There are tremendous opportunities when it comes to electronically storing and sharing patient information; health systems can leverage ePHI to shed light on a patient’s medical history or add context to their health.
There are also opportunities, however, for PHI to leak, whether it’s through personal devices or other devices that fall outside the purview of the IS department, according to Rich Temple, CIO at Deborah Heart and Lung Center.
“It seems like ePHI is percolating in ways it might not have years ago,” he said during a panel discussion with James Case (CISO, Baptist Health) and David Ting (CTO and Co-Founder, Tausight). And although organizations “jump through hoops to keep a tight rein on it,” the reality is that there are “so many paths it can travel down,” whether it’s PACS systems, devices, scanners, or printers. “There are so many places it can live.”
Even with encryption software in place, “I can’t say with 100 percent certitude that it always works,” Temple noted.
As a result, security teams may rely on manual efforts, said Case, adding that before Baptist Health partnered with Tausight, the strategy was to “just make sure every device is encrypted. “We were rabid about our compliance with device encryption, because that was the only tool in the box.” The focus, he said, was on “making sure that if a device is lost or stolen, we can prove it’s encrypted.” And, of course, educate users on how to properly store PHI and passwords.
To be sure, these measures are important — but when it comes to securing PHI, they’re not sufficient, “particularly as more organizations migrate to the cloud,” said Temple. “With the explosion of the cloud and of use cases that take PHI beyond the walls of the hospital, it becomes trickier.” Although Deborah’s interface engine provides a detailed map of where PHI flows, both inbound and outbound, “there are a lot of use cases within departments where PHI flows out. We have to make sure we’re staying on top of that,” especially given the fact that not all organizations have the same safeguards in place.
When sharing information with collaborating organizations, “you have to make sure everything is encrypted from end to end,” he added. Staying on top of that by building process maps and flows that show which data are moving from point A to point B — along with where they’re moving to and why — plays a critical role.
And when non-compliance is detected, Case’s team intervenes and removes the PHI to lower the risk. The next phase entails tracking movement, applying learnings, and then pivoting to determine whether policies or education need to be adjusted.
Visibility into data
A key component in this, according to Ting, is having the right tools in place. And although he believes the majority of cybersecurity solutions are more than adequate when it comes to fortifying physical security and ensuring leaders know what’s happening at the hardware or network layer when data is being transitioned, “you don’t have visibility into where the data resides, who is using it and how, and which applications it’s touching,” he said.
Each of those steps has different policies that can be applied to ensure all use cases are covered. “Are those policies being followed? What are the exceptions? How do I augment policies or controls to start to reign in these behaviors? These are all critical,” he added.
With Tausight’s PHI Security Intelligence Platform, leaders are able to trace user sets and access important information such as which machines were used and what content was accessed and moved to personal devices. The biggest offenders, noted Ting, are unencrypted laptops containing PHI.
What’s just as vital as having visibility into data and having the right tools, according to the panelists, is having a culture in which violators are held accountable. Failing to do so can have serious consequences, as even seemingly minor infractions can “mushroom into large systemic issues,” said Temple.
At Deborah, which relies heavily on referrals, one of those issues is the use of SMS texting to communicate information about patient transfers. “You have to use secure texting,” noted Temple, whose team has run into resistance from physicians who don’t want to download another app.
Although it might be easier from a user perspective, standard texting is far too risky — and leaders have to make that clear. “If you don’t enforce it and just repeatedly tell people they can’t do that, it becomes a culture unto itself,” he added. “And you run the risk of large-scale leaks, and you run the risk of people being cavalier about sharing sensitive information. Those little things can wind up being big things if you’re not keeping a very watchful eye on it and tamping that down right at the outset.”
Of course, the responsibility doesn’t lie solely with one department. As CIO, Temple works closely with privacy, compliance, and legal to ensure policies include input from other key stakeholders. “It’s one thing for the information systems department to say, ‘We’re going to do X, Y, and Z,’ but you need to have universal buy-in,” he said. “You need to have universal understanding, and you need to extend outward to make sure people know what the policies are, why these policies exist, and that we have to have the wherewithal to monitor compliance with those policies. And that’s not something one department can or should do. It needs to be an interdepartmental approach.”
Case also advocated partnering with privacy, audit, risk, and compliance, noting that PHI security is part of the larger issue of data loss prevention, and should be treated as such. Although he took the lead in developing policies, it was a team effort involving several departments. As a result, they were able to “navigate that together and work through controls and talk about risks category by category, policy by policy, or framework by framework.” Doing it this way also helps ensure “it’s not just an IT decision; it’s a business decision with input from IT.”
As with so many priorities, protecting ePHI requires walking a fine line; in this case, it’s balancing risk-informed, risk-based decision making with maintaining strong relationships. One way Case hopes to achieve this is through weekly touchpoints with his CMIO, during which they discuss the security-associated pain points for users — and how they can be addressed.
Ensuring everyone has a voice, he added, is critical. “We always trying to balance that because there’s no perfect solution. “If we go too far right, that’s bad. But if we swing too far the other way, that’s bad too. It’s a constant line.”
“Education at every turn”
The final — and arguably most important — component of successful ePHI security is in education, which must be consistent and multifaceted, according to Temple. At Deborah, this is done through a number of methods, including mandated computer-based learning, orientation and onboarding sessions, and fake phishing campaigns.
And it’s not enough to merely run tests; leaders need to talk about the consequences of clicking on links. “Anything that runs the risk of exposing ePHI is something that could be potentially devastating,” he said. Therefore, “we need to have education at every turn. We need to have monitoring at every turn. It’s never-ending. You have to have all those things in concert to have an effective plan.”
To view the archive of this webinar — Follow the ePHI: Keys to Protecting Your Most Sensitive Data (Sponsored by Tausight) — please click here.