PHI Protection: Data at Rest, Data at Risk
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect in February 2010, regulations regarding health-care data security have become more stringent than ever before. For instance, the HHS secretary is required to publish the names of covered entities that have experienced any data breach involving 500 or more individuals. This list of breaches is publicly available on the HHS website, and it now includes more than 200 covered entities.

Though the rules governing protected health information (PHI) become ever stricter, many radiology practices are likely to be unfamiliar with the HHS classification of electronic PHI and the steps required to protect it properly. Under that classification, data in motion are data transmitted between physical locations, whether for storage and archiving or for sharing between clinicians, according to Joe Degati, chief technology officer for Medical Management Professionals, Inc. (MMP), Atlanta, Georgia. Even less familiar are the steps necessary to protect data at rest: the information stored on a practice’s own servers, hard drives, portable devices and USB drives, as well as any information kept as hard copy.

“Any data in motion need to be encrypted, so that if they get into the wrong hands, they can’t be deciphered,” Degati explains, “but the same thing goes for data at rest—any PHI that is stored on electronic media. While there may be different interpretations of how to satisfy the rules and regulations, the general rule of thumb is encryption. No longer is it acceptable to have a document containing PHI protected by a password. It needs to be encrypted.”

The consequences of insufficiently protected PHI can border on disastrous, Degati notes. “No one wants to be on the HHS naughty list. This gets published on a website for everyone to see, and the more events you have, the more it shows you are not taking information security very seriously.
That is a list you do not ever want to be on,” he says.

Enforcement Through Education

Degati recommends that practices educate all employees and stakeholders on information security, and that they issue frequent reminders about best practices. At MMP, for instance, “We require all of our employees to go through an annual online training course, and to make sure they are not just glancing through the information, we provide a short quiz at the end,” he says. “If you have not taken the course or have failed it and retaken it multiple times, notifications are sent to your supervisor and department head.”

Degati offers examples of data-security measures of which practices might not be aware, or in which their staff members might not be consistently participating. “When you are traveling, of course, you know you should keep your laptop in your sight. Your laptop, however, also should contain some form of encryption software or appliance. When not in use, your laptop should always be powered off, not just left in sleep or hibernate mode. Remember, it is no longer acceptable to have your data protected by password alone,” he says.

Staff members who have laptops, he continues, “should never leave them in the office unattended or in plain view. Instead, they must be taken with the person or locked in a cabinet, and the use of flash drives should be discouraged unless they are encrypted—they could easily be lost or stolen.” Degati adds, “At MMP, we take the security of data at rest so seriously that we also have encrypted all of our desktop computers, in addition to our laptops.”

Employees should be educated about protecting themselves, and by association the practice, against social-engineering threats and hackers. A single employee can create the right conditions for a data breach simply by responding to the wrong email, Degati says.
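The point Degati makes twice above, that a password alone is no longer enough and that PHI at rest must be encrypted, is the difference between a password the software checks before showing a file and a passphrase that is the only way to reconstruct the key. The Go program below is an added example written for this page, not code from the article or from MMP, to show that difference on a constructed sample record: it derives an AES-256 key from the passphrase with PBKDF2-HMAC-SHA256 and seals the record with AES-GCM, so the stored bytes reveal nothing about the patient and any bit flipped in them is detected. The record, the passphrase, the blob layout and the names Encrypt and Decrypt are all assumptions made for the example; PBKDF2 is written out by hand so the program needs only the standard library, and a real deployment would use an audited implementation (golang.org/x/crypto/pbkdf2, or a full-disk product as the article recommends for laptops and desktops) with a work factor tuned to its hardware.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	saltLen    = 16      // random per-record KDF salt
	nonceLen   = 12      // AES-GCM standard nonce size
	iterations = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
	hdrLen     = saltLen + 4 + nonceLen
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 for one 32-byte block (an AES-256 key); hand-written to stay stdlib-only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1), big-endian block index
	u := prf.Sum(nil)             // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for j := 1; j < iter; j++ { // T = U1 xor U2 xor ... xor Uc
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t
}

func aeadFor(passphrase, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns salt | iterations (uint32 big-endian) | nonce | GCM ciphertext+tag.
// The header is bound as associated data, so editing salt, work factor or nonce fails authentication.
func Encrypt(passphrase, plaintext []byte) ([]byte, error) {
	header := make([]byte, hdrLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce
		return nil, err
	}
	binary.BigEndian.PutUint32(header[saltLen:saltLen+4], iterations)
	gcm, err := aeadFor(passphrase, header[:saltLen], iterations)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, header[saltLen+4:], plaintext, header), nil
}

// Decrypt reverses Encrypt; a wrong passphrase and altered data both fail the tag check.
func Decrypt(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+16 { // 16 = GCM tag length
		return nil, fmt.Errorf("ciphertext too short")
	}
	header := blob[:hdrLen]
	iter := binary.BigEndian.Uint32(header[saltLen : saltLen+4])
	// Bound the stored work factor before deriving: the header is authenticated only after key derivation.
	if iter < 10_000 || iter > 10_000_000 {
		return nil, fmt.Errorf("work factor outside accepted range")
	}
	gcm, err := aeadFor(passphrase, header[:saltLen], int(iter))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen+4:], blob[hdrLen:], header)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: wrong passphrase or altered data")
	}
	return pt, nil
}

func main() {
	record := []byte("MRN 0000123|Doe, Jane|1975-02-14") // constructed sample, not real PHI
	pass := []byte("correct horse battery staple")       // stand-in for a real secret
	blob, err := Encrypt(pass, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("name readable from stored bytes:", bytes.Contains(blob, []byte("Doe")))
	pt, err := Decrypt(pass, blob)
	fmt.Printf("right passphrase: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one ciphertext bit
	_, err = Decrypt(pass, blob)
	fmt.Println("altered data:", err)
}
```

Running it with go run prints whether the patient name is readable from the stored bytes (false), the decrypted record, and the error returned after one ciphertext bit is flipped. Two choices carry the security weight: the header (salt, work factor, nonce) is passed as GCM associated data so it cannot be altered unnoticed, and the stored work factor is range-checked before key derivation, because that check is the only one that can run before the authentication tag has been verified.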
“We have had cases where people will say, ‘I just got this note from the help desk asking for my password.’ Our help desk would never ask an employee to divulge that information,” he says. He adds, “Other emails may seem to have been sent by a local financial institution, asking the employee to give his or her name, password, Social Security number, and date of birth—all of this information. Many people think it is legitimate and actually do it. If the hacker can trick one person, he or she can get to the rest of the network.”

To address this issue, Degati says, employees should be made aware of the risk and should send any suspicious email to the IT department for validation. “It is scary out there,” he notes. “These threats come faster than virus protection and spam filters can prepare for them. It is a numbers game for hackers. You have to educate people constantly about it.”

Built-in Defenses

To strengthen their defenses against data breaches, practices should implement protocols such as requiring that computer passwords be changed after a set interval. “That is a strict requirement for us. We make sure our passwords are very strong—at least eight characters, including one number, one capital letter, and at least one additional symbol. Passwords expire every 45 days, and they cannot be anything easily remembered or figured out by anyone who knows you. Passwords can now be hacked much more easily than ever before,” Degati says.

The contents of desktop computers, like the data on laptops, should be encrypted to safeguard against theft, and computers are not the only equipment at risk, Degati says. “Most copiers and scanners, these days, actually retain images of the documents you have scanned, and those documents could very well contain PHI,” he notes.
“If the equipment ever breaks or gets traded in, you have to be sure to wipe those internal drives clean before they leave your premises.”

Degati recommends that practices consistently reinforce the importance of these measures through ongoing education and reminders. MMP, for instance, routinely contacts its employees by email about security best practices. “We do it around the holidays, especially, when folks are traveling, and also when new topics or regulations pop up,” he says. “We take this very seriously—it is one thing to be aware of this stuff, but it is another actually to do it.”

He concludes, “A lot of this is common sense, but HITECH ensures we are all accountable. It forces you to be more aware of PHI security because if you are not, you could be faced with having to publish your breach, which could truly hurt your business.”

Cat Vasko is editor of and associate editor of Radiology Business Journal.