Unfortunately, we live in a nefarious world when it comes to cyber attacks, hackers, malicious malware threats, and loss or theft of personal data due to computer breaches. Look at the recent announcement of a major breach at Anthem Health that potentially could impact 80 million records. Let’s face it, its time catch a thief! We must engage now to protect further loss of Protected Health Information (PHI) and organizations who aren’t do so must realize that “doing nothing” is not an option; nor was it ever an option.
So What can Organizations do to Secure Critical PHI?
Here’s what I told a group of healthcare executives recently at a major conference on this topic of securing PHI. I discussed that to protect personal health information we must think like a thief; so I’ll using analogies from a childhood TV show series that I often watched called “It Takes a Thief.” ™
The show was about a convicted cat burglar Robert Wagner known in the show as Alexander Mundy who gets an incredible offer he can't refuse from the United States government: If he puts his formidable thieving skills to work for them and steal for the government, then he'll be released from prison. Also Alexander's dad, Alistair played by the famous Fred Astaire would sometimes come out of retirement as a thief to help his son too on special jobs as well. So let’s have some fun and once again, I’ll use the TV Show series as a comparison to explain 3 basic steps organizations can do to catch a thief or prevent thievery of PHI.
Step One: Assess and Protect PHI
In the TV Show, “It Takes a Thief” valuable items the thieves took were worth thousands of dollars. So just like the TV show healthcare data has a priceless value that thieves want to steal and even more importantly PHI is life giving data. Organizations may need to start thinking like the TV series actor Mr. Mundy and think like a thief to protect valuable PHI and catch a PHI thief.
Protecting PHI involves thinking about how a thief could break policy or procedures in three key areas: Technical safeguards, Administrative safeguards, and Physical safeguards. I’ll discuss each safeguard below to illustrate a way to stop a PHI thief.
(1) Deploy technical safeguards like encryption, access controls, and monitor the organization’s network IP traffic.
(2) Vigorously train and sanction administrative safeguard policy violations. For example, set up and train online passwords, electronic consent rights policies, and procedures for system
Business Associates (BAs) who aren’t regularly following the organization’s policies.
(3) Publish and mandate physical safeguards such as not allowing unauthorized mobile or remote devices to connect by wireless, USB, or printer ports. Physically locking-up and storing securely out of site any portable devices like tablets, iPads, & accessible small electronic medical devices after use each day.
Thinking like a thief allows you assess and evaluate your organizations venerability’s, potential safeguard breakdowns daily, reduce negligent acts by employees and BAs, and create a necessary “heightened alerts” compliance culture for your organization before something bad happens.
Step Two: Find an Expert to Help Secure PHI
In the TV series, Al Mundy’s Father Alistair would join him on special jobs and together they were stronger. So too, when it comes to securing PHI organizations have to find the experts and use expert technology working together to secure PHI. Securing PHI is not a “do-it-yourself” exercise; nor is it supposed to be free of charge or even subsidized by other government agencies. Hiring experts with the right technology is just the right smart thing to do to secure PHI. This notion of getting expert help and using smart technology to secure PHI was recently commented on by our country’s new Chief Privacy Officer, Attorney Lucia Savage, she explained at Feb 2015 Annual ONC Conference, Savage said her idea of managing consent is to stop managing it and make it computable. She said, “Let’s make computers be able to do this so we can write privacy rules that software can capture. That’s my vision,” she called it “Computable Privacy.” According to Savage, capturing a patient’s consent choice on a piece of paper is interoperable. “We can have all the technical standards in the world, but if consent is with pen and paper, the whole system crashes to a halt,” she said. So like Lucia, I believe to catch a PHI thief organizations should get expert help.
Step Three: Leave No PHI Behind
My third and final analogy from the TV Series', happened in the third season of the show, another key actor Malachi Throne who played Mundy’s Secret Intelligence Agency (SLA) boss, Mr. Wallie Powers was replaced by Edward Binns, which may have impacted the shows future. As Throne explained: "They had this idea of shooting the whole season in Italy, but they wanted me to stay behind and give Wagner’s character orders over the phone. I told them if I didn’t go I’d quit, and I did” and the show ended after the third season. “The show was successful because the chemistry between Wagner and Throne, the two actors working together. This working together mentality seems to be necessary in order for organizations and teams to secure PHI. Everyone in the organization including BAs must never leave PHI unprotected nor leave PHI behind unattended. The entire team must be on-board using project management skills, workflows, technology, creative ideas, team building, and accountability to make it all work together to secure PHI while catching a PHI thief.