There’s no denying it—healthcare data has gone digital. The days of paper health records are fast disappearing, and if the Centers for Medicare & Medicaid Services have their way, we won’t be going back. CMS has built meaningful use of electronic health records into its plans for a number of years, and the healthcare industry is responding.
Of course, patient health records aren’t the only reason healthcare systems store sensitive digital information. The equipment used in clinics and labs, such as ultrasound machines or lab computers, stores patient data; we share protected information through email and other secure systems; and our business associates processing insurance claims and reading lab results are also storing patient data.
With such large amounts of healthcare information now being stored in digital format, I believe healthcare systems should consider the following key questions:
- Do you know what types of data are being stored digitally in your system?
- Is the data properly secured?
- Is the data being transmitted securely to offsite customers, clients and associates?
Even with small systems, it’s quite difficult to list all the types of data generated and maintained. Add the daily pressures of work and a lack of resources, and it’s understandable why many hospitals have not performed an inventory of all the data integral to continued operation.
The big issue is that there are many different departments and divisions within a healthcare system generating and maintaining specific types of data. As a best practice, the administration and IT department should consider performing a thorough inventory of the data within the entire system.
An efficient way to do this is to assign a contact person within each department or division and have that person work to identify the following information:
- the types of data that are generated daily
- the level of significance of the data
- where the data resides (for example, a local workstation or laptop, a shared network or a storage device)
- how long the data must be retained
- whether or not the data is transmitted electronically outside of the system to patients, physicians within and outside of the system, other healthcare providers, processing organizations, payers, etc.
This data inventory process can be time consuming and can involve feedback from a number of individuals within a department.
Once a thorough data inventory has been completed for the system, however, the administration should review the various categories of data and determine the sensitivity level for each. Administrators should consider the regulatory requirements that might be attached to the data, whether the data contain sensitive information regarding patients and employees, whether the data are important for financial decisions and reporting, and whether the data contain sensitive information, plans or strategy.
For any data that are considered to be sensitive to an organization, the administration should work with IT to ensure that the data are being stored securely within the system’s network. When data are stored locally on system workstations and laptops, IT should ensure that the devices are properly encrypted and kept physically secure. When the data are stored on networked devices within a department, IT personnel should ensure that access to these shared devices is properly restricted to only those employees with a business need. For data that are stored on backup tapes, IT management should review the backup tapes and ensure that they are physically secure and that the tapes are encrypted. If a cloud backup solution is used, IT management should ensure that only authorized personnel have access to these backups.
The transfer of healthcare data offsite can be risky without proper planning. Before agreeing to transfer healthcare data, administrators should ensure that proper business associate agreements are in place between the system and the receiving party.
System administrators should review the available transfer methods, such as FTP, SSH, VPN or TLS, to ensure that both the sender and the receiver use sufficient security. If sensitive data is emailed, IT management should ensure that encryption software is installed on the mail server. The software should automatically scan both the body of the email and attachments and then properly encrypt any sensitive data. IT management should have established policies that spell out the required level of data-transfer security that must be met by any party that is receiving sensitive data.
If the business associate receiving the data is not willing to accept the system’s security requirements for data transfer, the administration should question the business relationship or consider other secure methods of providing the needed data. An unwillingness to follow security protocols for data transfer could result in data breaches that could lead to large fines and the tarnishing of the system’s public reputation.
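The inventory fields and the storage and transfer checks described above can be kept as structured records and reviewed automatically. The following is an added example, not part of the original article; the field names, location labels, sample entries and the approved-transfer set are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy: transfer methods that encrypt data in transit. Plain FTP
# sends credentials and content unencrypted, so it is left out of the set.
APPROVED_TRANSFER = {"SSH", "VPN", "TLS"}

@dataclass
class InventoryEntry:
    department: str
    data_type: str
    sensitive: bool
    location: str              # workstation, laptop, network_share, backup_tape, cloud_backup
    retention_years: int
    encrypted_at_rest: bool = False
    access_restricted: bool = False
    sent_offsite_via: Optional[str] = None
    baa_in_place: bool = False  # business associate agreement with the receiver

def findings(e):
    """Return the storage and transfer gaps for one sensitive inventory entry."""
    if not e.sensitive:
        return []
    gaps = []
    if e.location in {"workstation", "laptop", "backup_tape"} and not e.encrypted_at_rest:
        gaps.append(f"{e.location} storage not encrypted")
    if e.location in {"network_share", "cloud_backup"} and not e.access_restricted:
        gaps.append(f"{e.location} access not restricted to business need")
    if e.sent_offsite_via:
        if not e.baa_in_place:
            gaps.append("no business associate agreement with receiver")
        if e.sent_offsite_via.upper() not in APPROVED_TRANSFER:
            gaps.append(f"{e.sent_offsite_via} is not an approved transfer method")
    return gaps

def report(inventory):
    """Map (department, data type) to its gaps, omitting entries with none."""
    checked = {(e.department, e.data_type): findings(e) for e in inventory}
    return {key: gaps for key, gaps in checked.items() if gaps}

# Constructed sample inventory, one entry per department contact.
SAMPLE_INVENTORY = [
    InventoryEntry("Radiology", "ultrasound images", True, "workstation", 7),
    InventoryEntry("Billing", "insurance claims", True, "network_share", 7,
                   access_restricted=True, sent_offsite_via="FTP", baa_in_place=True),
    InventoryEntry("Lab", "lab results", True, "laptop", 7,
                   encrypted_at_rest=True, sent_offsite_via="TLS"),
    InventoryEntry("Facilities", "cafeteria menus", False, "network_share", 1),
]

if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```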
Data truly is one of the most integral elements for healthcare today. The performance of a data inventory can help an organization identify where data is located and who has access to it. Using a data inventory, administrators can make a concerted effort to properly secure the data both internally and during transmission to customers and clients.