Commentary: What healthcare can learn from avionics about security
Not a week goes by without hearing about a data breach in the healthcare industry, it seems. Well-publicized cracks in our healthcare security don’t do much for public confidence in EHRs and other health IT. Appropriately and tightly securing data isn’t necessarily difficult, but there are so many moving parts and considerations that it’s easy to miss something that can make data vulnerable.
Organizations must take a “no excuses” approach to healthcare data security. By “no excuses,” I mean you should accept no excuses for creating solid security procedures designed to ensure that breaches never happen in the first place.
It’s not just the fines that you have to fear. The influx of “big data” is stressing your systems every day, and someday providers will need to seriously consider cloud-based storage as a solution to data management problems. If the cloud is in healthcare’s future, you have to ensure that your organization has the ability to secure your own data when it’s always under your purview. The familiar stories of stolen laptops and putting a server online prematurely clearly demonstrate that the industry isn’t quite ready for cloud-based healthcare data management.
Anatomy of a Crash
I am a big fan of the National Geographic show “Anatomy of a Crash.” The show proves that it’s never just one thing that leads a bridge to collapse or a plane to fall from the sky. It’s a series of small, seemingly inconsequential decisions or actions.
Many years ago I asked my dad — a pilot — what made airplane engines so reliable. After all, you hardly ever hear about plane crashes due to engine failure. If my car’s engine goes out, I just pull onto the side of the road; with an airplane, I don't have that luxury. My dad’s response? “It’s simple: weight, redundancy and usage.” Airplanes are built with better quality metals. There is redundancy within the system, not only multiple engines but multiple fail-safes within the engine. And airplane engines are used fully each time, unlike a car engine that is run hot and cold. Running hot and cold puts additional stress on the lower quality metals used in car engines, causing more breakdowns.
What can the healthcare industry learn from avionics? Plenty. You have to build redundancy into your systems so that one seemingly inconsequential decision doesn’t expose hundreds of thousands of medical records. When healthcare data gets breached, the damage is already done — you can't just “pull over to the side of the road.” To avoid breaches, you need to ensure that your engine (i.e., data systems) is protected with the best available technologies. You build redundancy in the system to ensure one person or technology isn't able to expose the system. And finally, you have to use the system — the data protection processes that are in place.
People, Process, Technology and Culture
A great way to think about this is the familiar people, process, culture and technology meme.
- People: You have to have people who understand not only your security requirements but also the implications of the requirements in order for them to institute the right policies.
- Processes: Done well, processes can be excellent safeguards. However, organizations should avoid the temptation to overdo it. Security processes should be clear and well documented, with additional steps built in when there is a potential exposure risk to protected health information (PHI).
- Technology: It can't solve everything, but technology can help put safeguards in place to ensure that it's harder to have a breach.
- Culture: Finally, your organization should have a culture of respect, not fear, of the data that you safeguard.
The people in your organization keep the data safe, either directly or indirectly, through processes and technologies. Not only should you invest in security leadership but you should also ensure that the team responsible for security is given the right authority to accomplish the job right the first time. Your security officer should report up to the C-suite — it’s that important. Your security team should have a formal budget, not just a line item buried in an IT budget somewhere.
The security group should also spend time “marketing” the idea that data is a precious asset. Years ago I worked at a health plan that had posters in the break-room that said “Loose lips sink ships, keep your password safe.” Not the most creative piece of propaganda, but it clearly worked because I still recall it.
The security of your data resides with your people. People install technology and follow processes, so spend the appropriate amount of time to make sure that everyone understands the implications of a data breach. Remember, you need to educate anyone in your organization who can hire a consultant, give them a laptop, or provide them access to your data.
When it comes to healthcare security, a strong process strictly followed is your best failsafe. Data security experts have talked for years about the need to secure data at many levels: at the database, at the application and, of course, on the computer itself. If each of these levels of security is in place, then even if a laptop gets stolen, it should be encrypted, with access to data provided only to those who need it to do their job, using a separate password for access to data.
Take the time to consider all the ways that data could be exposed. Think about the different levels of data that you can secure and begin by creating processes that ensure that data is safeguarded at every step. Ensure that your data security policies meet the letter of the law, but also the spirit. Just because the regulation doesn’t require you to encrypt data doesn’t mean it isn’t a good idea. The Utah Department of Health and Human Services certainly understands that now, after exposing personal information for nearly 800,000 people. When asked, an official for the department said the information wasn’t encrypted because it wasn’t required by federal law.
The good news is that the technology has advanced to such a degree that encryption, row-level security and application security are easy to come by and relatively easy to implement. But they are only of use if they are actually put into practice. New technology, such as mobile devices, can also introduce new risks for data breaches. Smartphones have changed our lives, allowing us to see data and reports regardless of where we are, but securing mobile devices opens up an entirely new can of worms.
Unfortunately for those of us that like how easy data is to access on these devices — which makes them more vulnerable — most experts agree that at least a two-stage authentication process must be required for devices to use data. Distinct from two-factor authentication, this means that you must have a password to get into the device and a separate password that allows you to access data. If the device is stolen or misplaced, it’s critical that a remote wipe function has been enabled to allow you to protect it.
Balancing the need for easy access with strong data security is often what drives compromises. A clear doctrine that data security is everyone’s business has to come from the very top of your organization. Every role, from the data analyst to the VP of operations to HR, has to understand that healthcare organizations are the stewards of very personal data and, as such, require that everyone takes that responsibility personally.
It is unlikely that there will ever be a day when data breaches completely disappear. There will always be a risk because of the value of data you guard. What should disappear, however, are preventable instances of data breaches that routine security procedures would have stopped in their tracks.
Laura Madsen leads the healthcare practice for Lancet, where she brings a decade of experience in BI and data warehousing for healthcare, and a passion for engaging and educating the BI community. She also works with key accounts across the country in the provider, payer, and healthcare manufacturing markets. Laura founded the Healthcare Business Intelligence Summit, an annual event that brings together top hospitals, insurers, and suppliers in the healthcare business intelligence space.