February 2017
Make Patient Privacy a Priority
By Susan Chapman
For The Record
Vol. 29 No. 2 P. 18
Creating a culture of accountability and correctness can help organizations safeguard protected health information.
As health care organizations change their privacy cultures, they must find ways to promote new privacy standards across the enterprise and encourage staff to share the common goal of protecting patient data.
Raise Awareness
Privacy violations can occur in various ways. For example, employees may access medical records for purposes other than patient care or discuss a patient in public settings. Educating staff can help promote privacy and curb such incidents.
"When I talk about privacy and security awareness, I want all groups within an organization to talk with one another because these are shared responsibilities," says Robert Brzezinski, MBA, CHPS, CISA, principal of BizWit. "We have to have privacy, security, and compliance. We think people understand what patient privacy means, but they may have a very shallow understanding. We have to use discussions, posters, and other reminders to educate people and promote good privacy and security behaviors, and we need some technology to monitor behaviors."
According to Adrian Talapan, CEO of Haystack Informatics, organizations have become more cognizant of privacy issues. "What we have seen is that hospitals and other health care organizations seem to be improving when it comes to privacy," he says. "They're reinforcing its importance in their employees' minds through notices in elevators and hallways, which remind employees not to discuss patient information in public spaces. We are helping them create a culture that internalizes patient privacy as an everyday way of life. Employees have to have a clear understanding of what that is."
Talapan recommends organizations take a five-step approach to addressing privacy issues. "Detect, investigate, report, educate, and prevent. We [Haystack Informatics] help health care organizations with the first three stages, so they have the know-how to educate their workforce and ultimately prevent additional privacy violations from happening," he says.
Serious Consequences
Brzezinski suggests organizations take a fundamental approach to privacy education. "I tell employees to think of their own home environments, because 70% to 80% of basic privacy and security awareness training content applies to home environments and personal lives," he says. "As a homeowner and family member, you have to protect your home network and your kids or parents from online scams. I think relating privacy and security messages to personal life allows people to better understand the implications of lack of privacy or security at work. So, at the end, they will ultimately change their insecure or noncompliant behaviors."
Brzezinski believes it's important to drive the point home that privacy violations can have a far-reaching impact. "There are examples of companies that couldn't deal financially with a breach and have had to close the doors. Security incidents can affect jobs," he says. "And sometimes people do bad things on purpose to benefit financially from stealing patient information. There are a number of HIPAA enforcement examples by the Department of Justice where people went to jail. Not to scare people, but it's just a fact. You will be held personally responsible if you are caught violating these important rules and regulations."
Talapan concurs, "At a basic level, you have fines levied by the OCR [Office for Civil Rights] for noncompliance. Above that, you have the risk of civil suits and the potential to pay for protection programs for the patients who were affected by ID theft due to the information that was disclosed. Then, the cost associated with revenue loss due to patients taking their care elsewhere if they simply hear about a breach that occurred. If patients have the ability to choose among multiple health providers, they will take their health needs to a place that doesn't have the negative stigma of a breach.
"The financial implications are very high," he continues. "At the top, it's about the health system's reputation. If you think about the number of years and marketing dollars it takes to build a brand, the damage to the good will that a breach of trust can cause is substantial."
Technology's Role
Brzezinski believes the proliferation of HIT is complicating efforts to maintain patients' privacy. "Organizations consistently adopt different types of technology. We have to educate end-users about technology and how it affects security and privacy," he says. "People see the functionality and convenience of new technology but don't understand some of the implications of the convenience solutions."
Take cloud storage, for example. Employees may be using mainstream technology such as Google Drive or Dropbox to store documents. "We've all been there. Sometimes you have to finish a project and share the documents with people you're collaborating with," Brzezinski explains. "But if employees are using consumer-grade solutions that don't have the necessary security built around them, then they don't know who else is logging into that drive and using that solution.
"From a more technical perspective, some of the consumer-grade solutions don't provide protection against malware, and consumer-grade solutions don't have version control built in. So if the computer is infected by ransomware and files are automatically synchronized with the cloud storage, these files in the cloud will also be encrypted and ultimately lost."
There is a significant difference between cloud solutions for business and those for consumers, Brzezinski says. "Users don't always understand the pitfalls of consumer-grade tools and don't realize which are the approved solutions. They may jump to a solution without first checking with the security officer. That creates an issue," he says. "However, cloud solutions can be secure and compliant; some of the cloud vendors will sign a business associate [BA] agreement or incorporate the BA agreement into the licensing agreement."
Additionally, the Federal Risk and Authorization Management Program, or FEDRAMP, approves many cloud solution vendors for use by federal, state, and local governments. And, like larger corporations such as Microsoft and Google, FEDRAMP-approved vendors use the ability to sign the BA agreement and meet HIPAA standards as competitive advantages.
With numerous medical devices connected to a network, Talapan says it creates an environment ripe for wrongdoing. "Everything is moving toward more automation and computerization. Who is minding all this information?" he asks. "Who is making sure that only the right people are accessing the data? The health care industry is different than the financial industry where there are hard access controls in place. You expect and want the hospital to allow an emergency department doctor to collaborate with a phlebotomist. And you expect those employees to access only the information that is required."
Insider Breaches
According to Brzezinski, breaches that occur within an organization fall into the following two categories:
• Unintentional incidents, which occur when employees do not fully understand or are not paying attention to security and privacy concerns—for example, an e-mail or fax sent to the wrong recipient.
