Sharing More Data? Ask More Questions.

Posted On:

By Jeff Morrissey
Managed IT Director, McKesson
Health Information Exchange for Home Health - Ask More Questions

Sharing data is becoming a common occurrence for home health and hospice organizations, whether you’re exchanging specific patient data with another provider or more general data on your patient population with a state, regional or private health information exchange (HIE).

As you share more data more often, security rises to the top of your list of concerns—as well as it should. Asking questions is the best way to familiarize yourself with security terminology and become comfortable with what constitutes a secure connection to an HIE.

At a minimum, HIEs must be fully compliant with HIPAA and the state-specific privacy regulations in their region. They also should have readily available, detailed information on their security policies.

For example, HIEs must consider the following:

Physical security

  1. Logged access to the production facility
  2. Power quality and backup power
  3. Smoke detection and redundant HVAC (heating and air)

Network security

  1. Redundant firewalls
  2. Site autonomy
  3. Logged restricted electronic access to the data center

System security

  1. Protection against electronic attacks
  2. Hardening and monitoring of web servers, integration servers and file transfer servers

Access control

  1. Controlled access requests
  2. Strict security account policies
  3. Encrypted remote access
  4. Auditing

Application security

  1. Input validation
  2. Strict authentication
  3. Credentials management
  4. Exception management

Data security

  1. Data separation (PHI never sent or received without being encrypted)
  2. Data auditing
  3. Data backup
  4. Data destruction

In a nutshell, any entity you exchange data with should be able to prove to you that it has well-tested physical/network security, that its facilities and processes are audited periodically, and that it has taken all potential patient privacy concerns into consideration.  It is recommended that entities that handle PHI should undergo an independent SSAE-16 SOC 2 audit to detail and validate security, availability and confidentiality controls within the operation.

It’s no less important to understand the basic causes of data breaches, and their consequences.  In declining order of frequency, here are the main ways in which data is compromised:

  • Theft of paper records or electronic media such as computers, USB flash drives and smart phones
  • Loss of paper or electronic records, including from laptops and storage media that contain sensitive information
  • Unauthorized access to protected health information (PHI) through actions such as hacking, malware infiltration and unpermitted employed-related interventions
  • Human error and technical lapses, such as mistaken mailings, misdirected e-mails and network server glitches
  • Improper disposal of paper records, which usually involves errors by billing or document shredding services, or vendors

The potential negative fallout from these breaches can be devastating, ranging from big monetary penalties to bad publicity to loss of public trust and – perhaps worst of all – harm to patients and subsequent liability if medical records are lost or compromised.  And, ordinary professional, property or general liability insurance won’t necessarily cover any resulting financial losses.

So what should home care organizations do to eliminate or at least greatly reduce their exposure to risk? Evaluate how vulnerable they are to cyber attacks, review their current data privacy policies and the ways they secure their information, and get insurance coverage that is specific to cyber security.

There are some proven preventive strategies that home care organizations can adopt to begin making themselves safer. They can perform a cyber risk assessment/PHI inventory to identify and locate their most sensitive information; look at their data sharing and security agreements with business associates; keep data sharing with vendors to a minimum (as per the HIPAA Privacy Rule); educate their staff about federal and state privacy and notification requirements; obtain encryption technology that will make their protected information unreadable and useless in case of a data breach; put a post-breach response plan in place that gives credit and medical identity monitoring services to affected persons; and take out a cyber-liability insurance policy that addresses data- and privacy-related gaps in their existing coverage.

If you think all of these concerns are overblown, and that data breaches are what happen to the other guy, think again. In its latest annual benchmark study of healthcare data privacy and security, Ponemon Institute found that nearly 90% of healthcare organizations experienced at least one data breach in the past two years.

While compliance with HIPAA and other regulations, as detailed above, is important, compliance isn’t synonymous with foolproof security and risk management. That’s because the big, wide world of healthcare companies is full of legacy systems that have never been designed, coded or tested to adopt security best practices. Piling new systems on top of these older ones to support PHI efforts may actually make a home care organization more vulnerable.

Learn more about HIE and other news from the home health and hospice industry by liking us on Facebook and subscribing to the McKesson Homecare Talk blog.

Leave a Reply

Your email address will not be published. Required fields are marked *