Posted by: Jenny Laurello
A couple of weeks ago I had the chance to spend some time talking with Steven Porter, CIO for Touchstone Behavioral Health, an Arizona-based non-profit dedicated to working with at-risk patients across the state.
Whenever organizations handle sensitive information, there’s always a tug-of-war between the conflicting priorities of providing easy access to everyone who needs the information and ensuring that data is protected by blocking access for people who shouldn’t have it.
Touchstone Behavioral Health handles sensitive information, yet the nature of their work is remote, and distributed access is often a day-to-day part of the job. Case workers may be literally sitting in someone’s home yet need to quickly call up case notes and medical data, accessed easily through the internet.
As Porter pointed out, the first priority for Touchstone is that they protect the information of the people for whom they provide services – “To have one of our program participants turn 18 and realize that somebody’s been using their credit report for the last seven years would just undermine everything that we’ve done as an organization.”
So the challenges are particularly acute. Porter has had to walk a fine line between access and protection, and he spoke about both the challenges and the successes they’ve experienced.
What really stood out, however, was the fact that when the two needs of access and security are in conflict, security has to win out – yet draconian measures are unacceptable. Porter started by gaining support at the highest level of the organization for patient data security. He then backed it up by ensuring at every step that the security processes and controls in place didn’t interfere with case workers’ access, and he drives constantly for “transparency” in security tools. It is far better, Porter said, to educate case workers on why security is there, and to strive to keep it as simple and seamless as possible.
He also argued for layered defenses, because you never know when or where a breach will occur. For example, even though policy forbids storing any sensitive information on a laptop, Touchstone nevertheless encrypts every device, including removable media. “I have one more layer of protection, and from my perspective, security really is about layered protection,” Porter said regarding encryption for each device.
It is this kind of thinking — and a commitment to helping users stay focused on what they do best — that has enabled Touchstone to become a trusted institution among the community members that the organization was founded to help.