Data Security 101: Avoiding the List (INFOGRAPH)

October 1, 2012
Healthcare data may be ripe for the picking, and that's causing sleepless nights for many CIOs
[Infograph: Healthcare Breaches 101, healthcare breach data]

“[Before the breach], there was a belief that the tapes were encrypted, and in fact they were not. So we put encryption practices into effect immediately,” Turnbull says. “The second thing was dealing with the transport contractors. We stopped sending them to the backup vault in the mountain for some time before we did a review of all the processes. With our own employees, we made it so they have to go to the vehicle and ensure the proper vehicle is there to transport the data.”

BE AGGRESSIVE

Looking back, Turnbull says one of the most important things University of Utah Health Care did in the wake of the breach was to be transparent with patients. He adds that the worst thing an organization can do after a breach is to “try and hide it.” That sentiment is shared by BIDMC’s Halamka, whose organization has suffered two data breaches over the past two years. He says it’s important for those in the industry to share and learn from each other’s mistakes.

“It’s so important for the industry to share lessons learned. We’re all in this together, and it isn’t a question of who is to blame, but how does the industry get better,” says Halamka, who has not only publicly reported the breaches to HHS and BIDMC’s patients, but also discussed them extensively on his popular health IT blog.

Like University of Utah Health Care, BIDMC’s first recent breach was caused by the error of a third-party organization. According to Halamka, a personal device used by a subcontractor ended up getting stolen from that person’s car. The device had error logs on it, and in the error logs there were patient names. This year’s breach happened when the personal computer of a physician was stolen from his desk. Neither device, he says, was procured or protected by the hospital’s IT department. This led BIDMC to make a major change.
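The BIDMC subcontractor incident turned on a detail that is easy to overlook: error logs had patient names in them, so a stolen device that was never meant to hold clinical data became a reportable breach. The following is an added example, not BIDMC's code or anything the article describes, of keeping identifiers out of logs at the logging layer rather than trusting every developer and every device. It assumes a Python application using the standard `logging` module, assumed field names (`patient_name`, `mrn`, `dob`, `ssn`) passed via `extra=`, an assumed MRN format ("MRN" plus 6 to 8 digits), and a placeholder pseudonymization key; the log events are constructed for the demonstration.

```python
import hashlib
import hmac
import logging
import re
import traceback
from io import StringIO

# Assumed names for PHI fields an application might attach to a record via
# `extra=`. These are not field names from any system in the article.
PHI_KEYS = ("patient_name", "mrn", "dob", "ssn")

# Assumed MRN token format for this example: "MRN", optional space/dash, 6-8 digits.
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,8}\b")

# Placeholder key so the example runs offline. In production this comes from a
# secrets store and is rotated; without it a log holder cannot reverse the IDs.
PSEUDONYM_KEY = b"example-only-key-rotate-me"


def pseudonym(identifier: str) -> str:
    """Keyed, truncated hash of an identifier, normalized to its digits.

    "MRN 1234567", "MRN1234567" and "MRN-1234567" all map to the same value, so
    support staff can still correlate records for one patient, but the log
    never carries the real MRN.
    """
    digits = re.sub(r"\D", "", identifier) or identifier
    mac = hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256)
    return "pid-" + mac.hexdigest()[:16]


def _scrub(text: str) -> str:
    """Replace every MRN-like token in free text with its pseudonym."""
    return MRN_RE.sub(lambda m: pseudonym(m.group(0)), text)


class PHIRedactor(logging.Filter):
    """Scrub PHI from a record before any handler formats or writes it.

    Attached to the handler (not the logger) so records from every child
    logger that propagate to this handler are covered.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # 1. Explicitly tagged PHI fields: pseudonymize the MRN, drop the rest.
        for key in PHI_KEYS:
            if hasattr(record, key):
                value = str(getattr(record, key))
                setattr(record, key, pseudonym(value) if key == "mrn" else "[REDACTED]")
        # 2. MRN-like tokens in the message template and its %-args.
        if isinstance(record.msg, str):
            record.msg = _scrub(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(_scrub(a) if isinstance(a, str) else a for a in record.args)
        # 3. Exception text: str(exc) often echoes the identifier that failed a
        #    lookup. Render the traceback here, scrub it, and hand the handler
        #    the scrubbed text instead of the live exc_info.
        if record.exc_info and record.exc_info[1] is not None:
            record.exc_text = _scrub("".join(traceback.format_exception(*record.exc_info)))
            record.exc_info = None
        return True


class ContextFormatter(logging.Formatter):
    """Append whichever tagged fields are present, post-redaction."""

    def format(self, record: logging.LogRecord) -> str:
        base = super().format(record)
        ctx = " ".join(f"{k}={getattr(record, k)}" for k in PHI_KEYS if hasattr(record, k))
        return f"{base} {ctx}".rstrip() if ctx else base


def log_constructed_events() -> list[str]:
    """Send three constructed events through the redacting handler and return
    the lines exactly as they would reach disk (or a subcontractor's laptop)."""
    buf = StringIO()
    logger = logging.getLogger("ehr.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(ContextFormatter("%(levelname)s %(message)s"))
    handler.addFilter(PHIRedactor())
    logger.addHandler(handler)

    # Constructed events; the names and MRN are made up.
    logger.error("order sync failed for %s", "MRN 1234567")
    logger.error("record lookup failed", extra={"patient_name": "Jane Doe", "mrn": "MRN1234567"})
    try:
        mrn = "MRN-1234567"
        raise ValueError(f"no encounter for {mrn}")
    except ValueError:
        logger.exception("scheduler crashed")
    return buf.getvalue().splitlines()
```

The regex layer is a backstop, not the design: names cannot be reliably pattern-matched, so the real control is that application code passes identifiers only through the tagged `extra=` fields, where the filter replaces them deterministically. The pseudonym keeps the logs useful for support while making a lost device hold nothing a patient would recognise as their record.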

“CIOs may not have a lot of authority, but we have a whole lot of accountability. How will you sleep at night knowing you’re responsible for any device at the Apple Store? The answer is you have to take an active approach, rather than passive,” he adds.

WORKFORCE EDUCATION

Around the block from BIDMC, Brigham & Women’s Hospital, a 777-bed teaching affiliate of Harvard Medical School, also recently suffered a data breach. It occurred when a doctor who works at Brigham & Women’s and nearby Faulkner Hospital lost an external hard drive in a cab; the drive stored data on 638 patients.

Sue Schade, who is currently CIO of the University of Michigan Hospitals and Health Centers and was CIO of Brigham & Women’s at the time of the breach, says the incident taught her that it’s important to ensure your policies are in place and people are trained on them. “The number of breaches right now of a large-scale magnitude that involves security within your overall infrastructure is far less common than the small ones of laptops and flash drives,” she says. “And that latter category is really about education of the workforce.”

STANDARDS AND PRACTICES

For some, though, data breaches are complex and involve IT infrastructure. Take the Surgeons of Lake County, Libertyville, Ill., which recently had the server hosting its unencrypted EHR data hacked, encrypted, and held for ransom. The practice did not oblige, and instead turned off its servers and alerted authorities. To Dorothy Glancy, professor of law and digital privacy expert at Santa Clara University, Santa Clara, Calif., this kind of breach represents more serious criminal activity.

“[The hackers] were probably pros, and not just 16-year-olds playing in their bedroom,” Glancy says. “I don’t think a single person was targeted but probably the organization, and probably for financial reasons.”

McMillan says these kinds of threats would be better avoided if stronger data security standards and practices, beyond what the HITECH Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) already require, were implemented and observed industry wide. “We’re in a kind of environment where healthcare really needs to step up its game. It needs to adopt a real security standard like you see in other industries,” he says with conviction.

Mac McMillan

Of course, as Glancy and others note, it’s most important to shore up data security practices in house. In an era where the digitization of data is rampant, getting your own information secured and your staff trained is critical.

“Think about the law of averages. They [providers and payers] have all this information or almost all, which can identify one person, one way or another. And they have so much data per person because of the way medicine is practiced. So yeah, the law of averages says there will be a lot of data breaches. It’s not surprising,” Glancy says.

SIDEBAR: THE 10,000 CLUB

Notable data breaches in 2012 affecting more than 10,000 patients*

Jan. 25 – Howard University – 34,503 patients

Jan. 31-April 2 – South Carolina Department of Health and Human Services – 228,435 patients

Feb. 7-Feb. 20 – Emory Healthcare – 315,000 patients

Feb. 11 – Indiana Internal Medicine Constituents – 20,000 patients

March 10 – Utah Department of Health – 780,000 patients

March 16 – Our Lady of the Lake Regional Medical Center – 17,339 patients

April 30 – The University of Texas MD Anderson Cancer Center – 29,201 patients
