Ransomware and the challenge of protecting PHI
In my last article I shared information about the vulnerability of computer networks against a form of malware known as ransomware. In review, ransomware is a hack that encrypts all files on a computer or network so they are inaccessible. (In some cases operating systems have also been encrypted). In order to gain access to the files, the victim is required to pay a ransom to the hackers using untraceable bitcoins. What has made ransomware even more concerning is that the healthcare industry has been targeted in recent months, which has put the systems used to protect patient privacy to the test.
Healthcare cloud security
Protecting patient information is a challenging but vital component of the healthcare system. State and local governments as well as healthcare organizations all have policies and procedures to ensure the protection of patient data. On the federal level, there is the Health Insurance Portability & Accountability Act, (HIPAA). This federal law provides privacy standards to protect patients’ Protected Health Information, (PHI), provided to health plans, doctors, hospitals and other healthcare providers. PHI generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects in order to identify an individual and to determine appropriate care. HIPAA ensures that PHI is secure, whether it is hard copies or digitally stored. In addition, the Health Information Technology for Economic and Clinical Health, (HITECH), Act is designed to promote the adoption and meaningful use of healthcare information technology. This federal law also addresses privacy and security concerns, as well as strengthens enforcement of HIPAA rules.
Having security standards that address both hard as well as electronic records is vital in today’s healthcare world because the transmission and storing of patient information is increasingly electronic. Healthcare processes that are increasingly electronic include scheduling, dictation, transcription, coding, and medical record storage. Not only are many processes done electronically, but a healthcare facility could use several different companies for the transmission and storage of PHI, which increases the need for good security.
Hospitals and other healthcare organizations utilize software and hardware to protect their patient data, most of which is developed and maintained internally and is compliant to or greater than federal guidelines. Some healthcare organizations use outside vendors such as ClearData to manage and secure their cloud storage. There is also a need to safeguard physical documents, such as scanned medical records, that are often kept off-site. For this, many healthcare organizations rely on companies such as Access and Iron Mountain.
In addition to electronic security systems and document storage, there are actions that do not involve electronics or “the cloud.” Some of these include confirming a patient’s identity at the first encounter, not discussing a patient’s case with any unauthorized parties without their permission, not leaving hard copies of forms or records where unauthorized persons may access them, and using only secured routes to send patient information, (and always marking the information as confidential). Confidentiality is further protected by keeping records that contain patient names and other identifying information in closed, locked files, restricting access to electronic databases to designated staff, protecting computer passwords or keys, safeguarding computer screens, keeping computers in a locked or restricted area, physically or electronically locking hard disks, keeping printouts of electronic information in a restricted or locked area and destroying printouts that are no longer needed.
It takes a lot of planning and maintaining to ensure that healthcare organizations have policies and procedures in place to ensure that patient data is safe and secure and to prevent and minimize breaches. The American healthcare industry is working hard – and utilizing many modern technologies as well as taking common-sense steps – to ensure that our personal data is protected.
About the Author
Brian Chicoine was born in Nashua and raised in Manchester, graduating from West High School. After earning his undergraduate degree from Rhode Island College in Providence, Brian and his family lived in Manchester for about five years before returning to the Ocean State. Brian has merged his passion for entrepreneurship and innovation with his love of new and bold ideas to bring fresh perspectives on the way things are done. Brian, his wife Jackie and their two boys live in Rhode Island, but their hearts are in New Hampshire.
Originally published April 2016 in the Manchester Ink Link