Ten Healthcare Data Items That Can Fall Through the Cracks (United States)

Today's technology driven world is constantly changing and evolving. Although innovations are advancing the healthcare field, technological changes necessitate increased attention to security. Technology makes data more accessible, but in a healthcare setting where that data often contains sensitive Protected Health Information ("PHI") and/or Personally Identifiable Information ("PII"), a set of unique risks arises. Those with access to such data should be aware of a number of healthcare specific causes for data loss in day-to-day operations.

 

Selecting security measures for a business is a balancing act between security and usability. An enterprise network may be made completely secure - impenetrable even - but that impenetrability would extend to the intended users and the network would be rendered worthless to the organization. The more moats built around a castle, the more difficult it becomes to access and live in the castle and while, arguably, the castle is more secure as a result, that security counts for little if the castle is not available for its intended purpose. The same concept holds true for businesses seeking to create usable, yet secure systems around data. If too many moats exist, employees may look for easier ways into the castle. Many workplaces and employees will sacrifice security as a means of increasing "efficiency"—for example, saving a system login password, failing to secure files, or neglecting to engage a time-consuming encryption program. While these shortcuts certainly allow employees to work faster, they simultaneously compromise network and enterprise data security and, in the long run, may cost the organization far more than the time that would have otherwise been spent by the employee to secure the organization's data.

Alternatively, a castle containing sensitive data that has too few moats, will leave that sensitive data at risk. In the short term, fewer security measures will increase usability, but, in the long term, the system may be compromised by a variety of data security breaches, which will ultimately have a profound negative effect on usability. This balancing act of security and efficiency is often difficult to master, and organizations are tasked with continually weighing security measuring against cost, usability and other business-specific concerns to reach a solution that meets the organization's unique business requirements and risk tolerance.

 

Employee error is now the leading cause of data breaches. Phishing emails sent by third parties are designed to trick employees into giving up their personal information, their employer's business information, and the sensitive personal information of other employees or customers. The moment a single untrained employee clicks on a link or forwards sensitive company information to the cybercriminal, the damage is done. Health companies are especially vulnerable to these attacks because they hold highly sensitive information, including patients' medical information and health records, that would be valuable to hackers.

Employees are increasingly more comfortable sharing their personal information through social media, and as a result, employers must be especially vigilant in considering how to educate their workforce about data security – both personally and professionally. Employees that take their personal data security seriously are substantially more likely to adhere to organizational security. Thus, implementing training measures and awareness programs to educate employees on how to protect data in both their personal and professional lives is fundamental in creating a more secure workplace. Employees should be trained on basic workplace data security measures and basic personal security measures through a comprehensive program. For instance, training an employee to lock unattended computer screens in a physician's office simultaneously with training the employee not to post about an extended vacation on his or her social media site is more meaningful to the employee and therefore more likely to stick. These forms of creative, robust training on cyber threats and security measures can be accomplished using annual training and other ongoing reminders to employees about the types of information that can and will be compromised if the employees do not do their part to act as a "human shield" for the organization, and for themselves.

Since 2010 with the passage of the Patient Protection and Affordable Care Act ("ACA"), healthcare providers are required to devote an increasing level of resources to online records management. Some of the new requirements include quality metrics regarding payments to hospitals and providers that must be entered into the online system on an ongoing basis. This process can be burdensome and time consuming, especially when information is initially collected on paper forms. As a result of the slow process, providers and doctors may delay data entry, causing a back log in the system. This back log leaves PHI waiting to be entered in an unsecured form and thus vulnerable to loss or compromise of the data. Creating systems, protocol and oversight with respect to physical records, and other ongoing data generating sources, will allow organizations to manage regulatory and administrative burdens that leave sensitive information at risk

Hundreds of systems store and manage electronic medical records. Certain systems may exist on premise, while others are housed off-site through remote-infrastructure. Some of these systems are homegrown compilations of record and management systems, whereas other systems are managed by large, specialized companies and intended to interface among every aspect of the organization's operations. The variation in systems can cause problems in the transfer of data among systems that are unable to interface with each other. The process to make silo systems interoperable so data can be exchanged among systems, and effectively accessed and used by the organization, is both time consuming and costly. Instead of paying the often substantial upfront price of migrating to a comprehensive system, businesses often use fast, unencrypted solutions to move data between systems, posing great security risks to the entire network. For example, an employee may print data from one system and scan it into another or an employee may email data to a personal, unsecure email address or personal device. When data is transferred in this manner, the security, integrity and availability of the data is at risk and, therefore, the business itself increases its risk of a data security incident. Not every organization will have the resources or political will to implement overarching systems, and doing so may not be necessary. It is, however, critical, that organizations interacting with sensitive information track the various ways that information flows, or should flow, through its financial and operational systems and remain vigilant about any unauthorized workarounds that may be used by the workforce in an effort to solve interoperability issues.

It's fair to expect that every member of an organization's workforce is continually connected through a mobile device. While mobile computing and communicating are second nature, companies cannot afford to forget that when individuals move with mobile devices, the information stored on, or accessible through, those devices moves with them. As sensitive data is disbursed to and accessible on multiple personal devices, it becomes much more difficult to control access to and use of that data. It is common for workplaces to implement Bring Your Own Device ("BYOD") policies, under which individuals can access workplace e-mails on personal devices, or work remotely from those devices. While BYOD has sensible business benefits, such a policy also subjects employers to the risk that such devices may be lost or stolen, and the data on those devices would be in jeopardy. Appropriate security when using mobile devices for work purposes must be a part of the organizations' comprehensive and ongoing training program when a BYOD policy is in place and companies should maintain agreements with employees that allow remote wiping and confiscation of devices when employees are not following security protocol or to address other security risks. The more employees move, the more data moves, and the more control and oversight is necessary to keep information secure.

