October 16, 2012
In a healthcare organization, it’s “data, data everywhere”. But do you really know where it resides? Are you taking the necessary steps to protect healthcare data?
If you planted your credit cards in the backyard, you would protect them. When you carry your cards with you, you are sure which pocket (or handbag section) they are secured in. But if you didn’t know the cards were in that old wallet, you just might leave it in today’s trash bag, curbside, for the regular garbage pickup. The potential result: your garbage man will be buying a new iPhone on your Mastercard.
Wouldn’t you expect your healthcare organization to protect precious data with the same diligence you use to protect your credit cards? Often, healthcare IT managers don’t consider all the possible locations of patient information that require attention. This article will describe some of the hidden places where healthcare data may exist, so that you can take proper protective action.
After identifying your data assets, your organization should conduct a documented risk analysis over each type of data and determine its location and vulnerability. With a systematic analysis, you can determine if additional controls are needed to lower protection risks to an acceptable level.
Start with a list and record every location where your data exists. Do a comprehensive drill-down.
As an example, all healthcare organizations have business associates. Realize that if a business associate experiences a security breach involving your patient data, your organization is responsible for reporting this breach. You therefore have a responsibility to ensure that there is a vetting process before the event is released. A HIPAA-required business associate agreement may no longer be enough.
List every business associate. Every one. Including your IT vendors, consultants, billing firms, claims processors… you get the idea.
List every type of entity — person or organization — that may be storing your patient data, whether they realize it or not. And, ask some questions:
I’ve just offered some of the locations where your critical data may be hiding, outside your normal clinical systems. The list is not all-inclusive; you should also be concerned with the data that resides on servers, application systems, etc.
The first step in security risk analysis is to identify where your data resides. I recommend that once you begin your list, don’t assume it’s complete. You will probably keep adding to it.
Perform periodic risk analyses to determine if additional controls are needed. And, remember that HIPAA requires us to document our actions and to maintain the documentation for six years. If an auditor asked for your risk analysis over these areas of risk, could you provide it?