The number of people touching data during its lifecycle contributes to breaches, and a good security program needs to cover all potential areas of exposure in order to be effective.
By Deena Coffman, Chief Executive Officer, IDT911 Consulting
As data breaches at healthcare organizations continue to make headlines, IT groups are responding to a notable trend: the number of people touching data during its lifecycle within the organization continues to grow. So, too, does the number and variety of mobile devices in use. This proliferation of exposure points increases the likelihood of a data breach and makes it more important than ever to prioritize the security of patients’ protected health information (PHI) when it is used by employees and business associates, and transferred to and from mobile devices. A security program must cover all potential areas of exposure. Locking down servers, websites and routers certainly is important. But leaving exposures through untrained medical staff, unmonitored business associates, and uncontrolled use of mobile devices is akin to locking the house doors while leaving the windows open.
Protecting PHI
The sheer number of individuals, both employees and business associates, with access to PHI in a typical healthcare organization is often much larger than most people realize. And while each of these individuals may have legitimate needs to interact with patient data at various points in time, not all employees and contractors need to access all information, all of the time. Organizations must monitor and control who is able to access patient information that is collected and stored within the organization. Access should be parsed by job functions and only permitted for the time it is needed to provide patient care or related administrative duties. By controlling access levels on a granular level, healthcare providers can greatly limit the amount of data exposed.
As employees and contractors are transferred, promoted or leave the organization, or as contracts with business associates end, it’s important that access levels change accordingly. Take the time to develop, implement and audit procedures that will trigger a review and, if appropriate, a modification to an employee’s access permissions any time his or her job function changes. The same process should include notification to the IT group when an employee or contractor leaves the organization, so their access can be quickly removed. In organizations with frequent staffing changes, a monthly audit of accounts should be performed to verify that all accounts are current and that an outdated account has not been overlooked. Unexpected employee departures are often missed by the normal HR processes and can produce a greater risk of data breach by a disenfranchised former employee who is still able to access information systems. Similarly, contracts with business associates often terminate without notice to HR, so the request to change account permissions is often not triggered. A periodic audit will help locate these instances as well as suggest protocol changes that can catch future occurrences.
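The two preceding paragraphs describe a periodic reconciliation: every account should map to a current employee in the HR roster or to an open business-associate contract, its permissions should match the owner's current job function, temporary grants should have lapsed on time, and no account should go unreviewed for longer than the audit interval. The script below is an added illustration of that audit (it is not the author's code or any vendor's product); the record formats, role names and the sample roster, contracts and accounts are constructed for the example.

```python
"""Monthly account audit: reconcile identity-system accounts against the HR roster and
the business-associate contract register, and flag stale or drifting access.

Added example for this article; data formats and sample records are assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner_id: str                      # HR employee id or business-associate contract id
    role: str                          # job-function role the account currently carries
    last_review: date                  # last time the permissions were reviewed
    temporary_grants: Dict[str, date] = field(default_factory=dict)  # resource -> expiry


@dataclass
class Finding:
    username: str
    issue: str
    action: str


# Constructed sample data (not from any real organization).
HR_ROSTER: Dict[str, Tuple[str, bool]] = {   # employee id -> (current role, still employed?)
    "E100": ("nurse", True),
    "E200": ("billing", True),                # promoted from nursing to billing
    "E300": ("nurse", False),                 # left; HR offboarding never reached IT
}
CONTRACTS: Dict[str, Optional[date]] = {      # contract id -> end date (None = open-ended)
    "C7": date(2015, 3, 31),                  # coding contract that already ended
    "C8": None,
}
TODAY = date(2015, 6, 1)
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", "nurse", date(2015, 5, 22)),
    Account("rsmith", "E200", "nurse", date(2015, 5, 27)),       # role never updated
    Account("mlee", "E300", "nurse", date(2015, 4, 20)),         # departed employee
    Account("coder1", "C7", "contractor_coder", date(2015, 5, 30)),
    Account("coder2", "C8", "contractor_coder", date(2015, 5, 25),
            temporary_grants={"ehr_read": date(2015, 5, 31)}),  # grant expired yesterday
    Account("ghost", "E999", "billing", date(2015, 5, 28)),      # nobody owns this one
]


def audit_accounts(accounts: List[Account], today: date,
                   roster: Dict[str, Tuple[str, bool]] = HR_ROSTER,
                   contracts: Dict[str, Optional[date]] = CONTRACTS,
                   review_interval: timedelta = timedelta(days=30)) -> List[Finding]:
    """Return one Finding per condition that the audit should escalate."""
    findings: List[Finding] = []
    for a in accounts:
        if a.owner_id in roster:
            hr_role, active = roster[a.owner_id]
            if not active:
                findings.append(Finding(a.username, "owner no longer employed", "disable account"))
            elif hr_role != a.role:
                # Job function changed but permissions were never re-reviewed.
                findings.append(Finding(a.username, f"role drift: HR says {hr_role}, account has {a.role}",
                                        "re-review permissions"))
        elif a.owner_id in contracts:
            end = contracts[a.owner_id]
            if end is not None and end < today:
                findings.append(Finding(a.username, "business associate contract ended", "disable account"))
        else:
            findings.append(Finding(a.username, "no HR or contract record for owner", "investigate and disable"))
        for resource, expiry in a.temporary_grants.items():
            if expiry < today:
                findings.append(Finding(a.username, f"temporary grant to {resource} expired", "revoke grant"))
        if today - a.last_review > review_interval:
            findings.append(Finding(a.username, "access review overdue", "schedule review"))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[str]:
    """Usernames whose findings call for immediate disabling, in audit order, deduplicated."""
    seen: List[str] = []
    for f in findings:
        if f.action.endswith("disable") or f.action == "disable account":
            if f.username not in seen:
                seen.append(f.username)
    return seen


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.username:8} {f.issue:55} -> {f.action}")
    print("disable now:", accounts_to_disable(audit_accounts(SAMPLE_ACCOUNTS, TODAY)))
```

Run against the sample data, the audit flags five of the six accounts and leaves only the current, correctly-scoped one untouched; the role-drift check is what catches the transfer case the article describes, where an HR change happened but no permission review was triggered.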
Laptops, tablets and smartphones are increasingly used in healthcare settings, but data security practices don’t always keep pace with the changes in technology. Mobile devices are more easily lost or stolen than their weighty desktop brethren, and this sets organizations up for a greater chance of having PHI fall into the wrong hands. A data breach can be something as simple as an employee losing a mobile device, so mobile device management is crucial, especially if those mobile devices log into larger systems with stored credentials. Mobile device management platforms offer the ability to not only remotely remove sensitive data from a wayward device, they also give administrators the ability to enforce strong password requirements, limit the applications that can be used on the device, and control which network assets each device is authorized to access.
A quick word about passwords: Passwords, although not a strong single line of defense, are still widely used. Because passwords can often be easily “cracked,” robust passwords, an account lockout policy for failed login attempts, and periodic password changes all should be required. Passwords should be changed every 120 days at a minimum to ensure that if a password has been stolen, even in hashed form, or obtained on the black market, it is likely to have been changed before a data thief is able to obtain the plain-text version and use it for unauthorized access. In addition, administrators may want to consider more stringent security measures, such as two-factor authentication, for the organization’s most critical data assets.
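The lockout and rotation rules above are simple to state but easy to implement loosely (a lockout that never expires, a failure counter that never resets, or a password-age check that runs only at change time). The following added example, not the author's code, shows one self-contained implementation of both controls: failed attempts are counted within a sliding window, the account locks for a fixed period once the threshold is reached, and a successful login is refused when the password is older than the article's 120-day maximum. The threshold, window and lockout length are assumed values chosen for the demonstration.

```python
"""Account lockout on repeated failures plus a 120-day password-age check.

Added example for this article; the policy constants are assumed, and the
credential check itself is represented by a boolean supplied by the caller.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

MAX_FAILURES = 5                          # assumed threshold
FAILURE_WINDOW = timedelta(minutes=15)    # assumed sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed lockout length
MAX_PASSWORD_AGE = timedelta(days=120)    # the article's minimum rotation interval


class AccountState:
    def __init__(self, password_set: datetime) -> None:
        self.failures: Deque[datetime] = deque()     # timestamps of recent failed attempts
        self.locked_until: Optional[datetime] = None
        self.password_set = password_set             # when the current password was set


class LoginPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def register(self, user: str, password_set: datetime) -> None:
        self.accounts[user] = AccountState(password_set)

    def attempt(self, user: str, credential_ok: bool, now: datetime) -> str:
        """Evaluate one login attempt. Returns one of:
        'locked', 'denied', 'password_expired', 'ok'."""
        st = self.accounts[user]
        # An active lockout rejects every attempt, correct credentials included.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None       # lockout elapsed; start counting afresh
            st.failures.clear()
        # Forget failures that fell outside the sliding window.
        while st.failures and now - st.failures[0] > FAILURE_WINDOW:
            st.failures.popleft()
        if not credential_ok:
            st.failures.append(now)
            if len(st.failures) >= MAX_FAILURES:
                st.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "denied"
        st.failures.clear()               # a good login resets the counter
        if now - st.password_set > MAX_PASSWORD_AGE:
            return "password_expired"     # force a change before granting access
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2015, 6, 1, 9, 0)
    policy = LoginPolicy()
    policy.register("alice", t0 - timedelta(days=10))
    for i in range(5):
        print("alice bad password:", policy.attempt("alice", False, t0 + timedelta(seconds=i)))
    print("alice right password during lockout:", policy.attempt("alice", True, t0 + timedelta(minutes=1)))
    print("alice right password after lockout:", policy.attempt("alice", True, t0 + timedelta(minutes=31)))
    policy.register("bob", t0 - timedelta(days=130))
    print("bob right password, stale:", policy.attempt("bob", True, t0))
```

Two design points matter for a defender: the lockout check runs before the credential is evaluated, so a stolen but correct password gains nothing while the account is locked, and the failure window is a sliding one, so a slow trickle of failures spread over hours does not accumulate into a lockout that a legitimate user would trip by accident.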
Take time to train
Implementing security technology and establishing protocols is only part of the formula for a well-developed security program. For the technology and processes to be effective, employees must know how to use them and must put them into practice in daily activities. It can be difficult to carve out a large block of time for training, and training delivered only once in a while is limited in its effectiveness. Frequent, brief communication coupled with audits by management to verify program efficacy can work wonders for managing the risk of a data breach. Be sure that employees understand what is required of them any time they access or transfer protected information belonging to patients or employees. Work with employees and business associates to also ensure they are knowledgeable about the role they play in keeping sensitive data safe. Updated training should be provided when an employee’s job function or data access level changes or when new technologies impact how information is stored or accessed.
Additional steps can be taken to make employees’ interactions with PHI even more secure. Instead of providing downloaded data, consider implementing a thin client solution where the data remains on the secure server and the employee or contractor has access to, but does not receive a copy of, the data for use only during the delivery of patient care. This approach significantly limits the amount of PHI that proliferates across a network or that is able to escape the network controls. Encryption is another solution worthy of adoption, especially when sensitive information needs to reside on a mobile device. Encryption can help to protect the PHI stored on a lost or stolen device and may make the difference between having to notify patients that you have lost their personal information and not having to deliver that awkward message.
Follow up with a breach response plan
As part of a strong data protection program, healthcare organizations also should create and implement a breach response plan. These plans are step-by-step strategies that can be put into action as soon as a breach is suspected. They lay the foundation for managing any potential exposure.
Breach response plans don’t need to be exhaustive before they can be launched. In fact, a very simple plan with a few basic steps that everyone understands is better than a robust plan that has not been communicated. The first step in crafting an effective plan is to identify your data assets and determine where in the network they can be accessed, where they can proliferate and escape, and which employees are able to access that data. This inventory will guide decisions relating to what signs of a potential data breach are most likely, when and where they would occur and communication to employees and contractors on how to identify and report such signs.
A breach response plan also should include a thorough and candid assessment of the resources available to your organization should a breach occur. Does your team have the expertise in-house to perform a forensic analysis of a compromised network? Do you have professional communications staff that can manage the message to patients, employees or other affected individuals? What and how you communicate bad news will impact your reputation and relationships with the affected individuals. Is your staff large enough to receive a flood of calls with questions from affected individuals and reporters? Is funding pre-approved so that response is not delayed while contracts are negotiated and spending approvals are sought? A good response plan will provide a guide for decisions to be made during a crisis as well as supply necessary resources for a rapid response.
Once you have the backbone of your response plan in place, be sure to test it periodically. The testing doubles as training that lets response team members function comfortably and confidently in a crisis. When proactive data security measures are supported with a practical and practiced breach response plan, your employees become a crucial first line of defense in protecting patients’ sensitive data and your organization’s reputation.
About the author
Deena has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. She has led teams of computer forensics, information security and project management professionals, developed global technology and data management standards, negotiated complex technology contracts for cost and risk reduction, and led program audits and security assessments.