As someone who walks the line between finance and health informatics, I read with many of you last week the news of a data breach affecting Valley View Hospital, a facility here in Colorado. First, we have the Target credit card debacle, and now, one more in what seems a litany of attacks against healthcare providers. Sadly, it does not look like the threat will go away any time soon.
Further, the expansion of health IT under the American Recovery and Reinvestment Act (ARRA) has created another attractive target for the criminal element. If we haven’t realized it already, the data-rich environment we now operate in is, to a thief, every bit as attractive as the cash-rich environment health care has always been. The difference is simply the nature of the theft. Events like the one in Colorado should remind us to look at our IT processes and take a moment of introspection to confirm that we are doing everything we can to avoid becoming the next “data breach” headline, and the next client of one of those credit monitoring companies we have to retain when a breach is detected.
Because so many of us in finance work in (and supervise) the IT function in our organizations, the onus will likely fall on us to show what we are doing to protect our valuable data assets. The task is further complicated right now as we prepare for the ICD-10 conversion looming later this year. IT processes can both save and sink our data security efforts.
Here are some things to consider as we look at our defensive posture against data intrusions.
Have you had your defenses tested against attack? Believe it or not, there are hackers out there who are on our side. The “certified ethical hacker” makes a living out of trying to break into our systems and then telling us where our weaknesses are. I have seen investments in these sorts of services pay big dividends in closing data breach vulnerabilities before they are exploited. A test is only worth what you do with it, though: scope it to cover the systems that actually hold patient and payment data, and track each finding to remediation. HIPAA’s Security Rule also calls for periodic technical evaluation of safeguards, and penetration testing is a widely accepted way to meet that requirement.
Does IT shut the door behind users? So many data vulnerabilities arise from within our own organizations, from our own users. Has IT implemented basic protocols such as mandatory password changes (60-90 days has been the common baseline, though current guidance puts more weight on password length and on screening for known-compromised passwords than on forced rotation)? What about mandatory inactivity time-outs, where a terminal is “locked” after a period of time if the user isn’t doing something? Do we have mechanisms in place to ensure that any time an employee leaves the organization, his or her user access to our systems is immediately terminated? The same question applies to contractors and vendor accounts, and to employees who change roles and no longer need the access they had. That last point is an easy one to forget, because it requires communication between human resources and IT. But the consequences of such a lack of communication can be dire. I have seen situations where employees who have been gone from an organization for nearly a year still have active user access to systems. Scary, isn’t it?
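The HR-to-IT gap described above is something IT can check mechanically rather than trusting that every departure was communicated. The following script is an added illustration, not part of the original column or of any product it mentions: it joins an HR roster against a directory export and flags accounts that are still enabled for terminated staff, accounts with no HR owner at all, and accounts whose inactivity or password age exceeds the policy window. The two CSV snippets are constructed sample data, and the column names (employee_id, status, term_date, username, enabled, last_logon, pwd_last_set) are assumptions to be mapped onto whatever your HR system and directory export actually produce.

```python
"""
Leaver reconciliation: compare an HR roster against a directory export and
flag accounts that should already have been disabled.

Added example, not code from the original column. CSV data below is
constructed; the column names are assumptions about the two exports.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who is still employed as of the report date.
HR_ROSTER = """employee_id,name,status,term_date
1001,Alice Rivera,active,
1002,Brian Okafor,terminated,2013-04-15
1003,Chen Wei,active,
1004,Dana Whitfield,terminated,2014-03-10
"""

# Constructed directory export: the accounts that actually exist.
DIRECTORY_EXPORT = """username,employee_id,enabled,last_logon,pwd_last_set
arivera,1001,true,2014-03-24,2014-01-20
bokafor,1002,true,2013-04-12,2012-11-02
cwei,1003,true,2013-11-01,2013-09-15
dwhitfield,1004,false,2014-03-09,2014-01-05
svc_backup,,true,2014-03-24,2011-06-30
"""

REPORT_DATE = date(2014, 3, 25)
INACTIVITY_DAYS = 90          # no logon for this long -> flag for review
PASSWORD_MAX_AGE_DAYS = 90    # upper end of the column's 60-90 day baseline


def _parse_date(text):
    """ISO date string -> date, or None when the field is blank."""
    return date.fromisoformat(text) if text else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, dir_text, today=REPORT_DATE,
              inactivity_days=INACTIVITY_DAYS,
              pwd_max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return a dict of finding type -> sorted list of usernames."""
    hr = {row["employee_id"]: row for row in load_csv(hr_text)}
    findings = {
        "terminated_but_enabled": [],   # leaver whose account still works
        "orphan_account": [],           # enabled, but no HR owner at all
        "inactive": [],                 # enabled, but unused past the window
        "stale_password": [],           # enabled, password older than policy
    }
    for acct in load_csv(dir_text):
        user = acct["username"]
        if acct["enabled"].strip().lower() != "true":
            continue   # already disabled; nothing to report
        owner = hr.get(acct["employee_id"])
        if owner is None:
            findings["orphan_account"].append(user)
        elif owner["status"] == "terminated":
            findings["terminated_but_enabled"].append(user)
        last_logon = _parse_date(acct["last_logon"])
        if last_logon is None or today - last_logon > timedelta(days=inactivity_days):
            findings["inactive"].append(user)
        pwd_set = _parse_date(acct["pwd_last_set"])
        if pwd_set is None or today - pwd_set > timedelta(days=pwd_max_age_days):
            findings["stale_password"].append(user)
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    for kind, users in reconcile(HR_ROSTER, DIRECTORY_EXPORT).items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run against the sample data, the terminated employee whose account was never disabled and the ownerless service account both surface immediately, which is exactly the year-old access the column describes. Running a report like this on a schedule, and treating every non-empty line as a ticket to HR or IT, turns the "did anyone tell IT?" problem into a routine control rather than a hope.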
Are we working with IT system vendors to ensure that they are providing timely and adequate security updates as new vulnerabilities are identified? We can only do so much to protect ourselves; the systems we buy have to be kept current as well. That said, vendors do not carry sole responsibility for system security. We have to be sure that the hardware and networks those systems run on are secure, and that the patches vendors supply are actually applied within an agreed window. That is where those ethical hackers can come in handy, but the systems we use must be up to the challenge.
Do we have a plan in place for responding immediately to a breach? HIPAA requires documented security incident procedures and sets deadlines for breach notification, so this is not optional. But far too many organizations settle on a “cookie cutter” approach for a plan that ultimately is found to be irrelevant to the unique characteristics of a breach. A plan that has never been rehearsed, even as a tabletop exercise, tends to be found wanting at the worst moment. I recommend taking time to do what I was taught when I got my pilot’s license: Plan for the worst, prevent what problems you can, and be prepared to act on that plan. You never know.
These points are easy to overlook in the hustle of month-end close, budgets, and cash flow hassles. But when it comes to safeguarding data, the ounce of prevention can be worth far more than the pound of cure you might need later.
Jeffrey Helton, PhD, FHFMA, CMA, CFE, is assistant professor, Metropolitan State University of Denver, and a member of HFMA’s Colorado Chapter.
Publication Date: Tuesday, March 25, 2014