Kusserow on Compliance – The challenge of protecting PHI

The challenges of securing sensitive information which is stored electronically, has become extremely difficult in the face of legal requirements to do so, and every day there are new reports of data breaches in the health care sector. Few would argue that it is likely that this kind of threat will continue to grow. There are some positive news on this front. According to Risk Based Security’s recent first quarter 2018 data breach report, the number of data breaches in the first quarter of 2018 marked a four-year low with a total of 685 breaches. This number is down from 1,444 breaches in the first quarter of 2017 and 1,153 in the first quarter of 2016. Overall, businesses saw the most reported breaches at 50.4 percent during the first quarter while medical breaches came in at 10.2 percent, according to the report. Within the health care sector, practitioners’ offices saw 43.4 percent of the data breaches while hospitals saw 30.2 percent and medical facilities were at 17.1 percent.

However, health care providers, managed care organizations, and others having access to patient data remain extremely vulnerable to cyber and ransom attacks because information is critical to operations and the need to share data among multiple parties creates opportunities for attack. Many organizations rely upon outdated software and lack controls over those with access to the systems. Not being able to access patient data can shut an organization down. Those desiring data for criminal use can find the needed identifiable data in patient records that include name, date of birth, Social Security Number, family information, and often credit information.

Dr. Cornelia Dorfschmid, PhD is an expert in this area and noted that there are many different measures available to take preventative measures to protect PHI, beginning with encryption that is the most basic method used. She offered a number of steps and tips that health care organizations can take to mitigate their exposure and risks to hacking:

1. Ensure patient data is stored in an encrypted database
2. Maintain close control and encryption over any removable media
3. Have multi-levels of passwords to access any database storing PHI and change passwords frequently
4. Periodically run background checks and sanction-screening on those handling PHI
5. Make sure malware detection software is running on servers and workstations
6. Ensure that your firewalls are up and secure
7. Review and implement standard network security controls
8. Protect PHI and other sensitive information wherever it is stored sent or used
9. Control against shifting data from one device to another external device
10. Restrict the downloading of data
11. Shred all the files and folders before disposing of any storage equipment
12. Ban unencrypted devices, including laptops and other portable devices
13. Use solid passwords for any access and change them from time to time
14. Limit accessibility to those who are working on company’s sensitive data
15. Provide privacy and security training to all employees and others with access to data
16. Establish a breach response plan to trigger a quick response to data breaches to limit harm
17. Develop and maintain a disaster recovery plan should a breach occur
18. Be on the lookout for any suspicious network activity
19. Track movement of data within the network
20. Use automated systems to regularly check password settings, server and firewall controls
21. As part of ongoing monitoring, periodically check security controls

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.