To secure Protected Health Information first get your people to respect it

If you use your imagination you can get your workforce and management to understand the importance of Protected Health Information and the risks associated with handling it. Patient data is as valuable as gold and the devices it is stored on should be treated as if they were 10 lb gold bars. Why? Using today’s prices a 10 lb gold bar is worth over $250,000. Six bars total $1.5 million, the same as the fine paid last year for a single lost laptop. So, every time you think of ‘patient data’ think of six gold bars. Think of one patient record as an ounce of gold.

Having just attended both the HIMSS health care IT conference in New Orleans and the RSA IT Security conference in San Francisco, my mind is filled with pitches from vendors who are offering everything from secure user access to fast access to data. How can you have both? Before you buy anything you need to make sure your staff understands security and respects the risks associated with patient data. You need to get your management to recognize its value and give you a budget for adequate protection. Don’t forget that training your workforce can protect patient data when your security systems and processes fail.

Today everyone wants access to anything, from anywhere, on any device. This is a long way from when you had to be in front of a terminal screen wired directly to a hospital’s mainframe. It takes a lot of work to secure portable devices, and there are already many places Protected Health Information can leak out of a provider’s network.

After reviewing the security at several health care organizations, I wonder how some attested to Meaningful Use considering they should not have passed the Security Risk Analysis, and they certainly did not mitigate critical security deficiencies (as required) before or during the reporting period. What stands out the most is a cavalier attitude towards the value of Protected Health Information (which is any combination of a patient’s name with a diagnosis or treatment). It can be all over the place, not just in an EMR system, but in reports, letters, e-mails, spreadsheets, and in any form: written, voice, or images. Do you treat your dictation files and faxes sent to e-mail addresses like gold?

If your staff thought of their laptop that stores Protected Health Information as gold, would they treat it differently? I think so. Would they store gold on a thumb drive that is so easy to lose? If they were a courier transporting gold, and it was lost, what would be the effect on their career? Make your staff understand that losing patient data carries the same risk (assuming your Sanction Policy has enough ‘beef’ to enforce HIPAA compliance).

If your workforce thinks of Protected Health Information as gold…

  • They will think hard before removing it from the safety of your facility.
  • They will understand why you are worried about even a small amount being left in an unsecure location.
  • Instead of leaving it on the seat of the car they will make the effort to lock it in the trunk.
  • They will take the time to connect a $25 security cable to lock it to a hotel desk.
  • A doctor will pay the difference to buy a laptop with a secure operating system instead of the consumer version on sale in a Sunday advertisement.

These are minor inconveniences compared to the potential penalties if Protected Health Information is lost or stolen.

If your management thinks of patient data as gold, will they spend the money to protect it better? Probably. It is ironic that the $1.5 million fine assessed last year for a lost laptop, and the $1.7 million fine for a lost hard drive, each would have been avoided with $150 for encryption software. If you are a practice manager or IT director you should use the Massachusetts Eye and Ear Infirmary and Alaska Department of Health and Social Services penalties to get your management to approve the deployment of encryption software on all portable devices. Or, follow the best practices of Arnot-Ogden Medical Center and encrypt your data wherever it is, even servers and local desktop computers.

Make sure your IT staff or outsourced providers (and their subcontractors) treat your patient data like gold. When a hard drive is upgraded, or a system retired, make sure they take the time to properly erase all Protected Health Information and physically destroy the drive. (These procedures should be properly documented in case of an audit or data breach investigation.)

With the new HIPAA Omnibus Final Rule all Business Associates and their subcontractors must implement compliance programs by September 23, 2013. Many are complaining because they think of Protected Health Information as data, not gold. The government gets it. They want patient data protected like gold in a bank vault: restricted access, secure processes for storage and transport, educated users who recognize the risks associated with its loss, and serious penalties for non-compliance. Get everyone to think of your data center as a bank and they may be more careful about who gets in and whether the door gets propped open.

Patient data is like gold. Store it securely. Transport it very carefully. Invest in its protection.

Originally written for 4MedApproved.