By J. Stuart Showalter
Information security breaches are serious problems. Here are two tactics you can employ to ease your data breach worries.
This is a sample article from HFMA's Legal & Regulatory Forum, a subscription-based discussion community that encourages networking and sharing among healthcare compliance, legal, and finance professionals.
I was watching TV recently and saw the very clever Travelers Insurance ad called "Prized Possession," the one with the cute little dog fretting over how best to protect his bone. The background music is Ray LaMontagne's song "Trouble," and when I listened carefully to the lyrics, I realized what a good theme song it would be for compliance officers:
Trouuu-buuull. Trouble, trouble, trouble, trouble.
Trouble been doggin' my soul since the day I was born.
Worrr-reee. Worry, worry, worry, worry.
Worry just will not seem to leave my mind alone.
When I mentioned this to a compliance officer recently, he asked, "You know what troubles and worries me? Copy machines. They keep me awake at night. Copy machines and multifunction peripherals … those scanner/printer/copier devices attached to your PC."
So I got to thinking: every digital copier, scanner, printer, or fax machine has some kind of memory capability. These machines keep images of the things they've copied, scanned, printed, or faxed:
- Every page of every lab result, consultation report, census sheet, or CMS-1500 form
- Every incident report, attorney/client fax transmittal, or psych eval
- Every cost report, audit committee agenda item, or patient bill
In short, if the hard drives on these machines are large enough (that is, if the machine doesn't rely only on RAM that is continually overwritten), there is a huge information security breach waiting to happen.
This prompts one to worry about where all the information is and who's guarding it.
The financial risks associated with information security breaches are high. In 2009, U.S. companies (across all industries) paid an average of $204 per compromised record and averaged $6.75 million in per-incident costs, according to a recent study by the Ponemon Institute. The Ponemon data do not include the impact of HITECH fines. The Office for Civil Rights can levy fines of up to $1.5 million for each violation, but potential costs go beyond federal fines.
(See the sidebar, Data Breaches on the Rise, for specific examples.)
Tactic 1: Develop a Policy
Having strong preventive measures in place against data breaches is obviously the best course of action. But you need to be prepared in advance with a policy on how to deal with any breach that does occur.
This policy should outline:
- Who will conduct the investigation (one person should be in charge of a breach response team)
- How to involve attorneys and consultants
- Whether and to which government agencies a notice must be made
- Whether, when, and how to notify affected individuals
In addition, the policy should indicate how an incident-specific communication strategy will be developed, how customer and media contacts will be handled, and who will be in charge of remediation planning if systemic improvements are necessary.
Forum members: Have you developed a data security breach policy that you'd be willing to share with other members? Please e-mail the Forums editor.
Tactic 2: Address Potential Leaks
A second preventive strategy is to identify, and plug, potential data leaks. Preliminary risk assessments are required for HITECH compliance, and guidance from HHS lays out federal expectations. (See related article for more on this.)
But I encourage compliance officers to brainstorm every possible source of a leak. Here are some things to ponder and address:
___ In addition to machines and peripherals, how many "smart phones" are there in your organization? How many laptop computers, external hard drives, and removable storage devices ("thumb drives")?
___ How many payment card devices are there, and do they comply with "PCI DSS"?
___ How many people have remote access to your clinical information systems or business systems?
___ What vendors have access to perform service on the various devices?
___ Are the hard drives erased before the devices are retired from service?
___ If they have not been erased in the past, can you now locate the machines that were sold, sent back to a vendor, or donated to another organization so the hard drives can be purged of sensitive data?
___ In the case of hand-held devices or laptops, are they retrieved before the individuals leave the organization or when they no longer have a job-related need for them?
___ If you cannot identify and retrieve any of those devices, must you now report a security breach?
___ Do you allow personal laptops or hand-held devices to be used for business purposes, and if so, what controls do you have over them?
___ Have you identified all vendors/contractors whose functions involve the use or disclosure of protected health information (HIPAA standard)?
___ Since the HITECH Act makes HIPAA rules directly applicable to those firms, do you have business associate agreements (BAAs) with all of them? How do you know for sure?
___ Is there a central repository or database of BAAs, and if so, who monitors it?
Leave Nothing to Chance
As LaMontagne's song says, "Seems like worry is my only friend," and compliance officers have plenty to worry about regarding breaches of data security. The best advice echoes the tag line from the Travelers ad: "Leave nothing to chance."
Forum members: Please share other possible sources of data leaks. E-mail the Forums editor with your ideas, and we'll add them to this list.
J. Stuart Showalter, JD, MFS, is a contributing editor to HFMA's Legal and Regulatory Forum.
- White, A., CFOs: Has Your Hospital Done the Risk Assessment Necessary for HITECH Compliance? HFMA's Strategic Financial Planning, Fall 2010. (Subscription required.)
- Withrow, S.C., How to Avoid a HIPAA Horror Story, hfm magazine, August 2010. (HFMA membership required.)
- A list of state security breach notification laws.
- A February 22, 2010 FTC news release warning of dangers of peer-to-peer file sharing.
- HHS Office for Civil Rights, Health Information Privacy page.
- Notice of Proposed Rulemaking to implement HITECH Act modifications, July 14, 2010.
- Breach notification rule.
Publication Date: Wednesday, December 29, 2010