D'Arcy Gue


Are You Protecting Your Healthcare Data?

October 16, 2012


Healthcare IT, HIPAA & Security

In a healthcare organization, it’s “data, data everywhere”. But do you really know where it resides? Are you taking the necessary steps to protect healthcare data?

If you planted your credit cards in the backyard, you would protect them. When you carry your cards with you, you are sure which pocket (or handbag section) they are secured in. But, if you didn’t know the cards were in that old wallet, you just might leave it in today’s trash bag, curbside, for the regular garbage pickup. The potential result: your garbage man will be buying a new iPhone on your Mastercard.

Wouldn’t you expect your healthcare organization to protect precious data with the same diligence that you use to protect your credit cards? Often, healthcare IT managers don’t consider all the possible patient information locations requiring concern. This article will describe some of the hidden places where healthcare data may exist, so that you can take proper protective action.

After identifying your data assets, your organization should conduct a documented risk analysis over each type of data and determine its location and vulnerability. With a systematic analysis, you can determine if additional controls are needed to lower protection risks to an acceptable level.

Start with a list and record every location where your data exists. Do a comprehensive drill-down.

As an example, all healthcare organizations have business associates. Realize that if a business associate experiences a security breach that involves your patient data, your organization is responsible for reporting this breach. You therefore have a responsibility to ensure that there is a vetting process before releasing the event. A HIPAA-required business associate’s agreement may no longer be enough.

List every business associate. Every one. Including your IT vendors, consultants, billing firms, claims processors… you get the idea.

List every type of entity (person or organization) that may be storing your patient data, whether they realize it or not. And, ask some questions:

  • Home Computers: Are there workers who routinely take protected information home to work? How is this prevented? Is this being done on their personal equipment? What happens when that person is no longer employed by our organization? What if someone steals his or her computer containing Protected Health Information? Do you have policies and procedures to cover such an incident? You will have to report that breach.
  • Transcription Services: There have been more than a few stories of breaches involving transcription services. Have you vetted your transcription services? Have they given you any assurance about how they secure your protected health information?
  • Accountants / Examiners: How are you giving this data to them? Have they asked you to provide the information on an unencrypted thumb drive? Does anyone maintain a list of what data we have given out, and to whom?
  • Common Business Associates: Law Firms, Collection Agencies: How do you provide this data to them? Do you have assurances that they protect patient information?
  • Email File Transfers: How do you prevent data loss through emails? Many organizations secure/monitor their corporate email, but then allow employees access to their personal email (Hotmail, Gmail, Yahoo, etc.). Employees can then send files to private addresses, so they can work at home.
  • Common Mobile Media: Laptops, thumb drives, and more…. Is critical data encrypted? Do you know to whom it is entrusted?
  • Smart Phones, iPads, Bring Your Own Device: Do you have policies and procedures to control what data is allowed on these devices?
  • Electronic Data Given to Patients: How are you protecting this information? What are the risks associated with this activity?
  • Biomedical Equipment: Such devices often store information about patients. Do you have a list of the devices you employ and the information maintained on them? When disposing of this equipment, what assurances do you have that the data has been removed?
  • Printers/Digital Fax Machines: Printers are often time-leased. Do you have a process for removing protected health information before old equipment is replaced? Can casual viewers access information on printers?
  • Paper: Do not forget about paper. Have you done a simple walk-through of your facility to find where paper records exist? It is common to find boxes of old records stored in areas accessible by unauthorized users and patients.

I’ve just offered some of the locations where your critical data may be hiding — outside your normal clinical systems. The list is not all-inclusive; you also should be concerned with the data that resides on servers, application systems, etc.

The first step in security risk analysis is to identify where your data resides. I recommend that once you begin your list, don’t assume it’s complete. You will probably keep adding to it.

Perform periodic risk analyses to determine if additional controls are needed. And, remember that HIPAA requires us to document our actions and to maintain the documentation for six years. If an auditor asked for your risk analysis over these areas of risk, could you provide it?

 


