As a healthcare provider, or any organization in the healthcare industry, you already know there are several partners, people, and institutions with whom you are required to share protected health information (PHI). Along the ever-growing chain of people who interact with PHI, there is a greater chance for patient data to be compromised. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) sought to address this by setting physical, technical, and network requirements. HIPAA also requires log tracking so that forensics are possible in the case of a data breach, which means a faulty transmission of PHI can be traced back to you and result in a fine as well as mistrust among partners and patients.
HIPAA, however, does not cover data exchanges with pharmaceutical companies or most of the research organizations involved in the clinical research value chain. This means that, for the transmission of PHI, your organization may need to do more than the minimum required to meet HIPAA. Such considerations are especially important if you handle healthcare data from anyone in Europe, since that data is now covered by the General Data Protection Regulation (GDPR), which applies to you as well.
Data at Rest vs Data in Transit
One of the most important things to understand about data protection is the distinction between data at rest and data in transit. Data at rest is data that is not currently moving anywhere and is stored or archived in some format. Data in transit, on the other hand, is data that is actively in motion from one location to another. After you hit send on an e-mail, that data changes from at rest to in transit until the e-mail arrives. This distinction matters because how you implement security depends on how data flows through your organization and how it is shared.
Whether at rest or in transit, data is exposed to a variety of risks, which is where encryption comes in for protection. Encryption can be used for both at-rest and in-transit data. For data at rest, encryption often takes the form of encrypting a hard drive or a folder. In-transit encryption takes the form of HTTPS, TLS, and SSL (SSL being the deprecated predecessor of TLS), which are focused on protecting the channels the data travels through. The finance industry mentioned earlier has an added layer of encryption in its secure mail format, where the mail is only accessible through a specific app or from a specific file. Once there, it requires an assigned password to even view the mail. In the financial sector, the data is encrypted along the way and is only accessible after a series of steps; this is a very secure approach to data transmission to partners and patients.
Modernizing Your Channels
You may be wondering what some of the ways are that your organization can share data securely and reduce the chance of PHI falling into the wrong hands. Even sharing PHI with your patients can be a risk in itself, depending on your channel of delivery. Many healthcare professionals use e-mail, which is fine for general correspondence but not for sharing PHI. Other channels to avoid are CDs (some institutions still use them) and file-sharing services that do not encrypt their information.
Many healthcare professionals are turning to cloud-based storage services such as Google Drive or Dropbox. The security of these storage services is attractive, but it is important to remember that if the channel is not HIPAA compliant you could face massive fines. Services such as Amazon Web Services offer HIPAA-focused cloud storage and data processing. However, it is also important to be critical of every third-party technology vendor you use to send and manage data.
Stakeholder Engagement & Education
Hospitals and clinics sit at the center of many data exchanges across the healthcare industry, which gives managers considerable opportunity to influence better security coordination among their partners and patients. Patients do not have to worry about regulatory issues, but the privacy and protection of their data is important to them as well. Providers need to engage partners who may fall outside of HIPAA compliance to ensure there is an established practice and consideration for the secure transfer and storage of PHI. If there is not, hospitals can establish as policy that any vendor who wants to work with them must follow a secure transfer and storage process. Patients will generally follow whatever procedure you put in place for data transfer, and using secure, encrypted forms of data transfer and generation can be an added value to them.
Technology has recently made it easier to manage established work processes and to identify anomalies in them. Technology solutions such as Teramind are HIPAA compliant and provide managers with both full user-behavioral and system-wide insights. Additionally, it provides fair warning if there is any suspicious behavior on the network. When auditors come to your clinic or hospital, technology solutions such as Teramind can provide you with proof of your commitment to meeting the administrative compliance requirements. Additionally, it implements technical safeguards and allows you to perform compliance reviews preemptively.
When it comes to data sharing, it is important to understand what your processes are for protecting data at rest, protecting data in transit, classifying data, identifying partners, and transferring data to all stakeholders. The medical industry has a long way to go in improving its cyber security; however, the steps required are more a matter of education and better understanding than of hard financial or administrative barriers.