By Thomas J. Moore, MD; Quinn R. Shamblin, CISM, CISSP, PMP, GIAC GCFA; Sumit Sehgal, CISSP, CISA; Robert Sprinkle, MS; Stanley M. Hochberg, MD; and Ravin Davidoff, MD
This article has three sections:
We have all heard the stories of hackers stealing personal data stored on computers. In December, Target retail stores lost financial and personal data on over 100 million of their customers. In January, Neiman Marcus also announced credit card data theft of nearly 1.1 million customers. The thieves use the stolen information to make fraudulent purchases or access bank accounts. The results can be devastating. Experts are estimating that it will cost Target approximately $1 billion to meet their liability responsibilities for the December credit card theft.
Theft or loss of medical data is also common. Any data loss affecting 500 or more patients must be reported to the Department of Health and Human Services, and there have been over 800 breaches of this magnitude in the last four years. Twenty-five of these were in Massachusetts, including several well-known Boston hospitals (not us). Some of these breaches are due to high-tech hacking. But most are mundane: loss of a laptop or theft of a smartphone. In a case involving Mass General Hospital, an employee left paper records on the MBTA that included information on 192 MGH patients. MGH and the MGH physician organization paid a $1,000,000 fine to HHS for this infraction.
Here at BMC and BU Medical Campus, we are continually making changes to reduce the risk of data breaches. The large patient databases at BMC and at the Goldman School of Dental Medicine are protected from malicious hackers by layers of central administrative, physical, and technical safeguards. But, as shown in the figure below, hacking is not the major reason for medical data breaches. This article will address what we--as departments, providers, and researchers--can do to prevent patient or research subject data breaches.
Figure 1. Types of events causing PHI data breaches.
From Third Annual Benchmark Study on Patient Privacy & Data Security. Ponemon Institute, LLC. www2.idexpertscorp.com/ponemon2012/
1) Unsecured “Personal” Patient Databases or Spreadsheets
Databases and spreadsheets containing patient information or research data are created by individuals for many purposes and typically thought of as someone’s “personal” data set. A department may want to track outcomes for a certain patient group or procedure, so they create a file where they store that information to keep it readily available for analysis. Some providers keep a file of names, diagnoses, and contact information to make it easy to contact patients with a certain medical condition. Researchers collect a variety of information during a study and then keep those data in a database or spreadsheet after the study is finished, planning to use the data to answer new research questions in the future.
But each of these “personal” data sets contains patient information that is considered protected health information (PHI) by HIPAA Privacy and Security rules (see table of PHI below). If a department or provider has a database with PHI and it is stored on an unsecured device, then those data are vulnerable to theft or loss.
One way to avoid breaches is to de-identify the data by stripping all the HIPAA identifiers. De-identified data can still serve many quality assurance and research purposes. Furthermore, de-identified data are not considered PHI and, therefore, are not subject to HIPAA privacy and security regulations.
“Personal” databases should only be stored on secure devices which are password protected, and the device itself is encrypted (see below for more detail). These precautions make the data less vulnerable to hacking, to access by unauthorized individuals, and to loss of confidentiality if the device is stolen or lost.
Finally, keep a careful inventory of what data are stored in a given file and on a specific device. If a device is then lost or stolen, we will then know what type of information has been lost and from how many patients. These factors determine whether BU and BMC are required to notify the patients, HHS, and the public.
2) Loss or Theft of Unsecured Devices Containing PHI
Laptops, tablets, smartphones, and flash drives allow PHI files to be portable. One can work on them anywhere--and, of course, one can lose them anywhere as well. This is the most common cause of PHI breaches (see Figures). The best advice is don’t store PHI files on portable devices. But if you must, at least be sure they are password protected and encrypted. When devices are password protected and encrypted, the risk of an unauthorized person accessing that PHI is greatly reduced. Both BU and BMC are already installing encryption software on devices purchased with institutional funds (department, grant, etc.). If PHI will be stored on personally-owned laptops, phone, or flash drives, it is the owner’s responsibility to add password protection and encryption to that device. (See Section III. below for details). Be aware that simply deleting PHI from a device does not truly remove those data. They can still be recovered. The drive must be scrubbed (re-formatted) to remove the data.
Figure 2. Types of devices that have been lost or stolen and compromised confidentiality of PHI.
3) Only Trained Individuals Should Have Access to PHI
Patient databases can be an invaluable tool for teaching students and other trainees how to analyze datasets. It is tempting to copy a PHI file onto students’ laptops so they can work on the data wherever and whenever is convenient. Even if you transfer PHI to an encrypted laptop, there is risk of data breaches if the student has not had formal training in protecting the confidentiality of PHI. An untrained student may move the file to a different, non-secure device, or even share the file with another student who has non-secure devices. Or, the student may email the file using a non-secure email program. Each of these actions increases the risk of data breach. But that risk can be reduced if all trainees who are given access to PHI data are thoroughly instructed about what they can and cannot do with those data. Training also ensures appropriate “authorization” is provided to individuals handling the data. Under HIPAA, having “access” does not always mean you have “authorization” to view or store PHI.For more information on how PHI is to be handled and the BU/BMC policies regarding Information Security, see the BU information security website: http://www.bu.edu/infosec/policies/ and Section 40 on the BMC Policy & Procedure website: http://internal.bmc.org/policy/.
