5 Steps to Ensuring Hospital Data Security

Written by Jerry Kaner, CEO

Hospitals and health systems face increasing regulation for protecting the security of patient health information; yet, data breaches remain common in the industry. Health system leaders must make data security a priority. Here are five initial steps to ensuring data security in your organization.

1. Conduct a HIPAA risk analysis

Risk assessment is an important task for any healthcare organization. Since the HITECH Act amendments to the Health Insurance Portability and Accountability Act took effect in February 2010, both covered entities and their business associates are required to complete risk assessments about threats and risks to protected health information. After conducting the risk assessment, the organization must develop and implement safeguards to manage the identified risks. While HHS has not published a specific template for conducting a HIPAA risk analysis, it has referenced as a guideline the standards set by the National Institute of Standards Testing in itspublication 800-30. According to the NIST standard, the key purposes of risk assessments are to identify "relevant threats" to the organization, including "vulnerabilities, both internal and external," and the "likelihood that harm will occur." The NIST standards also call for all organizations, large and small, to designate a compliance officer. The officer should undergo needed HIPAA training and assume responsibility for end-user education about standards.

2. Implement encryption for all data as recommended by the AMA

The American Medical Association and many security experts recommend that physicians encrypt all protected health information. In its white paper, "HIPAA Security Rule: Frequently Asked Questions," the AMA notes that if a provider organization suffers a breach of protected health information, it must notify all the patients impacted unless the data (e.g., in a laptop or disk drive) was encrypted. In that case the data is considered "indecipherable," and no expensive notification is required. According to the AMA, physicians should encrypt "any systems and individual files" containing PHI. This includes electronic medical records, medical images, claims payments and emails containing PHI. The AMA notes that secure encryption systems use a "key," which can be a piece of data inside a software program or a small physical device (usually the size of jump drive). It is called a key because it "unlocks" the encryption formula to unscramble the data.

3. Choose the highest level of encryption without the lag

The AMA recommends that physicians use the "best available encryption algorithm" which is contained in the advanced encryption standard. The AES was selected by NIST in a competition and is stronger and faster than earlier encryption standards. The newest encryption standard, AES 256-bit encryption, is unbreakable by brute force or by or criminals using computers. An encryption algorithm takes the original message, and a key, and alters the original message mathematically based on the key's bits to create a new encrypted message in 0s and 1s. In AES 256-bit encryption, the keys use a list of AES 256-bit 0s and 1s. It is exponentially more secure than earlier algorithms that used AES 128-bit keys. In previous years, providers using first-generation encryption systems on older, low-capacity computers sometimes encountered slow or delayed data access. Advanced encryption storage devices now on the market can transfer at the rate of 1,000 mbps over a 10 GB network environment. This is fast enough to provide instant viewing of large medical images. There is virtually no performance or capacity impact. For example, a 2 megabyte CT scan will be transferred and displayed in one second. With advanced encryption systems in place, information is stored securely and the encryption process is invisible to users. Many devices and software programs claim to be encrypted. It is important to determine exactly what form of encryption they use and how reliable it is. For example, some popular operating systems offer encryption. However, if the operating system itself is vulnerable to hackers, the encryption system it contains may not be sufficient.

4. Secure laptop data with encrypted portable storage devices

Laptops remain a major concern for PHI security. A $300 laptop that is lost or stolen can potentially result in a $500,000 penalty. One simple, affordable option is to store PHI on a portable, encrypted external hard drive instead of storing data directly on the laptop. For example, a small external hard drive (about the size of an iPhone) that is hardware encrypted cannot be accessed without the physical key and the content wouldn't be able to be accessed if lost or stolen. Mobile devices (e.g. tablets, smart phones) should either be encrypted or configured so they do not store any PHI. Security experts point out that webmail services are not currently encrypted and secure. Sending patient information via text messages is an increasingly common HIPAA violation since many physicians and nurses are sending medical communications on their cell phones outside of an encrypted EHR system. In addition, all portable storage backup discs (such as those connected to a server) should be encrypted, whether or not they are in a secured area. Note that in 2012, Blue Cross and Blue Shield of Tennessee was fined $1.5 million by HHS after a thief stole 57 hard drives containing unencrypted information on one million plan members.

5. Make sure you have disaster recovery and business continuity plan

Disasters range from power outages, floods, fires, storms, equipment failure, sabotage, terrorism (such as the events of 9/11) and earthquakes. Under HIPAA, both covered entities (e.g., hospitals, medical groups, clinics) and business associates are now required to plan for disaster recovery including natural disasters and loss of electricity. The HIPAA rules recommend that the covered entity should prepare a comprehensive, usable, and effective disaster recovery plan, which will involve the entire workforce to help restore or recover any of its crucial operations. By having a plan, an organization can reduce the potential headaches involved with disaster recovery and, in turn, ensure business continuity. Part of any reliable disaster recovery plan is making sure your data storage system company offers solutions that are redundant, secure, robust and deliver WAN optimization. Advanced portable storage devices enable large amounts of data to be encrypted and stored in rugged, lightweight units. For example, a five-drive unit smaller than the size of a shoebox and weighing 14 lbs. can store 20 terabytes of data, enough to store some 2 million medical images. These units can be easily carried by individuals in the event of an evacuation. In addition, the data storage units can be placed in water-resistant storage cases to provide protection against storms and flooding.