In a healthcare environment that promotes patient engagement, making sure information remains confidential is paramount. Whether information is shared between physicians or with the patient themselves, measures must be taken to ensure both the security and integrity of the data.
Every vendor in the healthcare sector offers some level of security, but how much is enough has yet to be defined. Reported hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, and data breaches occur almost daily. Data security is an issue of extreme importance.
The HIPAA Security Rule, which applies the Privacy Rule's protections specifically to electronic protected health information (ePHI), requires implementation of three types of security safeguards: 1) administrative, 2) physical and 3) technical. These address both access to the data and its confidentiality.
Access means the ability or the means necessary to read, write, modify or communicate data or information, or otherwise use any system resource. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.
Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of the Covered Entity’s workforce in relation to the protection of that information.
Physical safeguards are physical measures, policies and procedures to protect a Covered Entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.
Technical safeguards mean the technology, and the policies and procedures for its use, that protect ePHI and control access to it.
The combination of all of these safeguards is designed to reasonably and appropriately protect the data. Unfortunately there is no clear-cut definition of what constitutes “reasonable and appropriate”, nor of what can be considered “necessary”. The Rule lists factors a Covered Entity must weigh (its size and complexity, its technical infrastructure, the cost of a measure, and the probability and criticality of the risks to ePHI), but it sets no threshold. This leaves facilities to implement whatever they feel are satisfactory measures.
Sadly, the security used is often not enough, as the plethora of publicized breaches shows, including the latest, the Premera breach that affected up to 11 million individuals. Given that HIPAA civil penalties are assessed per violation, in tiers that can reach $50,000 per violation (subject to an annual cap), any breach is one too many and 11 million can be considered catastrophic.
Endpoint encryption (encrypting data at rest on laptops, workstations and mobile devices, typically with full-disk encryption) provides the most basic level of data security; it is distinct from transport encryption, and most healthcare companies already provide some degree of end-to-end encryption of data in transit. Interestingly though, more than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week, which is exactly the population whose devices are most likely to be lost or stolen.
Many vendors provide encrypted (HTTPS) links within the integration of a secure EMR, as well as optional encryption for additional data. A few companies go several steps further and protect passwords throughout the ecosystem; note that passwords should be stored as salted, iterated hashes rather than reversibly encrypted, since an encryption key that can decrypt a password table recovers every password in it. Vendors wishing to have their systems used within the federal government (VA hospitals, etc.) need to adhere to a much higher standard. This often entails using cryptographic modules validated under the Federal Information Processing Standard (FIPS) 140-2, which defines four increasing, qualitative security levels intended to cover a wide range of potential applications and environments; the validation covers the cryptographic module (for example a validated library build), not the application as a whole. An even higher standard is the one mandated by the Department of Defense, formerly DIACAP (DoD Information Assurance Certification and Accreditation Process), which was replaced in 2014 by the DoD’s Risk Management Framework (RMF) for DoD Information Technology (IT).
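To make the password point concrete, here is an added example (not code from any vendor or EMR discussed above) contrasting the weak pattern, a bare unsalted hash, with salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library. The user name, password and iteration count are constructed for illustration; the record format and the helper names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one hash costs
# roughly 100 ms on the authentication server, and raise it over time.
ITERATIONS = 310_000


def unsalted_sha256(password: str) -> str:
    """The weak pattern: a bare digest of the password.

    Two users with the same password get identical digests, so a leaked
    table exposes shared passwords and is crackable with precomputed tables.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash for storage.

    Returns a self-describing record 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'
    so the parameters can be read back at verification time and raised later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=32
        )
        stored = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; rehash on next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample credential (hypothetical).
    user, password = "rn.jdoe", "Winter2015!"
    print("unsalted:", unsalted_sha256(password))
    record = hash_password(password)
    print("stored  :", record)
    print("login ok:", verify_password(password, record))
    print("wrong pw:", verify_password("winter2015!", record))
```

Two users who pick the same password produce the same unsalted digest but different stored records, and a record written under an older, lower iteration count still verifies while `needs_rehash` flags it for upgrade at the next login.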
So how much security is enough, and how much is too much? A recent study by the Ponemon Institute noted that 43% of security breaches across all industries occurred within the healthcare industry. That is scary.
There are tradeoffs with each security approach. If you make data easily accessible to both clinicians and patients without unduly restricting access, you open up the chance that an unauthorized party may also gain access to it. Make data too restricted and it becomes a logistical nightmare to try to obtain. Biometrics may provide a cost-effective answer for authentication, as may other advanced technologies under development, though they complement rather than replace encryption and access control. Until then, each facility needs to conduct its own risk analysis, which the Security Rule requires rather than merely recommends, to determine whether the security in place meets the minimum standards and protects not only the facility, but its patients as well.