Planning for a data breach
With covered entities doling out more than $25 million for HIPAA violations, and with more than 30 million individuals affected by data breaches since 2009, organizations need to plan ahead to safeguard their protected health information, said Peter Paulli, CISA, executive consultant at Strategic Advisory Group, during a Beacon Partners webinar.
“Electronic data is an asset and all organizations should protect it,” he said.
A number of factors are putting data at higher risk of unauthorized access. “I think we are at a crossroads; more technology is being deployed, we are increasing data collection and use of analytics, and with that we are increasing the sharing of data,” he said. “All this sharing of data also increases the risk of information being disclosed without authorization.”
Currently, 84 percent of adults believe that providers have reasonable protections in place to protect data in EHRs, he said, citing a 2012 study by the Office of the National Coordinator for Health IT. “We need to make sure we maintain that trust, to keep information secure and private,” he said, but added that, at the end of the day, “there is no guarantee that a breach won’t happen.”
In addition, the stronger privacy and security requirements in Meaningful Use Stage 2, which mandate more robust encryption and security of data sources, mean that organizations need to put risk management practices in place.
The first step in safeguarding protected health information is knowing where it is created, maintained, transmitted and received. This entails building an inventory of the systems that contain protected data and understanding how that data flows within the organization. Such systems could include a desktop in a warehouse, or just a paper spreadsheet with a patient list. “It’s like an Easter egg hunt,” he said.
Unencrypted USB drives are a growing threat to data security. “This has become one of the biggest challenges in the organizations I’ve worked in,” he said, suggesting that healthcare organizations have an amnesty day for employees to bring in devices and ensure they are properly encrypted and protected.
Organizations also need to perform a risk analysis, which includes identifying threats and vulnerabilities such as human error, technical problems (i.e., bad software) and non-technical issues. They should also conduct a risk assessment to determine impact priority, impact value and likelihood of occurrence, he said.
Training the workforce is vital to the whole process. This can entail ensuring orientation and in-service training are current; making department-level training available where needed; establishing expectations, including disciplinary measures; and sending reminders to the workforce about policies and procedures to reinforce the organization’s expectations, he said.
The workforce must also understand the need to report incidents promptly and to provide details of the incident, and the organization must ensure that business associates understand their responsibility to provide information in accordance with their BA agreements, he said.
Underscoring all these efforts must be executive leadership. “When you promote a culture of compliance, executives really need to set the tone,” he said, adding that they need to support both the clinical as well as the business objectives of an organization.
Finally, if a security incident does occur, organizations should use it as an example to drive home the importance of following their security policies. “If you have a corrective action plan, it’s good to go back and reevaluate the plan to make sure it is effective,” he said.