Access Denied: Avoiding Patient Data Disasters

The best way to avoid data breaches is to lock down everything. We wish. While that’s not possible, data encryption and strong—established, known and enforced—policies can certainly help.

When a data loss or theft occurs, most facilities are reluctant to discuss it beyond what is required to comply with breach disclosure regulations. But better data security may ultimately depend on having this conversation. The problem is growing:  
  • Laptop theft is the leading cause of PHI breaches affecting more than 500 people, according to the Department of Health and Human Services, which has been tracking data breaches by healthcare organizations since the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act was issued in August 2009.
  • Data breaches of patient information cost the healthcare industry $6 billion annually, according to Privacy researcher Ponemon Institute’s “Benchmark Study on Patient Privacy and Data Security,” published in November 2010.
  • A total of 225 breaches of protected health information affecting more than 6 million individuals have been recorded since August 2009, says a breach report by Redspin, an IT security auditing firm. (The report does not include recent breaches reported in New York and Oklahoma, which potentially affected close to 1.8 million patients and others.)

Systems behind discovery

In one recent case, the University of Iowa Hospitals and Clinics (UIHC) disclosed a potential data breach involving 13 University of Iowa football players’ EMRs. The incident resulted in negative publicity and ultimately led to the termination of several employees. Yet, the event is also an example, to some degree, of a system that works. UIHC had policies and IT in place that enabled the fast discovery of the breach and quickly prevented it from expanding to additional patients.

“The critical component in this scenario was our clinical information systems,” says Lee Carmen, CIO and associate vice president of IT at UIHC. The organization, which includes an adult and children’s hospital, as well ambulatory clinics, uses an EPIC EMR systemwide. UIHC handles more than 900,000 outpatient visits and more than 30,000 hospital patients annually. “Everything about the patient is recorded in the EMR. The application has extensive auditing capabilities. And it has somewhat robust functionality to limit access,” says Carmen.

UIHC uses a “break the glass” policy for access control when a person of interest comes into the facility, he says. At the highest level, access is restricted until a central authority, usually the organization’s compliance or privacy group, deems the request appropriate, he says. At a lower level, when a staff member tries to access patient information when break the glass has been set, a warning appears on the screen asking if the user wants to proceed. “If he or she says yes, access is granted for 24 hours, and that access spools off to a log that is immediately visible to compliance people, which makes it very easy for them to see who’s getting in and doing things,” Carmen says. In the case of the football players, a lower setting, which allows access for 24 hours with high visibility, was in place, he adds.

In addition, “we can go [into the EMR] and say ‘show me everybody who accessed patient John Smith’s record from January 2008 to today,’ and it will show all those accesses—the name of the staff member, what service or department the staff member belongs to. It will tell us date and timestamp, and will even give us indicators as to … what functionality they were trying to execute within the system,” he says.

“All staff are educated about the confidentiality of patient information and are required to annually sign an online attestation, saying ‘this is the policy and I’m aware of the policy,’ ” Carmen says. “Often, if we have people of interest in-house, we’ll communicate through an enterprise email broadcast. We’re modifying the EMR login screen to include text that says ‘please respect the privacy of our patients.’ ”

UIHC has hardware protections in place for laptops, such as hard drive data encryption. “Thumb drives get to be a little difficult for us. As an academic medical center, [a] good portion of our physicians also are active investigators, so we have controls in place in terms of electronically extracting data out of the enterprise system. But it becomes challenging” in terms of preventing someone at a workstation from transposing information into a spreadsheet or Word document, he says.

“Although we do a lot of education, that’s more of an enforcement by policy just because today’s technology has so many different ways somebody could do something. We plug the holes as we identify the holes, but it’s an ongoing challenge.

“The thing I’m proudest of is that we are very transparent in how we approach patient privacy. We treat everybody the same, so if there’s a potential breach, the rules and repercussions are the same for a clerk as they are for a nurse, as they are for a physician. We don’t have different rules depending on who you are in the organization.

“Although it’s somewhat of a problem—there are marketing implications to having the newspaper writing stories about people inappropriately accessing the system—we still feel it’s the best thing possible to communicate to both our customers and our own staff that we take patient privacy very seriously and we’re very transparent in what we’re doing.”

Keeping the ‘Protected’ in PHI
HIPAA’s rules for security and privacy safeguards were extended by the HITECH Act, but gaps still exist and can cause security breaches, according to Raj Chaudhary, leader of the Security and Privacy practice at Crowe Horwath LLP, an Oak Brook, Ill., public accounting and consulting firm.

Chaudhary suggests that providers evaluate their risk of compromising all forms of protected health information (PHI) for improper use or disclosure, loss of data and breach of confidentiality.
Providers should take the following steps to protect the security and privacy of PHI:

  • Safeguard data from unauthorized individuals. Users often leave computers logged in while they are away from their desks. Also, some onsite security guards and physical controls fail to prevent unauthorized access to restricted areas. A walk-through, during and after business hours, can help providers identify if unauthorized people can physically gain access to protected data.
  • Monitor controls on key systems and check for inadequate logging. Every time system users access computerized records, they leave an electronic footprint, or log, on the information systems. Most healthcare organizations rely on access controls to help ensure compliance with the HIPAA Security Rule. However, security gaps occur when providers use antiquated systems that don’t allow logging, update to new systems without enabling logging or simply don’t adequately monitor logged activities.
  • Protect access control. Providers should confirm that passwords are required to access all of their systems, databases and applications that house PHI. All required passwords should meet complexity requirements, such as including a combination of numbers, symbols, uppercase and lowercase letters, and be reset on a regular basis. Accounts should be locked after a series of failed log-in attempts, and a log should be made of all failed log-in attempts so accounts that are being targeted for compromise can be more easily identified.
  • Create strong vendor management functions. Most providers do not maintain a comprehensive list of Business Associate (BA) agreements that include the type of data being shared with the BAs. The HIPAA Privacy Rule requires that the “minimum necessary” standard be applied to any data shared with vendors. Vendor management has a lifecycle of its own and should be viewed and managed as such in order to appropriately protect PHI.
  • Develop business continuity management and incident response plans. Many providers have a disaster recovery plan that provides guidance on how patient care should continue in the event that IT systems are unavailable. This approach leaves a gap with regards to the prioritization and recovery efforts of systems in the event of an incident. An information security-specific disaster recovery plan should be part of this plan, while a computer security incident response plan should also be developed in case of a breach.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.