Finding Patient Data to Protect
Detecting Where Information Resides is a Challenge
Healthcare data cannot be adequately safeguarded to help prevent breaches unless an organization knows where the information resides. And that's a difficult challenge.
Personal information may reside in files outside core electronic health record systems and other clinical information systems. Such data may also be found in text documents, spreadsheets, e-mail attachments and slide presentations.
The importance of tracking down where patient information resides was brought into the spotlight by a recent breach at Memorial Sloan-Kettering Cancer Center. In that incident, unencrypted patient information was embedded into PowerPoint slides that were available on the websites of two professional organizations (see: How to Avoid Exposing Patient Data).
"You cannot properly protect data if you do not know what you have and where and how it is stored," says Melodi Mosley Gates, an attorney specializing in cybersecurity and healthcare regulations at law firm Patton Boggs LLP.
HIPAA and the HITECH Act require healthcare organizations to provide reasonable safeguards for patient information, Gates says. "But you cannot properly assess risk if you are not aware of what data you hold and where and how it is stored."
Creating a data inventory is an essential information security practice, Gates stresses.
"Organizations may find it fairly straightforward to inventory and review data that is stored in central databases or managed systems and applications," she says. "But as the large number of breaches resulting from lost end-user devices and other media show, it is also important to look further and locate and manage data stored in other forms, especially user-created documents and files like those often found on end-user devices, network drives or other resources."
That's why some organizations are using specialized technologies to help locate where patient information resides and, in some cases, encrypt it before it's transmitted.
Tracking Down Data
Franciscan Health System, a five-hospital system in Washington state affiliated with Catholic Health Initiatives, is using an e-discovery tool from DeepDive Technologies to identify sensitive information in user files, says Gregg Braunton, regional information security officer.
"The e-discovery tool looks across the network for unstructured data on the network and gives us the ability to index content," he says. That enables searches for files containing Social Security numbers, dates of birth or other sensitive information, he says.
The tool helps to identify where sensitive information resides in user files, such as text documents, spreadsheets and slide presentations. Using reports pinpointing this data, Braunton and his team can take action to remove or protect the data or prevent files containing sensitive information from being shared or e-mailed.
Braunton says the e-discovery tool helped him identify a presentation that had only eight slides but was enormous in its data size. It turned out that a spreadsheet with 10 years' worth of data was embedded in the presentation. The data was removed from the user's presentation, and a placeholder message was added to the file indicating that data had been deleted.
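The kind of check described above can be sketched in a few lines. This is an added example, not DeepDive's product and not code from the organizations quoted: it opens an Office Open XML file as a ZIP archive, reports embedded objects and oversized parts, and counts SSN-like strings, recursing into embedded workbooks. The function names, the 50 MB limit and the sample deck are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# SSN-like pattern: 3-2-4 digits, skipping area numbers never issued (000, 666, 9xx).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
EMBED_PREFIXES = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap; larger parts are reported, not read


def scan_office_file(data, name="<file>", depth=0, max_depth=3):
    """Return (kind, part, value) findings for an OOXML file supplied as bytes."""
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            part = f"{name}!{info.filename}"
            if info.file_size > MAX_PART_BYTES:
                findings.append(("oversized_part", part, info.file_size))
                continue
            raw = zf.read(info)
            if info.filename.startswith(EMBED_PREFIXES):
                # An embedded workbook travels with the deck even if no slide shows its rows.
                findings.append(("embedded_object", part, info.file_size))
                findings += scan_office_file(raw, part, depth + 1, max_depth)
            elif info.filename.endswith(".xml"):
                hits = SSN_RE.findall(raw.decode("utf-8", "ignore"))
                if hits:
                    findings.append(("ssn_like", part, len(hits)))
    return findings


def build_sample_deck():
    """Constructed sample: one slide plus an embedded workbook holding fake SSNs."""
    book = io.BytesIO()
    with zipfile.ZipFile(book, "w") as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>123-45-6789</t></si><si><t>234-56-7890</t></si></sst>")
    deck = io.BytesIO()
    with zipfile.ZipFile(deck, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld><a:t>Outcomes 2003-2013</a:t></p:sld>")
        zf.writestr("ppt/embeddings/Microsoft_Excel_Sheet1.xlsx", book.getvalue())
    return deck.getvalue()


if __name__ == "__main__":
    for finding in scan_office_file(build_sample_deck(), "deck.pptx"):
        print(finding)
```

Legacy OLE embeddings (`.bin` parts) are reported as embedded objects but not parsed, and dates of birth or other identifiers would need their own patterns.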
Protecting Data In E-mail
Too often, sensitive patient information is included in e-mails or attachments, where it may be vulnerable.
That's why Health Quest System, which operates several hospitals and physician practices in the Mid-Hudson Valley area of New York, is using an appliance-based tool from ZixCorp to scan outgoing e-mail and attachments. If any patient information is detected, based on a lexicon of health terms and rules, the data is automatically encrypted before the e-mail is transmitted, says David Sheidlower, Health Quest's chief information security officer.
"People often forget what they're sharing, and this prevents inadvertent disclosures," he says. "It's another data leak protection."
The ZixCorp software-as-a-service technology automatically scans outgoing email for sensitive information, based on content and an organization's policies, and encrypts it.
Other Steps To Take
Technologies such as those being used by Health Quest and Franciscan Health can prove helpful in locating information so it can be safeguarded, Gates says. But in addition to using technology to pinpoint where sensitive data resides, organizations should also survey users to collect data inventory and risk information, Gates says (see: Practical Encryption Tips).
"Assigning clear ownership to network drives and other shared resources can also help, along with regular auditing and reviews," she says.
Also, individuals who have access to patient information should be trained and regularly reminded of their duty to protect such data and why it is important not to download or store such information in ways that may create more risk, she adds.
Gates also suggests that access control processes that limit the ability to view or download sensitive data to only those with a specific need to know provide a foundation for data loss protection, "along with audit logging to determine who is interacting with data and when and how those interactions are taking place."
The BYOD Issue
Because more healthcare organizations are allowing physicians and staff to use personally owned tablets and smartphones to access patient information, they must also pay attention to protecting patient information on those devices, says Brian Evans, principal of Brian Evans Consulting, an IT consulting firm in Columbus, Ohio.
For example, organizations should scan outgoing data on personal devices when they are connected to an organization's network, Evans says.
"Often times, organizations lack control over data on personal devices, and many certainly contain PHI [protected health information]," he says. Warning users that personal devices are subject to data wipes if the devices are lost or stolen is another important step, he adds.