A recent study by the Ponemon Institute showed that not only has the frequency of data breaches increased 32 percent in the past year, but that their estimated cost now stands at $6.5 billion.
Eric Darbe, director of product marketing at Nashua, N.H.-based compliance specialists HiSoftware, believes more organizations can stand to learn a thing or two about working with sensitive data. He suggests six tips for handling personal health information.
1. Create a governance board. Darbe said having buy-in across the organization is key, and that gaining support to address PHI and other security issues is the first step to creating awareness and building a security strategy. “Does everyone agree there’s a problem?” he said. “And [do they know] what that problem is? This [board] should involve all stakeholders in the organization.” Darbe said the board should include IT security folks, but also practitioners and other professionals using the information, “so they understand what the risks are,” he added. And vice versa: IT personnel need to understand what practitioners are trying to accomplish day to day with these tools. “The first thing is to have a cross-functional board that looks at all the various issues around information security risks, while also putting policies down on paper,” said Darbe.
2. Take time to implement policies. It’s not enough to write down your policies, said Darbe. Although defining them is important, he suggests having some sort of automated monitoring in place to make sure policies are being followed. “You need to actually understand what’s happening with that content, and what the risk there is to PHI,” he said. Training is another component of implementing policies, and according to Darbe, it needs to cover the automated monitoring tools as well. “It’s understanding, in detail, the risks that require some sort of training as well as the automated monitoring,” he said. “And the automated monitoring shouldn’t get in the way of people doing their job; it should provide reminders to them to not put information into areas they shouldn’t or move it from one spot to another.”
3. Don’t assume everything in your organization is secure. “There are different levels of risk, and firewalls and end-point security are important pieces of the puzzle,” said Darbe. “But what your employees do with that information in your own vaults and having a program in place to understand that is important.” He suggests taking a good look at information and understanding what may contain sensitive data. In turn, this is “getting in front of a potential problem by monitoring how folks are using the information.” Darbe also referenced a recent instance in which a Hershey Medical Center employee was fired after the breach of former college football coach Joe Paterno’s electronic health records. “This is one of those bad things that happens, and it spins out into this whole big controversy,” he said. “That’s an important point: know what you don’t know. Take a look at yourself and don’t assume things are secure.”
4. Don’t be a “Dr. No.” Darbe borrows the name of James Bond nemesis Dr. No to explain how employees will find ways to communicate and share information, whether proper and secure methods of doing so are in place or not. “You can’t be Dr. No – it’s not 1995 anymore, and you can’t say, ‘You can only access what I tell you to access,’” he said. “With all the technology available, ultimately, people are on a whole different expectation level and understanding of what’s possible with IT.” He said, for example, that telling a group of doctors not to share information isn’t an option, “because they’ll use Google Docs to do it.” Instead, investing in secure sharing tools is important. A recent example at Stamford University helps illustrate Darbe’s point. A business associate looking for help to convert data into a bar graph posted personal health information online, creating a significant breach for the university. “It was second nature to post it on this homework help site,” Darbe said. “They were trying to do a good job, but there was a breakdown from a training standpoint.” The lesson? “You have to find ways to provide these capabilities to employees, or they’ll find ways to do it. It’s important to make this part of the culture.”
5. Take advantage of incentives. Darbe said Meaningful Use and HIPAA incentives help motivate organizations to use personal health information more carefully. “A single doctor in an office can get between $44,000 and $65,000 per year for meaningful use compensation, while an eligible hospital can get up to $10 million,” he said. “In order to really comply with the meaningful use rules and get access to that dollar, it’s more than emailing information.” Ultimately, said Darbe, these incentive programs relate to transferring information in a HIPAA-compliant manner and protecting the privacy of the individual whose information is being moved. “This touches back to the previous points of developing policies and procedures to monitor that compliance going forward,” he added.
6. Have a defensible strategy. To explain the importance of having a defensible strategy, Darbe took a cue from football phenomenon Tim Tebow. “He’s constantly referring to God and all these things, so in the spirit of Tebow mania, there’s a prayer about if Jesus shows up at your door, would you let him in and look around, or would you hide things under the couch?” he said. “Basically, what would they find if Jesus showed up [as] an auditor?” Darbe added it’s not enough to say you have policies in place. Instead, you have to show that day to day, you have systems in place that monitor employees and policies, and if a breach should occur, you report it to authorities. “You don’t want it ending up on a homework help site,” he said. “You have to demonstrate you’re taking this seriously, since you’ve been entrusted with this information.”
Follow Michelle McNickle on Twitter, @Michelle_writes