• Incidents with malicious intent, which are designed to cause harm or create a financial benefit from disclosing information. Tax, insurance, and prescription fraud fall under the malicious intent umbrella.
"An insider breach could be simply that a nurse wants to see what's wrong with his neighbor and starts looking up the information," Talapan explains. "Or a mother is working in a children's hospital and is looking at her teen daughter's medical records to find out more details."
"People sometimes are simply not aware that their actions are violating privacy rules," Brzezinski says. "They don't understand they shouldn't look at records without needing to, and that is how the first type of insider breach can occur. However, the second type of breach is different. For instance, there is an example of an IT administrator holding data for ransom, or individuals with access to insurance information using it to file false tax returns to profit from that data."
While the general public tends to hear about breaches in large organizations, there are many small unpublicized incidents that may affect only one patient. "In New Jersey, for example, a hospital employee disclosed information about a teenager's suicide attempt, which resulted in bullying," Brzezinski says. "There was also an incident with an employee's Facebook posting that disclosed a woman's HPV diagnosis, and commenters on the post were calling this woman names. Such breaches create a lot of emotional distress for the person and their loved ones. In many cases, these are actions with the intent of harming other individuals, and that shouldn't happen."
"What employees are trained to do is to look at the information of only the patients they need to care for. They should have no reason to look at the ones they don't provide care for," Talapan says. "This becomes an issue especially when a VIP is admitted. Hospitals may often create a new name and even a decoy patient for that individual."
While the prevalence of insider breaches is not easy to measure, there are tools available to help organizations gather a better understanding. "I use the Verizon Data Breach Investigation Report that comes out each April," Brzezinski says. "Organizations report the data breaches they had throughout the year to Verizon. It's a well-respected resource. In the 2016 report, about 77% of breaches could be attributed to insiders or privileged misuse category. Health care was one of the top industries affected by those types of breaches."
The OCR's Wall of Shame lists breaches affecting more than 500 individuals but does not break down whether the attack was internal or external, Brzezinski says. "OCR does not have a category for insider breaches, but I looked at incidents described as 'unauthorized access and disclosure,' which currently stand at about 22.7%, and these incidents are usually associated with insiders," he says. "And I looked at incidents in the 'loss' and 'improper disposal' categories, which constitute 8.5% and 3.7%, respectively, of all reported incidents. These are also likely caused by insiders. If you add up those categories, they equal about 35% of breaches that are caused by insiders. That is a significant figure."
Preventing Insider Breaches
Educating staff is one of the most effective methods of reducing the chances of an insider attack. "Just as hand washing and clean needles became common practices for safe health care environments, the same holds true for the authentication of users when it comes to protecting data," Brzezinski says. "It's both good for patients and good for business to know who is accessing health information. Most of the time, it's simply a matter of not understanding what's right and what's wrong, which is why education is so important.
"We also have to apply the minimum necessary rule," Brzezinski continues. "In health care, you don't need access to all of the information, only to that information that is necessary to do your job. And people need to know that someone is watching. It's not about distrust. It's about checking on the behavior and practices of the organization. We have monitoring tools to provide reports and summarize the log or behavioral data, but we also have to understand what data represent. If we get the wrong data or reports, or if they are interpreted incorrectly, we can put someone's job on the line. Therefore, we have to watch the watchers as well."
Effective Passwords
Brzezinski says passwords are an ongoing issue that shows little signs of being remedied. "We need technical solutions to ensure passwords have the strength they need, but we also have to give users tools and techniques to maintain passwords they can use and live with," he says. "We have to give users the option to use password managers. Then, they have to use only three or four passwords that they actually have to remember. Some of the passwords are random so those we would keep in a password manager or password vault. It's a lot easier when you realize that you have only a few passwords to remember, like those for your device, your password manager, and maybe banking."
Brzezinski suggests health care organizations take steps to ensure password strength. "Some company policies require that passwords be 12 to 14 characters long. I recommend using a password phrase, rather than just a password, and using password padding," he says. "You can combine both techniques and easily meet almost any password requirements. Padding is basically extending password length by adding the same character to your password phrase. For example, putting three exclamation points in the middle or at the end of the phrase would enable you to use a short and memorable password phrase and meet the password length and complexity requirements in a combination that you can easily recall, such as Robert777777."
Both Talapan and Brzezinski believe that implementing biometrics—technology such as fingerprint readers and facial recognition—in place of password-only devices can bolster security efforts. "Scanning fingerprints can make [security] easy," Brzezinski says. "Some organizations have this technology but don't take the time to configure the devices. Facial recognition also makes it easy. Both offer strong security, along with convenience."
Talapan adds, "The topic has been analyzed for the past 15 or 20 years. I see institutions using a card with a two-step or three-step process. If employees move away from their computers for only a few minutes, they can log in with a card rather than using a password.
"And, I agree, biometrics or face recognition are both better," Talapan continues. "Technology is going to come to the rescue, but it may not be right away."
Organizations that create overly strict password rules may be inadvertently creating another problem. Restrictive security policies can cause user frustration that leads to risky workarounds. For example, it's so difficult to log on to the system that users stay logged on when they shouldn't. "Because passwords will be here for a while longer, I believe a password has to be something an employee can remember. We don't want people to write things down and leave them near or on their computers because they were too complicated," Talapan says.
"The ultimate goal with all of this is protecting patient privacy," he continues. "It's about doing the right thing and creating a culture of accountability and correctness."
— Susan Chapman is a Los Angeles-based freelance writer.