By Chad Boeckmann, Secure Digital Solutions
March 29th, 2016

The recent outcome at North Memorial Healthcare in Minneapolis, MN should be a stark reminder to all companies of the importance of secure and practical end-point provisioning processes.

Let’s take a look at what just occurred with the North Memorial Healthcare case [1]. North Memorial Healthcare was recently fined $1.5M because a third-party consultant lost a laptop provisioned by North Memorial that contained Protected Health Information (PHI) on an unencrypted hard drive. So what went wrong?

Lessons Learned from North Memorial Healthcare

First, there are five best practices that we can use as key takeaways from this million-dollar lesson.

  1. Ensure all third parties accessing any electronic system have a Business Associate Agreement in place. According to federal regulators, this did not occur between North Memorial Healthcare and Accretive, the third party that lost the assigned laptop. A Business Associate Agreement is a requirement within the HIPAA Final Rule.
  2. Only redistribute end-point devices to others after first wiping the hard disk of any existing/residual data. In many instances, particularly in healthcare, IT teams are short-staffed, have not been trained and have not taken time to assess all processes supporting asset distribution and asset management. To ensure compliance with HIPAA and data security of PHI, it is an industry best practice to wipe all end-point devices before provisioning to another person or entity.
  3. Encrypt the hard drive. With the numerous data breaches, it seems as though everyone understands the importance of encryption. There is still a disconnect between principle and practice.
  4. Restrict PHI from leaving the protected network. This includes any endpoint that has the ability to leave the building. Sound unreasonable? If you think so, then you may want to assess current processes that allow PHI to be saved to hard drives, mobile devices and the like. By omitting PHI from devices that leave the protected environment, you reduce the opportunity for data theft and compromise and thus substantially decrease the risk of a data loss event.
  5. Assess third-party risk today. Vendor risk assessments are an increasing trend and something not many organizations even considered performing five years ago. The pressure to adapt to online medical record systems introduces a higher than normal acceptance of risk during this season of change, as new processes are created and new users are trained. A major component of making these changes is engaging with third parties at an exponential rate when compared to historical levels of third-party vendors in healthcare. Introducing additional vendors to the mix automatically requires a look at the risk landscape. How many U.S.-based data breaches in the past five years are a result of third-party relationships? Too many. Reduce risk and be vigilant with third-party risk assessments.

Combatting Data Loss

Over the last several years, and as a result of the Affordable Care Act, healthcare has been under immense change. These changes have primarily taken the form of reduced margins (competitive pricing models) and large investments in new technology (Electronic Medical Record systems). The pressure to change (or adapt) introduces a higher than normal acceptance of risk during this season of change. In addition, we now have PHI in electronic format, and everyone wants to pursue the golden arrow of the perfect report, drafting new business intelligence through multiple database queries to harvest information about the patient community and create trending reports for the Chief Medical Officer. Wait: did anyone consider security or privacy (access control, encryption of data in transit and at rest, storage of PHI reports on endpoints, etc.) as an integral design requirement of this new business intelligence capability? I’m simply raising the challenges that those of you in the healthcare space know all too well and are constantly chasing as a result of the introduction of EMRs. I’ll return to my simple rule: prevent PHI from leaving the premises (your controlled environment) to truly manage the security and privacy of the data. Many solutions are available to implement this type of control and monitoring. Other healthcare organizations have taken exactly this approach and so far have been successful at keeping their names off the main page of the latest news post.

Summary

There are two key items to note about this example given to us by North Memorial Healthcare. If the laptop had employed full disk encryption, this incident would not have turned into a data loss event. Also, if the laptop had not contained PHI, the stolen laptop would not have made a headline in the Business Journal or ignited the necessity to write about it in this blog.

Learn more about assessing current IT and business processes and the security of those processes by reading about the MAPP methodology here.

[1] http://www.bizjournals.com/twincities/morning_roundup/2016/03/lost-laptop-costs-north-memorial-health-care-1-5.html?ana=RSS&s=article_search