Posted by: Jenny Laurello
Data breach, data privacy and security, HIPAA, Informatica, Jay Hill
Guest post by: Jay Hill, Director Product Management, Informatica
Below is a list of the top five things that your executive team needs to know and do to avoid becoming a poster child for the health care data breach flyer.
1. The threats are real. The “bad guys” are out there and they are after your data. The Privacy Rights Clearinghouse at http://www.privacyrights.org/data-breach has reported over 260 data breaches so far this year, including 55 hacks, 36 unintended disclosures and 41 insider breaches. To make matters worse, almost half of all data breaches (104 of them) involve lost, discarded or stolen documents, computers or other devices. Just in the past two weeks, there were seven reported data breaches affecting health care companies, and the HITECH Act ensures they all end up in the papers and carry steep fines. Whether it is a breach of electronic personal health information or a plain box of patient records, the threat is real and there is no reason to believe it will go away.
2. Sensitive data is everywhere. Personal health information is everywhere. With the dawn of the electronic health record and its secondary uses, data proliferation is on the rise and will continue. With the explosion of mobile devices and social media, more and more personal information is readily available. Matching partial data from a data breach to other publicly available information can give a more accurate, if not complete, picture of the patient. Even if the breach only includes prescription information, there may still be enough to infer the person’s identity from an address or other data. In addition, the transformation in health care is driving huge investments in new applications (such as EHR systems) and information sharing. This trend drives further proliferation of production data, most of it unmasked.
3. Contain the risk. If we think of the explosion of sensitive data in terms of a potential pandemic, a few areas of prevention come to mind, one of them being risk containment. Policies and procedures need to be put in place to ensure sensitive data resides in as few places as possible and is isolated. Once the sensitive data leaves this containment area, trouble is waiting. Any time a request for realistic data comes in from requesters such as the IT development or QA teams, that request ought to be vetted for criticality and, if approved, the sensitive data ought to be permanently masked (e.g., replace patient ID numbers with fake ones and shuffle names). Data masking ensures that even if a breach of a production data copy were to happen, the de-identified data could not be matched with external information. The challenge is that many health care customers have neither the policies nor the technologies to establish such risk containment procedures.
4. Limit what is shared. If real information must be viewed within software applications or displayed in reports, whether online or printed, ensure that only privileged users have access to sensitive data “in the clear.” All other users ought to see partial information, dynamically masked data (e.g., hide the first seven digits of the patient ID) or only initials. The bulk of the more important or insightful information is in the details, not in the actual names or numbers. If these reports left the organization, accidentally or maliciously, the limited information would make it harder for someone to correlate them with other data sources.
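As an added example (not from this post or from Informatica's products), the two masking styles in points 3 and 4 written out in Python: a permanent mask for dev/QA copies, where patient IDs are replaced by keyed-hash fakes and names are shuffled across rows, and a dynamic mask applied at display time that hides the first seven digits of the ID and shows only initials to non-privileged users. The records, the secret and the role names are constructed for illustration.

```python
import hashlib
import hmac
import random

# Constructed sample production records (not real patients).
RECORDS = [
    {"patient_id": "1234567890", "name": "Alice Smith", "rx": "metformin"},
    {"patient_id": "2345678901", "name": "Bob Jones", "rx": "lisinopril"},
    {"patient_id": "3456789012", "name": "Carol White", "rx": "atorvastatin"},
]


def fake_patient_id(real_id: str, secret: bytes) -> str:
    """Derive a stable 10-digit fake ID with a keyed hash: the same real ID
    always maps to the same fake, so joins across masked tables still work,
    but the real ID cannot be recovered without the secret, which never
    leaves production."""
    digest = hmac.new(secret, real_id.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**10).zfill(10)


def mask_for_test_copy(records, secret: bytes, seed: int = 0):
    """Permanent masking for a dev/QA copy (point 3): fake IDs and names
    shuffled across rows, with clinical detail kept so the data stays
    realistic. Assumes names are unique, so a derangement exists."""
    rng = random.Random(seed)
    names = [r["name"] for r in records]
    shuffled = names[:]
    # reshuffle until no row keeps its own name
    while len(records) > 1 and any(a == b for a, b in zip(names, shuffled)):
        rng.shuffle(shuffled)
    return [
        {**r, "patient_id": fake_patient_id(r["patient_id"], secret), "name": n}
        for r, n in zip(records, shuffled)
    ]


def mask_for_display(record, role: str):
    """Dynamic masking at view time (point 4): privileged users see the
    record in the clear; everyone else sees the ID with its first seven
    digits hidden and the name reduced to initials."""
    if role == "privileged":
        return dict(record)
    pid = record["patient_id"]
    initials = "".join(part[0] + "." for part in record["name"].split())
    return {**record, "patient_id": "*" * 7 + pid[7:], "name": initials}
```

The clinical column is left intact in both cases, which is the point of the post: the useful detail survives while the identifiers that would let a leaked copy be correlated with outside data do not.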
5. Password policies. This one is not new, but it must be mentioned. You know the risk is real and data proliferation is a given. You have put in place policies to contain the risk and limit what is shared and displayed. However, restricting access to sensitive data must be the first line of defense. Put in place password duration policies (e.g., quarterly changes), long and strong password requirements and computer timeouts, and ensure all employees are aware of the policy and of the risks and repercussions of noncompliance.
For more information, please visit www.informatica.com.