
The Unpopular Answer to Data Protection

October 6, 2012

I’ve been thinking about data breaches in healthcare a lot lately. For my feature in the October/November issue of Healthcare Informatics, I interviewed various industry thought leaders who had plenty to say on the topic. One constant theme from every interview subject was that this issue is primarily an organizational one. When I interviewed James Rountree, senior consultant for Aspen Advisors, in a recent two-part podcast series, he echoed those feelings.

As Michael ‘Mac’ McMillan, chair of the HIMSS Privacy & Policy Task Force, and co-founder and CEO of CynergisTek Inc., a health information security and regulatory compliance firm located out of Austin, Texas, says, the unpopular answer to why we’ve seen an uptick in the amount of data breaches is “carelessness or lack of attention to controls, or lack of attention by the organization.”

What does this mean? It can mean lost portable devices, stolen devices, unencrypted devices and unencrypted data, and the lack of a multi-layered firewall. It can mean uneducated employees, the lack of uniform BYOD policies, or a miscommunication with a third party. It can mean a lot of things, but whatever it is, it ultimately falls back on the organization. I keep thinking of something John Halamka, M.D., CIO at the Boston-based 649-bed Beth Israel Deaconess Medical Center (BIDMC), told me during our interview.

“CIOs may not have a lot of authority, but we have a whole lot of accountability,” he says.

That is an accurate statement if I’ve ever heard one!

Take a recent story I read about in Florida. At the University of Miami Hospital, a 525-bed general medical and surgical facility, two employees accessed patient information from registration “face sheets” and reportedly sold that information to a third party. According to the hospital, this happened between Oct. 2010 and July 2012, almost two years uninterrupted.

Interestingly, this mirrors another Florida-based data breach. This one occurred at Florida Hospital Celebration Health, a 112-bed acute care facility. In that case, a 35-year-old hospital employee, his 31-year-old wife, and a 30-year-old co-conspirator accessed more than 760,000 patient records from 2009-11, and reportedly sold them to the agent of a medical center, chiropractic clinics, and an injury hotline.

Let’s say for the sake of argument that these charges are true. How does an organization let this kind of behavior happen over a two-year period? You can make every excuse in the book and hospital leaders may not be directly at fault, but don’t be mistaken, as Halamka says, the unquestioned accountability lies at the top.

Halamka would know. His hospital, an industry-recognized leading medical facility, has had to deal with multiple data breaches. After the most recent one, tired of dealing with accountability, he decided to take a more aggressive stance. Every device that touches the BIDMC network, whether it’s the hospital’s own device, the physician’s personal device, or something else, must be synced by the IT team. This forces password protection and encryption on every device that touches the network, Halamka says.

Other CIOs would likely agree that shoring up policies is the way to go. I heard similar things from Sue Schade, currently CIO of the University of Michigan Hospitals and Health Centers and formerly CIO of Brigham & Women’s Hospital at the time of a recent breach, and Jim Turnbull, CIO of the four-hospital, integrated University of Utah Health Care system, both of whom dealt with breaches of their own.

With all the digitization of healthcare data set to take place in the coming years, this issue will only become more prominent. What’s the first thing providers need to focus on to avoid landing on the growing list of data breach victims kept by the federal Department of Health and Human Services (HHS)? Schade’s three-word answer should suffice: “Policy and training.”



And ONC is going to get tough on vendors as well under Stage 2. They issued a test procedure for End User Device Encryption 170.314(d)(7) that requires vendors to automatically encrypt data transferred to external devices.

It states:
§170.314(d)(7) End-user device encryption. Paragraph (d)(7)(i) or (ii) of this section must be met to satisfy this certification criterion.
(i) EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops.
(A) Electronic health information that is stored must be encrypted in accordance with the standard specified in § 170.210(a)(1).
(B) Default setting. EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.
(ii) EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops.

Frank Poggio
The Kelzon Group
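The criterion quoted in the comment above has three moving parts that an EHR client has to get right: nothing stays on the end-user device in the clear once the session stops, encryption is on by default, and only a limited set of identified users can turn it off. The model below is an added illustration, not code from ONC, Healthcare Informatics, or any EHR vendor. The class names, the `security_admin` role, and the HMAC-SHA256 counter-mode cipher are assumptions chosen so it runs with the Python standard library alone; a certified product would use a FIPS 140-2 validated algorithm as § 170.210(a)(1) requires, and the policy logic around it is the part worth reading.

```python
"""Model of the 170.314(d)(7) end-user device encryption criterion.

Added illustration (not ONC or vendor code). The cipher here is an
HMAC-SHA256 keystream in counter mode with an HMAC tag, an assumption made
only so the file runs with the standard library; the rule itself points at
the FIPS 140-2 approved algorithms named in 170.210(a)(1).
"""
import hashlib
import hmac
import secrets

ALLOWED_CONFIG_ROLES = {"security_admin"}  # assumed name for the "limited set of identified users"


class PolicyError(Exception):
    """Raised when a user outside the allowed set tries to change the setting."""


class DeviceEncryptionConfig:
    """Paragraph (d)(7)(i)(B): on by default, and the change is restricted and audited."""

    def __init__(self):
        self.encrypt_at_rest = True   # default setting per (i)(B)
        self.audit = []               # (outcome, user, requested value)

    def set_encrypt_at_rest(self, user, role, enabled):
        if role not in ALLOWED_CONFIG_ROLES:
            self.audit.append(("denied", user, enabled))
            raise PolicyError(f"{user} ({role}) may not change device encryption")
        self.audit.append(("changed", user, enabled))
        self.encrypt_at_rest = enabled


def _keystream(key, nonce, length):
    """Expand key+nonce into `length` bytes with HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a modified blob or wrong key is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class LocalCache:
    """Electronic health information held on the end-user device."""

    def __init__(self, config, key):
        self.config = config
        self.key = key
        self.plain = {}    # records in the clear while a session is active
        self.stored = {}   # what remains on the device after the session stops

    def put(self, record_id, data):
        self.plain[record_id] = data

    def end_session(self):
        """Paragraph (i): whatever stays behind after use stops must be encrypted.

        When the setting has been disabled by an allowed user, the records are
        written in the clear, which is exactly the state (i)(B) exists to guard.
        """
        if self.config.encrypt_at_rest:
            self.stored = {rid: seal(self.key, d) for rid, d in self.plain.items()}
        else:
            self.stored = dict(self.plain)
        self.plain.clear()
        return self.stored

    def resume(self):
        """Next session: decrypt what was left on the device."""
        if self.config.encrypt_at_rest:
            self.plain = {rid: open_sealed(self.key, b) for rid, b in self.stored.items()}
        else:
            self.plain = dict(self.stored)
        return self.plain


def stored_in_clear(cache, sample):
    """Auditor's check: does any record on the device still contain the known sample bytes?"""
    return any(sample in blob for blob in cache.stored.values())
```

The `audit` list is the piece a compliance reviewer would actually ask for: every denied attempt to switch encryption off is recorded with the requesting user, so the restricted-configuration requirement can be demonstrated rather than asserted. `stored_in_clear` is the kind of spot check a hospital could run against a sample device to confirm that the default has not quietly been changed.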

Thanks for the great information!