*This article originally appeared on HealthITSecurity.com*
When it comes to protecting their data, healthcare organizations are increasingly finding themselves caught between the proverbial rock and a hard place.
On the one hand, healthcare reform has not only led to organizations generating vast amounts of electronic data, but has also driven the exchange and integration of this information among providers and payers on an unprecedented scale. All of this creation and sharing of electronic health information is aimed at improving patient care, realizing greater efficiencies and lowering overall costs.
On the other hand, the million-dollar question (or, make that, the $5.6 billion question, according to the Ponemon Institute’s fourth annual Patient Privacy & Data Security Study) is: what happens when a healthcare organization discovers its data has been compromised, whether it be protected health information (PHI), payment card details or personal employee information?
Protecting data within the organization and along the supply chain is a major challenge for healthcare entities. Most are already stretched by pressures unique to their industry: the move from paper to electronic records, the implementation of the ICD-10 code set, Meaningful Use requirements, and the HIPAA Omnibus Rule on privacy protections released last year. Add in issues commonly experienced by most businesses today, such as lean staffing and financial stresses, and it’s easy to see how healthcare organizations can find it difficult to dedicate the time to develop an effective information security program and proactively assess and mitigate risks.
Compounding the problem is the sheer number of touchpoints where information is vulnerable to loss or breach. For example, early in 2014, a California hospital sent paper records to a contractor for digitization. Upon arrival at the contractor, some of the cartons were discovered to be unsealed, and on further inspection 133 patient charts were found to be missing. However, the hospital notified more than 2,500 patients of the breach because it could not ensure that the records from the unsealed boxes had not been compromised.
Within any healthcare organization, a mix of employees, vendors and other business partners routinely have access to sensitive information. This can include caregivers across numerous specialties; vendors whose equipment may integrate with the hospital’s larger electronic network, such as a laboratory information system; and third parties that handle billing or claims processing.
Last but not least, healthcare delivery is undergoing a paradigm shift as it moves from a volume model to one based on shared responsibility for care. We are finding that many medical centers that used to maintain patient records themselves are trying one of two ways to work with the new health information exchanges and ACOs:
- Set up networks where members can push their data
- Leverage ACOs in conjunction with local and regional setups to work with providers for the region’s patients in a collaborative way
In all, Patient Privacy Rights, a bipartisan, nonprofit organization, estimates that over four million businesses, agencies and individuals handle PHI electronically. The risk doesn’t end there, however. HealthITSecurity.com reported in December 2013 on a mind-boggling case in its annual list of the year’s most significant healthcare data breaches: “An anonymous HIPAA-covered entity in Southern California is suing 15 Internal Revenue Service (IRS) agents for a March 11, 2011 ‘unlawful search and seizure’ after the agents allegedly accessed and took medical records from 10 million Americans; more than 60,000,000 records were thought to be stolen without cause”.
How to balance information sharing with patient data protection in the supply chain
While the HIPAA Omnibus Rule requires business associates (BAs) to comply with information security and privacy standards, the covered entity bears the brunt of the fallout from a breach, including reputational damage. This negative reaction can be significant; a recent study finds that after a healthcare data breach, 30 percent of consumers would avoid doing business with the breached provider.
Because of the scope of the problem, working with a trusted advisor is an efficient way for the organization to build its “risk profile” as it applies to third parties. This in turn helps the board of directors or trustees determine where it needs to prioritize attention and resources.
At the same time, many clinical providers are relying on vendors that host EHRs in the cloud. While these types of organizations are essential to the new business models, providers no longer have practical control over their data. In these cases, it is essential for those providers to understand exactly how the vendor will protect data, as well as its policies and procedures in the event of a breach.
Five best practices for strengthening information protection in the healthcare supply chain
- Identify all business associates and third parties by auditing each functional area within the healthcare organization and mapping what individuals and entities have access to PHI as well as Personally Identifiable Information (PII).
- Prioritize resources on managing third-party risk based on:
  - How important is the third party to patient safety or the financial health of the covered entity?
  - Who is storing information? There is often a greater risk associated with third parties that store information than with those who only have access to it.
- Ask third parties about the measures they have in place to protect confidential information and to detect and respond to security incidents. Request third-party security audit reports from critical vendors and/or create a security assessment process for evaluating and managing this risk.
- Ensure third parties are in compliance with HIPAA Security and Privacy Rule protection requirements and that they are aware that any subcontractors used are also held to these standards.
- Integrate this vetting methodology into the standard onboarding procedures for new vendors and third parties. Third parties should also be re-evaluated on an ongoing basis, at least annually, and especially in the event of an ownership change such as a merger or acquisition.