PHI Protection: Data at Rest, Data at Risk


Since the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect in February 2010, regulations regarding health-care data security have become more stringent than ever before. For instance, the DHHS secretary is required to publish the names of covered entities that have experienced any data breach involving 500 or more individuals. This list of breaches is publicly available on the HHS website, and it now includes more than 200 covered entities.

Though the rules governing patient health information (PHI) become ever stricter, many radiology practices are likely to be unfamiliar with the HHS classification of electronic PHI data and the steps required to protect them properly. For example, data in motion refers to data that are transmitted between physical locations, either for storage and archiving purposes or for sharing between clinicians, according to Joe Degati, chief technology officer for Medical Management Professionals, Inc (MMP), Atlanta, Georgia.

Even less familiar are the steps necessary to protect data at rest—the information stored within a practice’s own servers, hard drives, portable devices, and even USB drives, as well as any information stored as hard copy.

“Any data in motion need to be encrypted, so that if they get into the wrong hands, they can’t be deciphered,” Degati explains, “but the same thing goes for data at rest—any PHI that is stored on electronic media. While there may be different interpretations of how to satisfy the rules and regulations, the general rule of thumb is encryption. No longer is it acceptable to have a document containing PHI protected by a password. It needs to be encrypted.”

The consequences of insufficiently protected PHI can border on disastrous, Degati notes. “No one wants to be on the HHS naughty list. This gets published on a website for everyone to see, and the more events you have, the more it shows you are not taking information security very seriously. That is a list you do not ever want to be on,” he says.

Enforcement Through Education

Degati recommends that practices educate all employees and stakeholders on information security, and that they issue frequent reminders about best practices. At MMP, for instance, “We require all of our employees to go through an annual online training course, and to make sure they are not just glancing through the information, we provide a short quiz at the end,” he says. “If you have not taken the course or have failed it and retaken it multiple times, notifications are sent to your supervisor and department head.”

Degati offers examples of data-security measures of which practices might not be aware, or in which their staff members might not be consistently participating. “When you are traveling, of course, you know you should keep your laptop in your sight. Your laptop, however, also should contain some form of encryption software or appliance. When not in use, your laptop should always be powered off, not just left in sleep or hibernate mode. Remember, it is no longer acceptable to have your data protected by password alone,” he says.

Staff members who have laptops, he continues, “should never leave them in the office unattended or in plain view. Instead, they must be taken with the person or locked in a cabinet, and the use of flash drives should be discouraged unless they are encrypted—they could easily be lost or stolen.” Degati adds, “At MMP, we take the security of data at rest so seriously that we also have encrypted all of our desktop computers, in addition to our laptops.”

Employees should be educated about protecting themselves—and, by association, the practice—against social-engineering threats and hackers. A single employee can create the right conditions for a data breach simply by responding to the wrong email, Degati says. “We have had cases where people will say, ‘I just got this note from the help desk asking for my password.’ Our help desk would never ask an employee to divulge that information,” he says.

He adds, “Other emails may seem to have been sent by a local financial institution, asking the employee to give his or her name, password, Social Security number, and date of birth—all of this information. Many people think it is legitimate and actually do it. If the hacker can trick one person, he or she can get to the rest of the network.”

To address this issue, Degati says, employees should be notified of the risk and should send any suspicious