by Brian Eastwood

12 Tips to Prevent a Healthcare Data Breach

Sep 04, 2012 | 8 mins

Data and Information Security | Data Breach | Healthcare Industry

High-profile healthcare data breaches continue to make the news. Heed our 12-step program and keep your organization out of the headlines.

Privacy and security have always been priorities for healthcare CIOs, but changes to HIPAA under the HITECH Act of 2009 put the issues squarely in the spotlight. Providers that suffer data breaches affecting more than 500 patients must notify the Department of Health and Human Services, which maintains a public list of all breaches, and are subject to fines of up to $1.5 million (on top of mitigation costs). These 12 tips can help you avoid the costly, and embarrassing, consequences of suffering a healthcare data breach.

Conduct a Risk Assessment

Risk Assessment

The HIPAA Security Rule, passed in 2003, required healthcare organizations to conduct a risk assessment but didn’t penalize noncompliance, so few providers did it. The HITECH Act changed that by making security risk analysis a core, or mandatory, requirement under Stage 1 of the meaningful use of electronic health record software. (Meaningful use provides financial incentives to organizations using EHR by 2014 and penalties to those that aren’t.) The Office for Civil Rights’ guidance on conducting a risk analysis says providers should identify vulnerabilities in information systems or security policies as well as natural, human and environmental threats to the security of protected health information (PHI).

Educate Employees About HIPAA

HIPAA Education

Knowledge is power, after all. Make sure all employees know what personal health information (PHI) can and cannot be shared with patients, caregivers and outsiders—bearing in mind that, in addition to federal HIPAA regulations, individual states have their own rules. This training should happen on a regular basis, not just when an employee is hired. Use high-profile data breaches to illustrate worst practices and discuss what should have been done differently. Set a social media policy that clearly defines what is and is not appropriate, and share it with all employees, whether they see patients or not.

Tell Employees to Watch Their Stuff

Laptop Thief

Hackers are responsible for fewer than 10 percent of the healthcare data breaches that have been reported to date. Most, it turns out, are the result of lost or stolen laptops, backup tapes, CDs, thumb drives or other types of portable electronic devices. These devices have been stolen from a physician’s home, taken from a car or simply misplaced. Yes, it is IT’s responsibility to secure the devices it issues to employees—and that will be covered later—but employees need to understand the repercussions of their forgetfulness.

Keep an Eye on Paper Records

Paper Health Records

Many providers are ditching paper charts for EHR technology, largely because the HITECH Act requires them to do so. The HITECH Act says nothing about paper records, though. They remain plentiful—and prone to loss, having been involved in one in four breaches. Medical records and X-rays have been left on the train, 70 miles away. Whether paper records go offsite or stay onsite, visit their location regularly and make sure physical security passes muster. Or take the final step—scan all paper records, import them into your EHR and get rid of paper once and for all.

Encrypt Data at Rest and in Motion

Data Encryption

HIPAA doesn’t require encryption per se, but the HITECH Act states that if encrypted data falls into the wrong hands, the incident does not constitute a data breach. Centrally managed data encryption technology adhering to the Advanced Encryption Standard is the best starting point, since it’s the data that’s most important to thieves and malicious hackers. Be sure to encrypt data in transmission, too: only decrypt data after a user has been authenticated, and encrypt it again once it arrives at its destination. (Side note: When you’re engaging in health information exchange, get patients’ permission to send and receive data—and consider letting them opt out if they feel the process threatens their privacy.)

Encrypt Hardware, Too

Hardware Encryption

Remember those lost laptops from the fourth slide? They’re why you shouldn’t solely settle for data encryption. Lock up the servers your data sits on, the mobile devices employees use to move data around and the network endpoints through which data is exchanged. Store encryption keys for backup tapes separately from the tapes themselves, and don’t lose the keys. Same goes for the transparent data encryption product you’re using on your database. Consider “on-the-fly” server encryption as a way to encrypt and decrypt data before it’s loaded or saved and unbeknownst to the end user. Finally, don’t forget about medical devices that regularly collect and transmit data. If they’re too old to be encrypted, either replace them or shore up network security.
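The two encryption slides above describe the pattern in words: AES on the data itself, and the keys for backup media kept somewhere other than the media. The following Go program is an added illustration of that pattern, not code from the article or any product it mentions. It uses envelope encryption: each record is sealed with AES-256-GCM under its own random data-encryption key (DEK), and the DEK is sealed under a key-encryption key (KEK) that is assumed to live in a separate key store (an HSM or key-management service; the code just generates it in memory). The patient identifier, record layout and sample PHI are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// What goes to the backup tape: ciphertext plus the wrapped DEK. Without the KEK,
// which is stored apart from the media, neither field yields plaintext.
type EncryptedRecord struct {
	PatientID  string // bound in as associated data, so parts can't be moved between patients
	WrappedDEK []byte
	Ciphertext []byte
}

// gcmFor builds an AES-GCM instance; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext; the random nonce is prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to the ciphertext or the associated data.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKey returns 32 random bytes, usable as a KEK or a DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptRecord seals phi under a fresh DEK, then wraps that DEK under the KEK.
func EncryptRecord(kek []byte, patientID string, phi []byte) (*EncryptedRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, phi, []byte(patientID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(patientID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK from the key store; the tape contents alone are not enough.
func DecryptRecord(kek []byte, rec *EncryptedRecord) ([]byte, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte(rec.PatientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, rec.Ciphertext, []byte(rec.PatientID))
}

func main() {
	kek, err := NewKey() // assumption: in practice fetched from an HSM or KMS, never written to the tape
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI; not a real patient.
	rec, err := EncryptRecord(kek, "MRN-0001", []byte("Jane Doe, DOB 1970-01-01, dx J45.909"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("to tape: wrapped DEK %d bytes, ciphertext %d bytes\n", len(rec.WrappedDEK), len(rec.Ciphertext))
	phi, err := DecryptRecord(kek, rec)
	fmt.Printf("restored: %q (err=%v)\n", phi, err)
}
```

Because GCM authenticates as well as encrypts, a tape that has been altered, or a wrapped key copied onto another patient's record, is rejected at restore time rather than silently producing garbage; and losing the KEK, as the slide warns, makes every record on the tape unrecoverable.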

Subnet Wireless Networks

Wireless Networks

If patients can get free Wi-Fi at McDonald’s, they’ll expect it when they’re at the hospital. The key, of course, is to give patients what they want without exposing PHI and other sensitive information. Subnetting, or creating subnetworks, is the best way to do this. Set aside part of your network for public use, and limit guest activity to the browser. Use separate, more secure subnets for business applications, any app that touches PHI and any app that’s involved with credit card transactions. Another subnet for those old medical devices may be a good idea, too. As noted, encrypt each wireless subnet in accordance with Wi-Fi Protected Access 2 (WPA2), and change WPA2 keys frequently.
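The segmentation the slide describes is a default-deny policy between subnets. The Go program below is an added example of that policy as code, not something from the article or any vendor it mentions; the five subnets, their addresses (RFC 1918 ranges chosen for the example), the allowed flows, and the addresses used in the checks are all constructed. Guests may only browse, nothing reaches the PHI segment except staff systems over TLS, and the legacy-device segment may only deliver results to the EHR (HL7 over MLLP on its conventional port 2575 is assumed as the one permitted service).

```go
package main

import (
	"fmt"
	"net"
)

// Segment is one subnet reserved for a class of traffic.
type Segment struct {
	Name string
	Net  *net.IPNet
}

// Constructed address plan for the example; substitute your own.
var segments = []Segment{
	seg("guest", "10.10.0.0/16"),    // public Wi-Fi
	seg("business", "10.20.0.0/16"), // staff workstations, business apps
	seg("phi", "10.30.0.0/16"),      // EHR and anything touching PHI
	seg("payment", "10.40.0.0/16"),  // card-processing systems
	seg("devices", "10.50.0.0/16"),  // legacy medical devices
}

func seg(name, cidr string) Segment {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return Segment{Name: name, Net: n}
}

// Flow is a permitted direction of traffic between segments on the listed TCP ports.
// "internet" stands for any address outside the segments above.
type Flow struct {
	From, To string
	Ports    []int
}

// Default deny: anything not listed is dropped, including guest-to-guest traffic
// and anything from the guest or device segments toward PHI.
var policy = []Flow{
	{"guest", "internet", []int{80, 443}},    // browsing only
	{"business", "internet", []int{80, 443}}, //
	{"business", "phi", []int{443}},          // EHR front end over TLS
	{"devices", "phi", []int{2575}},          // HL7 MLLP results into the EHR (assumed port)
	{"payment", "internet", []int{443}},      // card processor gateway only
}

// segmentOf classifies an address; unparsable input gets a label that matches no rule.
func segmentOf(addr string) string {
	ip := net.ParseIP(addr)
	if ip == nil {
		return "invalid"
	}
	for _, s := range segments {
		if s.Net.Contains(ip) {
			return s.Name
		}
	}
	return "internet"
}

// Allowed reports whether a connection from src to dst:port passes the policy.
func Allowed(src, dst string, port int) bool {
	from, to := segmentOf(src), segmentOf(dst)
	for _, f := range policy {
		if f.From != from || f.To != to {
			continue
		}
		for _, p := range f.Ports {
			if p == port {
				return true
			}
		}
	}
	return false
}

func main() {
	checks := []struct {
		src, dst string
		port     int
	}{
		{"10.10.4.7", "203.0.113.10", 443}, // guest browsing (TEST-NET address)
		{"10.10.4.7", "10.30.1.10", 443},   // guest -> EHR
		{"10.20.5.5", "10.30.1.10", 443},   // workstation -> EHR
		{"10.50.0.9", "10.30.1.10", 2575},  // device -> EHR interface
		{"10.50.0.9", "203.0.113.10", 443}, // device -> internet
	}
	for _, c := range checks {
		fmt.Printf("%-11s -> %-13s :%-4d %-8s -> %-8s allowed=%v\n", c.src, c.dst, c.port,
			segmentOf(c.src), segmentOf(c.dst), Allowed(c.src, c.dst, c.port))
	}
}
```

The useful property is that the table is the whole policy: a flow that nobody wrote down is denied, so adding the "old medical devices" subnet costs one line and exposes nothing until a flow is explicitly granted.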

Take Identity and Access Management Seriously

Identity and Access Management

Many people, with many different job titles, need access to patient data. What a physician needs to see will differ dramatically from what an attending nurse, bill collector or fundraising coordinator needs to see. Use IAM technology to give employees access to only the data that’s relevant to their role within the healthcare organization. Automate this process, so all the new residents who start July 1 have individual accounts. Make it easy for one user to log off a shared machine and another user to log on, too. That way, employees actually use their own login credentials, which makes audit trails easier to follow, and applications aren’t carelessly left unattended just because no one logs off when they walk away from a computer.
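Role-based access, as the slide describes it, means the application decides which fields of a record a user's role may see and logs every access under that user's own account. The Go program below is an added example of that logic, not code from the article or from any IAM product; the roles, the record fields each role may view, the sample record and the account names are all constructed. Shared or blank logins are refused so that the audit trail always names an individual, which is the point the slide makes about logging off shared machines.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

type Role string

const (
	Physician   Role = "physician"
	Nurse       Role = "nurse"
	Billing     Role = "billing"
	Fundraising Role = "fundraising"
)

// fieldsFor maps each role to the record fields its job needs. Anything absent is
// withheld; there is no "all fields" role. Field names are constructed for the example.
var fieldsFor = map[Role][]string{
	Physician:   {"name", "dob", "diagnosis", "medications", "notes"},
	Nurse:       {"name", "dob", "medications", "allergies"},
	Billing:     {"name", "insurance_id", "balance"},
	Fundraising: {"name", "mailing_address"},
}

// User is an individual account. Shared or anonymous logins are refused in View.
type User struct {
	ID   string
	Role Role
}

// AuditEntry records who saw what, and what they asked for but were not shown.
type AuditEntry struct {
	At       time.Time
	UserID   string
	Role     Role
	Patient  string
	Shown    []string
	Withheld []string
}

type RecordStore struct {
	records map[string]map[string]string
	Audit   []AuditEntry
}

func NewRecordStore() *RecordStore {
	return &RecordStore{records: map[string]map[string]string{}}
}

func (s *RecordStore) Put(patientID string, rec map[string]string) { s.records[patientID] = rec }

// View returns the requested fields that u's role permits and appends an audit entry.
func (s *RecordStore) View(u User, patientID string, requested []string) (map[string]string, error) {
	if u.ID == "" || u.ID == "shared" {
		return nil, errors.New("individual credentials required")
	}
	allowed, known := fieldsFor[u.Role]
	if !known {
		return nil, fmt.Errorf("unknown role %q", u.Role)
	}
	rec, ok := s.records[patientID]
	if !ok {
		return nil, fmt.Errorf("no record %q", patientID)
	}
	permitted := map[string]bool{}
	for _, f := range allowed {
		permitted[f] = true
	}
	out := map[string]string{}
	entry := AuditEntry{At: time.Now(), UserID: u.ID, Role: u.Role, Patient: patientID}
	for _, f := range requested {
		switch v, present := rec[f]; {
		case !permitted[f]:
			entry.Withheld = append(entry.Withheld, f)
		case present:
			out[f] = v
			entry.Shown = append(entry.Shown, f)
		}
	}
	sort.Strings(entry.Shown)
	sort.Strings(entry.Withheld)
	s.Audit = append(s.Audit, entry)
	return out, nil
}

func main() {
	s := NewRecordStore()
	s.Put("MRN-0001", map[string]string{ // constructed sample, not a real patient
		"name": "Jane Doe", "dob": "1970-01-01", "diagnosis": "J45.909",
		"balance": "250.00", "mailing_address": "1 Main St",
	})
	req := []string{"name", "diagnosis", "balance", "mailing_address"}
	for _, u := range []User{{"dr.smith", Physician}, {"billing.01", Billing}, {"shared", Nurse}} {
		got, err := s.View(u, "MRN-0001", req)
		fmt.Println(u.ID, got, err)
	}
	for _, e := range s.Audit {
		fmt.Printf("%s (%s) on %s: shown %v, withheld %v\n", e.UserID, e.Role, e.Patient, e.Shown, e.Withheld)
	}
}
```

Recording the withheld fields as well as the shown ones is what makes the trail worth following: a billing account that keeps asking for diagnoses stands out even though it never received one.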

Create an Airtight BYOD Policy

BYOD policy

Mobile devices such as the iPad will make their way into healthcare facilities whether you like it or not. It’s only a matter of time before doctors want access to PHI on them. In your BYOD policy, prevent users from storing data locally, lest the device fall into the wrong hands, and insist upon bidirectional authentication to verify a password and a token whenever access to PHI is requested. (An extra step, yes, but it ensures that the correct person is viewing the data.) Consider measures that prevent devices from connecting to healthcare apps beyond a certain distance from the medical campus or after a certain length of time. Finally, maintain remote wipe and autolock capabilities and forbid the use of cellphone cameras.

Examine Service-Level Agreements With a Fine-Toothed Comb

Service-Level Agreements

The cloud is an increasingly attractive option for healthcare organizations that need to archive years’ worth of patient data but lack the space (or expertise) to do it onsite. If you go to the cloud, keep several things in mind. Your SLA should clearly state that you, not the cloud service provider (CSP), own your data. The SLA should also spell out how the CSP will comply with HIPAA, PCI DSS and relevant state data privacy laws and how you will be granted access to your data. Examine the provider’s backup, disaster preparedness, disaster recovery and uptime guarantees carefully. This is especially true if you’ve decided to move mission- and life-critical data to the cloud, as this places a premium on application recovery.

Nag Business Associates

HIPAA Business Associate Agreements

Under revised HIPAA rules, HIPAA business associates are held to the same standards as HIPAA covered entities when it comes to protecting patient data and being fined for failing to do so. Update your business associate agreements to reflect this—and do so regularly. Force business associates to create processes for discovering and reporting data breaches to you. Work with them to explicitly state who’s responsible for what in the event of a data breach, and remember that state breach notification laws may differ from HIPAA. Make your BAs responsible for their subcontractors’ actions, since a healthcare data breach caused by the subcontractor will eventually get back to you.

Hire a Good Lawyer

Healthcare Law

If you do suffer a breach, expect to hear from the Office for Civil Rights within the U.S. Department of Health and Human Services; the OCR investigates and hands out fines for HIPAA violations. Expect to hear from lawyers representing patients, too. Law firms see big money in healthcare breach cases, which isn’t surprising since there have been more than 500 since 2009—many of them preventable. Proving negligence can be difficult, though, since even organizations in full compliance with the law have suffered a breach. Whatever happens, play nice. Cignet Health, recipient of the largest HIPAA fine to date ($4.3 million), was hit so hard because it withheld patient records and didn’t cooperate with OCR.