Using unsecure methods to transmit sensitive data, including webmail, social media, or text messages, poses a significant data security risk to the data and the company. To limit this risk, some businesses implement data loss prevention systems ("DLP") or encrypted file transfer protocols ("FTP") when transmitting data. A DLP system prevents sensitive data from being transmitted by censoring PHI and PII before a communication is transmitted. An encrypted FTP session gives only the sender and the recipient the ability to open and close the channels for data transmission. Organizations should note that some common FTPs such as Google Drive and DropBox are not secure servers, yet employees will continue to be drawn to these methods of file transfer because they are user-friendly and well known. As a result of these readily available, but unsecure, communication methods, employers are even more pressured to create secure communication methods and train employees on how to take advantage of those methods. While communications within the healthcare industry in particular are often transferred through an electronic data interchange ("EDI"), not all EDI communications are encrypted, which can still pose a security threat. Other portable methods used to share information, such as removable media, like thumb drives and hard drives, can hold large amounts of data but are very hard to control access. After all, anyone can come in contact with the removable media, and the data contained on it will be especially easily to steal or access if the device is unencrypted. Similarly, these devices can transfer malicious code to an organization's network, putting the entire data security ecosystem at risk. Sensitive data in transfer should always be encrypted to protect the security and integrity of the data during the transfer.

Even sophisticated systems are not immune from bad actors. In February 2016, anonymous hackers froze a Los Angeles hospital's computer network until the hospital paid $17,000 in ransom for its release. The CEO of the hospital remarked that paying the hackers was "the quickest and most efficient way to restore our system and administrative functions." Despite regaining control of the internal network and system, the ransomware software used to freeze the network was not removed after the ransom was paid. Thus, the hospital incurred additional costs to restore and bolster security for the computer network.

Disgruntled employees with access to sensitive information can wreak havoc on a business's network security. For example, a vengeful terminated employee may improperly transmit sensitive data in order to sabotage the business. Cautionary measures may be taken to limit this type of retaliation such as monitoring the terminated employee prior to his/her departure or electronically locking him/her out of systems containing sensitive data prior to or simultaneous with separation of employment. Still, the risk exists for the employee to take the sensitive information he or she has access to and sell it to outsiders. The buying price for a celebrity patient's PHI or a confidential business strategy can be lucrative for a hospital employee looking to make some extra money. While these risks are challenging to monitor and control for, organizations must be vigilant, and must acknowledge and understand what type of data an employee has access to and the temptations surrounding that data.

The Health Insurance Portability Act ("HIPAA") does not provide guidance on methods to store and transfer ePHI. The government merely requires that organizations take reasonable and appropriate precautions, with no guidance for determining what constitutes a "reasonable and appropriate precaution" in any particular circumstance. Businesses are therefore free – and challenged – to develop security measures and protocols simultaneously with technological advances. However, the lack of regulation in the area of data protection has led to problems. Inconsistency among entities has led to great variation in employee practices. Many organizations use the ISO 27001 or NIST standards and test the effectiveness of their controls through SOC 2 Type II audits. However, many other organizations do not adhere to such stringent controls, or do not use objective measurement tools, leaving the sensitive information at risk for exposure. Information security professionals within an organization, together with executive leadership, must, for the time-being work to determine what is reasonable and appropriate with respect to the business, the data, and the risks. The resources of a business and the sensitivity of data must be accounted for in making these critical decisions. A wholly reasonable solution implemented one year may no longer be appropriate to an organization the next as a result of technological advances, increased resources, or other considerations, and therefore an organization must invest in continual self-assessment to ensure it is maintaining sufficient practices with respect to data security in the larger commercially and technology ecosystem.

As the modern workforce becomes more mobile, so too does the data that travels within it. Additionally, data is generated at an increased speed through a number of different forms of technology. The Internet of Things, for instance, was largely non-existent five years ago and now the data generated from it – frequently sensitive health information – has become a routine element of many institutions' data ecosystems. All parties involved are exchanging information with each other, and data is changing hands quickly—whether that be among primary care physicians, specialists, patients, clinics, pharmacies, or insurance companies. With such rapid and mobile data transfer, it becomes increasingly difficult to track the movement of every piece of information. If an organization does not know where or the extent to which its data has moved—how can the data truly be secured? To regain and retain control, it is becoming increasingly necessary for organizations to implement controlled methods for tagging and categorizing data from the moment it is generated, and throughout the data's life cycle of interacting with the organization's systems and users.

There is seemingly no bottom to the well of creativity utilized by hackers and other malicious actors when it comes to seeking out and exploiting sensitive data and, as a result, there is no limit to the risks that organizations face with respect to generating and processing sensitive information. As a result, the best positioned organization is an agile one that is continually assessing, training, implementing improved practices, and repeating all of the foregoing on at least an annual basis. With more advanced technology comes new and more complex options for data security, and with the availability of those options, the responsibilities of healthcare organizations dealing with sensitive information necessarily shifts as well. In order to navigate the evolving world of data security, it is fundamental that organizations stay knowledgeable about data security innovation, and continually assess and improve to find the right balance between the moats and the castle.

___

The authors wish to thank summer associates Alexandra B. Shalom and Paige M. Moscow for assisting with the preparation of this article.