Speakers at the PHI Protection Network's recent forum in Cambridge, Mass. offered HIPAA data breach prevention strategies for health care IT leaders and privacy officers in attendance. They stressed that while technology is vital for preventing breaches, enforcing employee policies to use that technology is equally important.
First, understand that while you're building a culture of health data privacy and security, you should expect that data breaches will happen. The goal of IT leaders, in concert with compliance staff, is to reduce the number of breaches and to act quickly to minimize the consequences after the fact.
"We should not expect any organization to never have a data breach," said Debbie Wolf, principal at Booz Allen Hamilton. "I think that there are incidents happening every day … if you can use technology to minimize the risk, minimize the breaches, get them down to the lowest possible number [of breaches and patients affected], you're doing due diligence. If you have the expectation that you're going to shut things down, shut the door and it will never happen, I think you're being unrealistic."
Allison Dolan, privacy project specialist at Massachusetts General Hospital (MGH), said it's important to understand the threats. People steal personal health information (PHI) and financial information not just for the usual identity theft reasons, but also for a newer strain of fraud: medical identity theft. In this scenario, patients pose as someone else to access services under that person's insurance plan. Be on the lookout not only for strangers stealing patient data, but also for friends and family of patients.
MGH, Dolan told SearchHealthIT, has seen increasing incidents among the latter group as health insurance and care becomes more expensive, combined with dismal economic conditions for some patients. When these are discovered, she said, it becomes a fraud issue and not a privacy issue. Yet the often difficult task of untangling false data from real data in the victim's electronic record can involve IT sleuthing, as well.
IT leadership needs to enlist senior leadership to get physicians on board, said Meredith Phillips, chief information privacy and security officer for Henry Ford Health System in Detroit. She said physicians at Henry Ford felt entitled to engage in behaviors that are risky from an IT security standpoint, such as using unencrypted thumb drives and setting up their own wireless access points in their offices.
The bring-your-own-device (BYOD) phenomenon taking over workplaces everywhere, not just in health care, exacerbates HIPAA risks. That observation led to another of Phillips' tips: Review BYOD policies and enforce data encryption.
"[Physicians think], 'Because I'm a physician and because I have a professional development account, I'm going to spend my own money and get reimbursed and go to Best Buy and buy a laptop. I want the standard. I'm not going to encrypt it; I'm not going to protect it. … I'm a physician and you're not going to tell me I can't do that. And I'm not going to contact IT, and I'm going to be reimbursed by Henry Ford,' which then makes it my asset, and I don't even know about it," Phillips said. "You have to change the [entitled] mindset."
That brings us to perhaps the top strategy for CIOs trying to prevent a HIPAA data breach. As the omnibus rule updates patient data security for the digital medical records era while, at the same time, BYOD is taking over their IT environments, CIOs must implement technology to inventory and constantly monitor all devices on the network. And of course, they should have policies and procedures in place to lock out rogue devices and deal with their owners, be they enemy hackers trying to steal data or the people who Phillips said keep her up at night -- the 31,000 employees under her watchful eye.
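The device inventory, monitoring and lock-out strategy described above, reduced to its core check, as an added example that is not part of the original article or any of the organizations it quotes. It reconciles constructed DHCP lease lines against a constructed asset inventory (the field names and the dnsmasq-style lease layout are assumptions): a device that is not in the inventory is flagged as rogue, and a known BYOD device whose disk is not encrypted is flagged as a policy violation, so both end up on the block list.

```python
"""Reconcile devices seen on the network against an asset inventory.

All data below is constructed for illustration; the inventory fields
(owner, managed, encrypted) are hypothetical names, not a real product's schema.
"""

# Constructed inventory: MAC address -> what the organization knows about the device.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "radiology-ws-12", "managed": True, "encrypted": True},
    "aa:bb:cc:00:00:02": {"owner": "dr-smith-laptop", "managed": False, "encrypted": False},
    "aa:bb:cc:00:00:03": {"owner": "nurse-tablet-7", "managed": False, "encrypted": True},
}

# Constructed DHCP lease lines in a dnsmasq-style layout: expiry, MAC, IP, hostname.
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.20.1.12 radiology-ws-12
1700000000 aa:bb:cc:00:00:02 10.20.1.40 dr-smith-laptop
1700000000 aa:bb:cc:00:00:03 10.20.1.55 nurse-tablet-7
1700000000 de:ad:be:ef:00:09 10.20.1.99 android-guest
"""


def parse_leases(text):
    """Parse lease lines into dicts; malformed lines are skipped rather than trusted."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({"mac": parts[1].lower(), "ip": parts[2], "host": parts[3]})
    return leases


def classify(leases, inventory):
    """Return a verdict per MAC: 'rogue' (not inventoried), 'unencrypted' (BYOD
    policy violation) or 'ok'. Hostnames are self-reported, so only the MAC is used
    for the lookup."""
    verdicts = {}
    for lease in leases:
        record = inventory.get(lease["mac"])
        if record is None:
            verdicts[lease["mac"]] = "rogue"
        elif not record["encrypted"]:
            verdicts[lease["mac"]] = "unencrypted"
        else:
            verdicts[lease["mac"]] = "ok"
    return verdicts


def block_list(verdicts):
    """MACs that should be quarantined until the owner is contacted."""
    return sorted(mac for mac, verdict in verdicts.items() if verdict != "ok")
```

A MAC address can be spoofed, so this is a detection baseline to feed into network access control and follow-up with device owners, not proof of a device's identity.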