Wednesday, October 21, 2015
Technology Makes It Easier… To Unknowingly Put Your Data at Risk
By: Ryan McGinty President / CEO at OCERIS, Inc.
The “always connected” evolution of modern technology has made a deluge of appealing, instantly accessible productivity services and apps. Almost all flaunt being secure - the problem is, healthcare professionals are not included in the “everyone” these services are referencing. Protected Health Information (PHI), as defined by HIPAA, has very specific requirements, and most of these services are not HIPAA compliant out of the box. As an EHR/Practice Management vendor, we have seen first-hand how many people don’t understand how these services work behind the scenes, and whether or not they are appropriate for use in healthcare.
What Types of Services Are We Talking About?
Everyone hopefully knows by now that normal, unencrypted email is not secure and shouldn’t be used to transmit PHI. But there are many other services that also claim to be “secure”, but should not be used for PHI. Some examples (by far not a complete list):
• Cloud storage (Google Drive, OneDrive, DropBox, iCloud)
• Note taking (EverNote)
• Online backup programs (Carbonite)
• Communication (Skype, iMessage, WhatsApp)
The Confusion: “Secure” vs “HIPAA Secure”
One of the primary issues is the use of the word “secure”. Most services are labeled as “secure”. What that means is that the service encrypts the data as it is transmitted and that you have to login to it to access the information. It technically is secure – but only from the outside world. HIPAA goes further and requires that data be protected at a much higher level. There are essentially two ways that a service can be used in a HIPAA compliant manner:
1) Use a HIPAA compliant version of the product – This option is available for many services, but is rarely free. Examples include Office 365 and Google Apps – but not just the “regular” versions. You have to choose the versions that are specifically labeled as HIPAA compliant. An indicator you are on the right track is the service offering a Business Associate Agreement (BAA), which is a HIPAA requirement for entities that house PHI data that is technically viewable by their own employees. HIPAA compliant versions of services also have audit tools for comprehensive logging of access to data and other tools to assist in maintain compliance.
2) For data storage services (like cloud storage), you CAN store PHI but ONLY if it is encrypted with a HIPAA compliant encryption routine and only you, or others in your organization, can access the data. For example, you could store a file with PHI on your free cloud storage account as long as the file is encrypted with AES256 – a type of strong encryption that is considered strong enough to protect data sufficiently. If you do not have a BAA with the service, it is your responsibility to ensure the data is encrypted strongly enough that employees of such a service cannot view the data.
Some Real-World Examples
Now that we’ve defined the problem, let’s go over some example situations where PHI is not adequately protected. Many of these are things people do every day and don’t realize that they are putting data at risk. Again, for “regular” businesses, this wouldn’t be a problem – but it is in healthcare when dealing with PHI:
You save an unencrypted Word document containing PHI to your free Google Drive account to work on at home.
Not only is the storage of that PHI in an unencrypted form on the free (non-HIPAA compliant) version of the service a problem, but also the fact that it might auto synchronize to other devices, such as laptops, phones, and more. If those devices aren’t encrypted, they now contain unencrypted PHI and the data is at risk if a device is lost or stolen.
You take a picture of a hospital note with your iPhone which is set to auto upload your pictures to iCloud.
Most people don’t even think about this scenario. They set their phone to auto upload their pictures because most phones are used in the dual role of personal and business. You want vacation photos backed up, but you don’t want PHI to be sent since the storage service is not HIPAA compliant.
You record notes about a patient in EverNote.
In order to make your notes available everywhere, these popular note programs sync to a central server owned by the note company. As with other services, unless you subscribe to a specific HIPAA compliant version, PHI is not properly protected.
You use your online calendar to store PHI.
The convenience of a centralized calendar is inarguable and might seem like a great way to track upcoming surgeries with patient details. But, unless the calendar is part of a HIPAA complaint offering (such as Office 365), then the it should not be used to store PHI.
You backed up all your medical data with the free version of a cloud backup program.
If the backup program isn’t HIPAA compliant, or if it does not allow you to specify an encryption key (usually accompanied by a large warning that if you lose the key, no one will be able to recover your data), then your data is not properly protected.
How Do You Gain Control of Your Data?
As you can probably see, there are a multitude of ways that your data can be outside of a HIPAA protected zone and you wouldn’t even realize it. So what is a non-technical person supposed to do to gain control of this both at a personal and organizational level? Enterprise operations have entire IT departments devoted to managing this type of thing, but small to mid-size offices are on their own to make sure everyone in the organization stays compliant – a sizable task given the proliferation of easy, accessible services and the Bring Your Own Device (BYOD) movement.
Educate Everyone That Has Access to PHI
It is imperative that everyone who works with PHI understand the importance of keeping it protected – and to understand how current technology works. The main cause of data being at risk is simply because people not knowing the difference between the “secure” and “HIPAA secure”. Do not take anything for granted when developing education – ensure everyone knows they should never take pictures of PHI with their cellphones, never post PHI on a social media site (even in a private message), and never, ever email PHI.
Ban Certain Apps and Services
Prohibit co-workers from using services that are not HIPAA compliant. This is a “better safe than sorry” measure. If you aren’t sure co-workers will know when it is appropriate to use a non-HIPAA compliant service, then don’t take a chance – keep them from being able to accidentally put data at risk. For the ultimate protection, have an IT consultant help you lock down devices to prevent anyone being able to access or install non-compliant programs.
Secure and Encrypt Devices That Are Taken Offsite or Easily Stolen
Most devices, including laptops, tablets, and even phones, now have the ability for full-device encryption. These technologies make it virtually impossible for a stolen device to have its data accessed by anyone without a passcode or key. Make sure the device also has a password or passcode to unlock or log into it. Finally, if the device offers a locator service and/or a “remote wipe” capability, make sure to enable it. Most are not enabled by default, so verify it is setup – after it is lost or stolen, it is too late.
Provide a HIPAA Compliant Option
While not free, signing up for a HIPAA compliant version of a service gives co-workers an option they know is acceptable on which to store PHI. Having an “approved” option means they are less likely to go looking for a readily available “unapproved” solution.
It Is Time to Change How You Look at Technology
Up until the last few years, it was fairly easy to keep data inside a protected network. Smartphones, tablets, file sharing services, and social media have vastly decreased the complexity required to share information, but blurred the lines of what is “secure” enough to use to store or share PHI. Take control of your data now – look at the organization as a whole, including all employees and all services used. The healthcare industry doesn’t have the luxury of using every new piece of technology that becomes available without some close scrutiny. Ongoing compliance requires the diligent research of products and services prior to their introduction to your organization to ensure it meets the requirements of our industry – and the PHI your organization is responsible for stays protected.