By J. Stuart Showalter

Information security breaches are serious problems. Here are two tactics you can employ to ease your data breach worries.

This is a sample article from HFMA's Legal & Regulatory Forum, a subscription-based discussion community that encourages networking and sharing among healthcare compliance, legal, and finance professionals.   


I was watching TV recently and saw the very clever Travelers Insurance ad called "Prized Possession," the one with the cute little dog fretting over how best to protect his bone. The background music is Ray LaMontagne's song "Trouble," and when I listened carefully to the lyrics, I realized what a good theme song it would be for compliance officers:

Trouuu-buuull. Trouble, trouble, trouble, trouble.

Trouble been doggin' my soul since the day I was born.

Worrr-reee. Worry, worry, worry, worry.

Worry just will not seem to leave my mind alone.

When I mentioned this to a compliance officer recently, he asked, "You know what troubles and worries me? Copy machines. They keep me awake at night. Copy machines and multifunction peripherals … those scanner/printer/copier devices attached to your PC."

So I got to thinking: every digital copier, scanner, printer, or fax machine has some kind of memory capability. These machines keep images of the things they've copied, scanned, printed, or faxed:

  • Every page of every lab result, consultation report, census sheet, or CMS-1500 form
  • Every incident report, attorney/client fax transmittal, or psych eval
  • Every cost report, audit committee agenda item, or patient bill

In short, if the hard drives on these machines are large enough (that is, if the machine doesn't use just RAM that is continually overwritten), there is a huge information security breach waiting to happen.

This prompts one to worry about where all the information is and who's guarding it.

The financial risks associated with information security breaches are high. In 2009, U.S. companies (across all industries) paid an average of $204 per compromised record and averaged $6.75 million in per-incident costs, according to a recent study by Ponemon Institute. And the Ponemon data do not include the impact of HITECH fines. The Office of Civil Rights can levy fines of up to $1.5 million for each violation, but potential costs go beyond federal fines.

(See the sidebar, Data Breaches on the Rise, for specific examples.)  

Tactic 1: Develop a Policy

Having strong preventive measures in place against data breaches is obviously the best course of action. But you need to be prepared in advance with a policy on how to deal with any breach that does occur.

This policy should outline:

  • Who will conduct the investigation (one person should be in charge of a breach response team)
  • How to involve attorneys and consultants
  • Whether notice must be given to government agencies, and if so, to which ones
  • Whether, when, and how to notify affected individuals

In addition, the policy should indicate how an incident-specific communication strategy will be developed, how customer and media contacts will be handled, and who will be in charge of remediation planning if systemic improvements are necessary. 

Forum members: Have you developed a data security breach policy that you'd be willing to share with other members? Please e-mail the Forums editor.

Tactic 2: Address Potential Leaks

A second preventive strategy is to identify, and plug, potential data leaks. Preliminary risk assessments are required for HITECH compliance, and guidance from HHS lays out federal expectations. (See related article for more on this.)

But I encourage compliance officers to brainstorm every possible source of a leak. Here are some things to ponder, and address:

___  In addition to machines and peripherals, how many "smart phones" are there in your organization? How many laptop computers, external hard drives, and removable storage devices ("thumb drives")?

___  How many payment card devices are there, and do they comply with "PCI DSS"?

___  How many people have remote access to your clinical information systems or business systems?

___  What vendors have access to perform service on the various devices?

___  Are the hard drives erased before the devices are retired from service?

___  If they have not been erased in the past, can you now locate the machines that were sold, sent back to a vendor, or donated to another organization so the hard drives can be purged of sensitive data?

___  In the case of hand-held devices or laptops, are they retrieved before the individuals leave the organization or when they no longer have a job-related need for them?

___  If you cannot identify and retrieve any of those devices, must you now report a security breach?

___  Do you allow personal laptops or hand-held devices to be used for business purposes, and if so, what controls do you have over them?

___  Have you identified all vendors/contractors whose functions involve the use or disclosure of protected health information (HIPAA standard)?

___  Since the HITECH Act makes HIPAA rules directly applicable to those firms, do you have business associate agreements with all of them? How do you know for sure?

___  Is there a central repository or database of BAAs, and if so, who monitors it?


Leave Nothing to Chance

As LaMontagne's song says, "Seems like worry is my only friend," and compliance officers have plenty to worry about regarding breaches of data security. The best advice echoes the tag line from the Travelers ad: "Leave nothing to chance."

Forum members: Please share other possible sources of data leaks. E-mail the Forums editor with your ideas, and we'll add them to this list.  

J. Stuart Showalter, JD, MFS, is a contributing editor to HFMA's Legal and Regulatory Forum.

Publication Date: Wednesday, December 29, 2010