Guest Column | December 18, 2017

When It Comes To Sharing Patient Information, Can You Do it Securely?

By Marianna Prodan, Director of Healthcare Solutions, Accellion


The healthcare IT systems used to collect, store and share confidential patient information are under constant attack. The Identity Theft Resource Center reports the healthcare industry experienced 179 breaches in just the first half of this year, accounting for nearly a quarter of all breaches in the U.S. The Dark Web is a thriving marketplace for packages of protected health information (PHI) that thieves can use to steal identities or file fake medical claims. Reversing this trend and demonstrating compliance with the industry regulations and laws governing the protection of PHI requires healthcare organizations to have full visibility into where patient data and other sensitive information sits within their networks.

The frequency and scope of data breaches in the healthcare industry have grown as providers and payers continue their years-long efforts to digitize all paper medical records. By the end of 2017, over 90 percent of office-based clinicians will have replaced their legacy paper file-and-folder systems with electronic medical records (EMR) systems.

But if these systems are cumbersome to use, medical staff may take it upon themselves to start using public cloud applications like Google Drive, Dropbox and Evernote to store and share patient information. The propensity for users to do so without IT’s permission (or even knowledge) has given rise to the “Shadow IT” trend.

On the one hand, using a consumer-grade public cloud solution makes it easier for healthcare professionals to collaborate with colleagues, partners and patients. On the other, such solutions lack the security features needed to properly mitigate the risk of data loss. They aren’t just ill-equipped to transfer terabytes of information; they are also insecure. In addition, they cannot provide IT with full visibility over the movement of files across the network. IT must know who has access to a patient file, whether the file has been changed or modified in any way, and whether the file has been shared (and with whom). In the event of a data breach, that information is critical to identifying the cause and which files may have been exposed. To be clear, full visibility into file access and activity isn’t just a security requirement. Healthcare organizations need to demonstrate these capabilities in order to comply with HIPAA.

That is why healthcare organizations should consider deploying a secure file sharing solution that strikes a balance between improving user productivity and reassuring the CISO that PHI is being shared securely. Ideally, the solution can integrate with the disparate systems that store patient information: not just EHR systems but also CRM, ERP and ECM systems like Salesforce, Oracle, and SharePoint, respectively. Additionally, if the solution has a familiar look and feel similar to everyday applications such as email, employees are more likely to adopt it and incorporate it into their workflows.

For maximum security, healthcare providers should ensure that a file sharing platform includes several key capabilities, including: encrypting files at rest and in transit, performing anti-virus scans and sandboxing processes on all file uploads to prevent ransomware or other malware from infecting the network, and integrating with data loss prevention (DLP) technology to identify content that is restricted from entering or leaving an organization.

Furthermore, when mobile devices are used to store PHI, the solution should include a way to segregate patient information from other information on the device and even remotely delete it should the device be lost, stolen or compromised by an unauthorized user.

Implementing effective controls and policies for the secure access and sharing of PHI will also enable an organization to demonstrate compliance with industry regulations and laws, most notably HIPAA and HITECH. This is exceptionally important following a data breach, as IT can quickly identify the root cause of a breach and what files may have been exposed, and present those details in an auditable format to internal auditors, forensic teams, and government regulators.
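The visibility requirement set out above (who has access to a file, whether it was modified, and with whom it was shared) and the auditable record that investigators and regulators ask for after a breach can be demonstrated with a small append-only audit trail. The following Python is an added example written for this column; it is not Accellion's product code and not the author's. It assumes a hypothetical in-memory file store wrapped by an `AuditTrail` class, logs every upload, view, modify and share event with a SHA-256 of the file content at that moment, answers the three questions IT must answer, flags content altered outside the logged path, and exports the record as JSON lines. Names, file ids and the sample chart activity are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One immutable audit record; sha256 is the file content at event time."""
    ts: str
    actor: str
    action: str                   # "upload", "view", "modify" or "share"
    file_id: str
    sha256: str
    target: Optional[str] = None  # recipient, for "share" events only


class AuditTrail:
    """Append-only activity log around a hypothetical file store (constructed).
    Every read, write and share of a file passes through here and is logged."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []
        self._store: Dict[str, bytes] = {}  # stand-in for the real file store

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def _log(self, actor: str, action: str, file_id: str,
             target: Optional[str] = None) -> AuditEvent:
        ev = AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action,
                        file_id, self._digest(self._store[file_id]), target)
        self._events.append(ev)
        return ev

    def upload(self, actor: str, file_id: str, data: bytes) -> AuditEvent:
        self._store[file_id] = data
        return self._log(actor, "upload", file_id)

    def view(self, actor: str, file_id: str) -> AuditEvent:
        return self._log(actor, "view", file_id)

    def modify(self, actor: str, file_id: str, data: bytes) -> AuditEvent:
        if file_id not in self._store:
            raise KeyError(f"unknown file {file_id}")
        self._store[file_id] = data
        return self._log(actor, "modify", file_id)

    def share(self, actor: str, file_id: str, recipient: str) -> AuditEvent:
        return self._log(actor, "share", file_id, target=recipient)

    # The questions IT must be able to answer after an incident.

    def events_for(self, file_id: str) -> List[AuditEvent]:
        return [e for e in self._events if e.file_id == file_id]

    def who_has_access(self, file_id: str) -> Set[str]:
        """Everyone who touched the file plus everyone it was shared with."""
        acc: Set[str] = set()
        for e in self.events_for(file_id):
            acc.add(e.actor)
            if e.action == "share" and e.target:
                acc.add(e.target)
        return acc

    def was_modified(self, file_id: str) -> bool:
        """True if the logged content hash ever changed after upload."""
        return len({e.sha256 for e in self.events_for(file_id)}) > 1

    def shared_with(self, file_id: str) -> List[Tuple[str, str]]:
        return [(e.actor, e.target) for e in self.events_for(file_id)
                if e.action == "share" and e.target]

    def unlogged_change(self, file_id: str) -> bool:
        """Mismatch between stored content and the last logged hash means the
        file was altered outside the audited path (tampering or a bypass)."""
        evs = self.events_for(file_id)
        if not evs:
            return False
        return self._digest(self._store[file_id]) != evs[-1].sha256

    def export_jsonl(self, file_id: str) -> str:
        """One JSON object per line, a format forensic teams can ingest."""
        return "\n".join(json.dumps(asdict(e)) for e in self.events_for(file_id))


def demo() -> dict:
    """Constructed sample activity on one fictional patient chart."""
    trail = AuditTrail()
    trail.upload("dr_lee", "chart-001", b"visit notes v1")
    trail.view("nurse_kim", "chart-001")
    trail.share("dr_lee", "chart-001", "dr_patel@partner.example")
    trail.modify("dr_lee", "chart-001", b"visit notes v2")
    return {
        "access": sorted(trail.who_has_access("chart-001")),
        "modified": trail.was_modified("chart-001"),
        "shared_with": trail.shared_with("chart-001"),
        "tampered": trail.unlogged_change("chart-001"),
        "records": len(trail.export_jsonl("chart-001").splitlines()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the log is written by the same code path that performs the action, so an event cannot be skipped without also skipping the action, and the per-event content hash lets a reviewer answer "was it changed" from the log alone rather than by trusting the current file. In a real deployment the log would live in write-once storage separate from the file store, which is what makes it credible to an auditor.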

Healthcare organizations need to be able to secure patient information. Patient privacy is at risk when PHI is stored in the network, transferred with a patient to another facility, and shared with external doctors, researchers, and insurance providers. If a healthcare organization can provide its staff with the tools to access and share patient information securely and efficiently, it’s possible to protect patient privacy and demonstrate compliance with HIPAA. And if a healthcare organization can do this, everyone benefits.

About The Author

Marianna Prodan is the Director of Healthcare Solutions at Accellion. She is responsible for the Company’s healthcare strategy, including market research, positioning, messaging, content development, sales enablement and lead generation. Marianna has extensive product marketing, marketing and business development experience with technology companies including NextPlane, Cloudplace, and TeliaSonera. She holds an MBA from Cass Business School of the City University of London.