Protecting Health Information
What You Need to Know
It is well recognized in the security industry that data security cannot be bolted onto a finished system. Security must be built in from the start, as part of both system development and organizational development.
As today’s healthcare industry demands stronger security around the handling and storage of patients’ electronic data (Protected Health Information, or PHI), older technologies struggle to keep up. Legacy systems were never built with security in mind and, as a result, face a nearly insurmountable task in trying to meet today’s security expectations.
With civil penalties of up to $1.5 million per year for each type of violation, and criminal penalties of up to $250,000 in personal fines and up to 10 years of imprisonment, every dental practice must make externally verified security the fundamental starting point when selecting an Electronic Health Records (EHR) system. You remain responsible for the work your service provider delivers, so external audits of that provider need to be your standard.
Below are questions we recommend you ask any service provider that might handle and/or host your patients’ data.
When was your last external security audit? Who conducted it? Show me the outcome.
What questions do you recommend I ask about the security of my patients’ PHI?
How is my patients’ health information protected with your system and company?
How does your software and company help prevent me from accidentally exposing PHI?
Patient PHI out in the cloud seems risky. How do I know that it is safe?
Patient PHI in my office seems risky as well. How do I make local data safe?
ICE Health Systems (ICE) responses to these security questions
When was your last external security audit? Who conducted it? Show me the outcome.
ICE Response: November 2015. Conducted by the information security office at the University of Michigan. The outcome was positive, and we would be pleased to connect you with the university to discuss it directly with them.
What questions do you recommend I ask about the security of my patients’ PHI?
ICE Response: We developed these questions as a service. Providers that are attentive to security issues should be able to recommend similar questions for you to ask.
How is my patients’ health information protected with your system and company?
ICE Response: Protection is provided through a security framework. It is an ongoing process that begins with a risk assessment to determine the greatest areas of concern. Next we develop security policies to address those concerns (covering controls such as data encryption, separation of duties and penetration testing). Policies are then implemented through documented, auditable procedures. Procedures are reviewed for their effectiveness, and that review feeds the next risk assessment. Examples of security controls include:
- continuous monitoring of production servers for login attempts
- data encryption at rest and in transit
- separation of duties
- penetration tests
- ongoing security and privacy training
- reviews of programming code
- automated analysis of programming code for known vulnerabilities
- geographic (location-based) restrictions on user authentication
- security baseline procedures based on industry standards
- a security incident response plan
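As an illustration of the first control in the list, monitoring production servers for login attempts, the following is an added example written for this page; it is not ICE’s code and does not describe how ICE’s monitoring is built. It scans OpenSSH-style authentication log lines (the sample lines are constructed, not real production data), counts failed logins per source address within a time window, and raises an alert when a source exceeds a threshold, plus a second, higher-priority alert when a successful login follows such a burst of failures from the same address. The log format, the year used for timestamps, the five-failure threshold and the ten-minute window are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (not real data).
# 203.0.113.7 fails five times and then succeeds as root: the pattern
# a monitoring control must surface. The other two addresses are benign.
SAMPLE_LOG = """\
Mar  3 09:14:01 ehr-app1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:03 ehr-app1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:14:06 ehr-app1 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:09 ehr-app1 sshd[4122]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:14:12 ehr-app1 sshd[4123]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:14:20 ehr-app1 sshd[4124]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 09:30:00 ehr-app1 sshd[4200]: Failed password for jsmith from 198.51.100.4 port 40010 ssh2
Mar  3 09:30:45 ehr-app1 sshd[4201]: Accepted publickey for jsmith from 198.51.100.4 port 40011 ssh2
Mar  3 11:00:00 ehr-app1 sshd[4300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 13:00:00 ehr-app1 sshd[4301]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

FAIL_THRESHOLD = 5               # assumed: failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)   # assumed: sliding window per source address
LOG_YEAR = 2015                  # assumed: syslog lines carry no year

# Matches both "Failed password for [invalid user] X from IP" and
# "Accepted password|publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=LOG_YEAR):
    """Return a dict with ts/result/user/ip for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_login_abuse(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window failed-login detector.

    Returns a list of alerts in log order:
      ("brute_force", ip, failure_count, ts)        once per source address
      ("success_after_failures", ip, user, ts)      for each success that follows
                                                    >= threshold recent failures
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated syslog line
        q = recent_failures[ev["ip"]]
        # Expire failures that fell out of the window relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                alerts.append(("brute_force", ev["ip"], len(q), ev["ts"]))
                flagged.add(ev["ip"])
        elif len(q) >= threshold:
            # A success right after a burst of failures is the event to
            # escalate: it may be a guessed password rather than a typo.
            alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector reports two alerts for 203.0.113.7 (the fifth failure at 09:14:12 and the root login at 09:14:20) and nothing for the user who mistyped once or for the two failures spaced hours apart. In production the same logic would read from the syslog pipeline continuously and route the second alert type to the incident response plan listed above.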
How does your software and company help prevent me from accidentally exposing PHI?
ICE Response: Product development through active and ongoing collaboration with industry leaders allows practical planning and development of system features that are both intuitive and secure.
Patient PHI out in the cloud seems risky. How do I know that it is safe?
ICE Response: Cloud services provide a unique solution that must be properly evaluated against security concerns. A cloud solution places your data in the hands of a third party, stored and processed on shared resources that are reachable from the internet. As with any third-party hosted solution, trust must come through transparency and accountability. The third party must be aware of its responsibilities, which is demonstrated through a signed Business Associate Agreement (BAA). Controls must exist to ensure that the procedures protecting your data are followed, and those procedures must be proven effective through regular third-party audits. Security controls must also ensure proper isolation and protection of data on shared resources (some cloud services, such as AWS, offer dedicated resources as an option). As with any internet-connected solution, protections against hacking must be in place. Through economies of scale, cloud solutions are well positioned to outperform other solutions in terms of integrated security; however, these controls should be confirmed through third-party audits.
Patient PHI in my office seems risky as well. How do I make local data safe?
ICE Response: Patient data must be handled securely regardless of where it is stored; your liabilities and responsibilities are the same. You must therefore ensure that every item identified in the questions above is addressed by you and your provider. More of that burden falls on you if you host your data locally.