data repositories, the providers must have real-time knowledge of data flow.
“My biggest concern is that if they don’t up their game with regards to their technical data privacy maturity, then we’ll continue to see a disproportionate amount of major data breaches coming from the health care industry,” Bergman said.
Once data are mapped, an IT department can check each point along the path for known weaknesses.
For example, if patient records are stored in an EMR system or a database, IT personnel can check whether those systems are protected. They can ascertain whether patient records are reachable from the internet and, if so, whether access requires a password or other authentication. If PHI sits on different computers in the office, they can ensure that those devices have current antivirus protection. Health care providers must also ensure that PHI is backed up, not just protected.
Network diagrams need to be updated on a regular basis—annually at least and more frequently if possible, Lucci said. “In a large organization, it’s not unusual for someone to say, ‘We need this new medical device that will save us time and give better diagnostics,’ and it gets added and maybe IT isn’t made aware,” Lucci said. “There are systems and assets that get added and aren’t reviewed for vulnerabilities.”
If the diagrams are updated on a regular basis, new equipment and systems can be added and assessed for risk. “This needs to be reviewed annually because the bad guys don’t use the same tactics to get into systems,” Lucci said. “They are constantly changing and looking for vulnerabilities to get in, so we have to do our part to try and stay ahead of that.”
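The mapping-and-review procedure described above can be reduced to a small, repeatable check: record which assets create or receive PHI, follow the flows to find every system PHI ends up on, and then apply the article's questions (internet-reachable without a login, no antivirus, no backup, no risk review in the past year, or a device nobody inventoried) to each of them. The following Python script is an added example, not code from the article or from Integris or tw-Security; every asset name, flow and date in it is constructed, and the attribute names are assumptions chosen for illustration.

```python
"""Added example: a toy PHI data-flow map and the audit checks the article
describes. All assets, flows, and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One system or device that may hold PHI (attribute names are hypothetical)."""
    name: str
    internet_reachable: bool = False      # can it be reached from the internet?
    requires_auth: bool = True            # is access gated by a password/credential?
    endpoint_protection: bool = True      # current antivirus in place?
    backed_up: bool = True
    last_risk_review: Optional[date] = None


@dataclass(frozen=True)
class Flow:
    """Directed movement of PHI from one asset to another."""
    src: str
    dst: str


# Constructed inventory: what the IT department believes it has.
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("intake-form", last_risk_review=date(2019, 3, 1)),
    Asset("emr-server", internet_reachable=True, last_risk_review=date(2019, 3, 1)),
    Asset("billing-workstation", endpoint_protection=False, last_risk_review=date(2019, 3, 1)),
    Asset("dialysis-machine", backed_up=False, last_risk_review=date(2017, 6, 1)),
    Asset("patient-portal", internet_reachable=True, requires_auth=False,
          last_risk_review=date(2019, 3, 1)),
    Asset("fax-server"),                  # never had a risk review
    Asset("lab-printer"),                 # inventoried, but PHI never flows to it
]}

# Constructed flow map: intake -> EMR -> billing -> insurer, plus clinical devices.
FLOWS: List[Flow] = [
    Flow("intake-form", "emr-server"),
    Flow("fax-server", "emr-server"),
    Flow("dialysis-machine", "emr-server"),
    Flow("emr-server", "billing-workstation"),
    Flow("emr-server", "patient-portal"),
    Flow("billing-workstation", "insurer-clearinghouse"),
    Flow("emr-server", "ultrasound-cart"),   # added by clinical staff; IT never inventoried it
]

PHI_SOURCES: Set[str] = {"intake-form", "fax-server", "dialysis-machine"}  # where PHI is created/received
EXTERNAL: Set[str] = {"insurer-clearinghouse"}                              # outside the organization
TODAY = date(2020, 1, 15)
REVIEW_INTERVAL = timedelta(days=365)


def phi_reach(flows: List[Flow], sources: Set[str]) -> Set[str]:
    """Every asset that ends up holding PHI: the sources plus everything
    reachable from them along the flow graph (a transitive closure)."""
    holders = set(sources)
    frontier = list(sources)
    while frontier:
        node = frontier.pop()
        for f in flows:
            if f.src == node and f.dst not in holders:
                holders.add(f.dst)
                frontier.append(f.dst)
    return holders


def audit(assets: Dict[str, Asset], flows: List[Flow], sources: Set[str],
          external: Set[str], today: date) -> List[Tuple[str, str]]:
    """Walk the PHI map and report the weak points the article lists."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(phi_reach(flows, sources)):
        if name in external:
            findings.append((name, "PHI leaves the organization here"))
            continue
        a = assets.get(name)
        if a is None:
            findings.append((name, "holds PHI but is not in the asset inventory"))
            continue
        if a.internet_reachable and not a.requires_auth:
            findings.append((name, "reachable from the internet without authentication"))
        if not a.endpoint_protection:
            findings.append((name, "endpoint protection missing or out of date"))
        if not a.backed_up:
            findings.append((name, "PHI not backed up"))
        if a.last_risk_review is None or today - a.last_risk_review > REVIEW_INTERVAL:
            findings.append((name, "risk review older than a year or never done"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed map."""
    return audit(ASSETS, FLOWS, PHI_SOURCES, EXTERNAL, TODAY)


if __name__ == "__main__":
    for asset, issue in run_audit():
        print(f"{asset:24} {issue}")
```

The reachability step is the part a plain inventory misses: `ultrasound-cart` is flagged because the EMR sends PHI to it, even though nobody ever entered it in the asset list, while `lab-printer` is inventoried but stays out of the report because no PHI flows to it. Re-running the audit with a new `TODAY` is how the annual review would catch assets whose risk review has lapsed.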