There are a few simple things that you can do to protect patient and research subjects’ information. Further details about all these security measures can be found at:
1) De-identify your data. If you completely remove all 18 HIPAA identifiers (see text box above) from your dataset, the remaining data are not considered PHI according to HIPAA. And the loss of de-identified data is not considered a HIPAA data breach. For example, if you are keeping the dataset to allow you to follow patient outcomes after a certain procedure, then you can still de-identify the data. Each patient can be given a unique identifying number, and you can keep a master code connecting that number to a specific patient. At any point, you could update your outcomes data by reconnecting the patients using the master code. Then, again de-identify by severing the connection to the master code. The master code should be kept on a separate computer from the de-identified dataset. If you have PHI that was collected for research purposes, Linda Rosen, our research data warehouse manager, can assist you in de-identifying your data for a reasonable fee (http://www.bumc.bu.edu/ocr/clinical-research-clinical-warehouse-data-access/).
2) Securing your devices. Every device that holds PHI should be password protected and encrypted. This includes desktop and laptop computers, tablets, phones, and flash drives. BU and BMC will encrypt devices that they “own” (i.e., purchased with grant or departmental funds). If you are not sure if your institutionally-owned device is encrypted, then call the BU or BMC IT Service Desk at 617-353-HELP or 617-414-4500).
For devices that you purchased independently, it is your responsibility to password protect and encrypt them. Fortunately, this is easier than it sounds. For iPads and most phones, when you activate password protection, the device is automatically encrypted. Most Macs and PCs have encryption built in--you just have to activate it. BU and BMC IT have created a website that provides device-specific instructions for how you can secure your devices with password protection and encryption. Even if you don’t have PHI on your devices now, we suggest you password protect and encrypt them anyway. That way, you will be prepared in case you want to load a PHI file in the future. If you receive emails with patient identifiers, then those emails should be received on a secure device.
Flash drives can be encrypted either with the encryption software provided by BU or BMC or with other trusted encryption solutions such as TrueCrypt (also free).
Click on this link and secure all of your devices as soon as you can.
3) Never share your password. Every person needs to have his/her own account and password for accountability purposes. If something occurs and your password was used, you are responsible. Don’t share your password with your students or research assistants; and don’t write your password on a piece of paper next to the computer.
4) Use only secure email. Do not use Gmail, Exchange or other regular mail systems to send PHI. BU provides a secure email solution known as DataMotion SecureMail. While BMC has deployed technology that should automatically detect and encrypt BMC email containing PHI sent to non-BMC email addresses, it is safer to encrypt messages by adding the word “secure” in the subject line before sending PHI outside BMC. For large file transfers, BMC provides a secure file transfer option that you can sign up for by calling the BMC Service Desk at 617-414-4500. Do not forward messages from secure email to your regular email like Outlook, Exchange, or Gmail. Those are not secure systems, and it is possible for an unauthorized person to read any message you send.
5) Access PHI through a secure connection. When you are off-site, use an approved secure remote access method when accessing sensitive information. Information sent across the Internet can be easily read by other people, unless it is protected. Secure remote access solutions encrypt that information during transmission. This is especially important when using free, public wi-fi hotspots and when traveling internationally. To set up secure remote access at BMC, you need to call the BMC Service Desk at 617-414-4500. For BU Remote, please visit the website for instructions.
6) Train everyone who handles PHI. Before you share PHI with anyone, be sure their devices are secure and that they understand their responsibility to protect the data. They should not download the data onto an unsecured device, send it via non-secure email, or share it with anyone who does not understand their responsibility to protect the data. Asking everyone who will handle PHI to read this article would be a good place to start.Again, here is the link to what you need to do to secure your devices: http://www.bu.edu/infosec/howtos/securing-your-devices/.
When patients and research subjects allow us to collect and store private information about themselves, they have a right to expect that we will keep those data secure and use them only for clinical and research purposes. Although the data belong to our institutions (BU and BMC), when we put those private data on our devices, we become responsible for respecting that expectation of privacy and protecting the security of those data. You can fulfill that responsibility by following the advice in this article; securing your devices; and, if you have to transmit those data, by doing so in a secure manner. Finally, if you have colleagues who may store PHI on their portable devices but who don’t routinely read this newsletter, then please ask them to read this article and follow its advice. Protecting the privacy and confidentiality of patient and research subject data is a responsibility that we all share.
This Quiz applies to the current recertification period from July 1, 2013 to June 30, 2015. We recommend that you take this quiz now so you can stay up-to-date.