Assessing Healthcare Security Incidents
Software Helps Measure the Impact for HITECH Reporting
In an interview (transcript below), David Parks, operating counsel and regulatory compliance and privacy officer at Alegent Health:
- Describes why the eight-hospital system decided to serve as a beta site for a healthcare security risk assessment and reporting application to help with HITECH Act compliance;
- Outlines how the application is helping the organization objectively measure the risk involved in healthcare security incidents and track all cases;
- Notes that security incidents at Alegent so far have involved primarily internal cases of non-malicious negligence;
- Warns that incidents involving paper records, verbal communication, blog posts and social media comments pose serious potential risks;
- Describes the organization's use of breach prevention technologies, including data loss prevention software, encryption of mobile devices and social media and Internet monitoring tools.
Parks, an attorney who has worked at Alegent and its affiliated organizations since 1994, was originally educated as a medical technologist and clinical laboratory scientist. He holds certification in healthcare privacy and security from the American Health Information Management Association.
HOWARD ANDERSON: I understand your organization was a beta test site for a security risk incident assessment and reporting application. Tell us why you decided to be a test site for this software, and what did you learn from the test?
DAVID PARKS: Well, the RADAR system was something that ID Experts was working on, and we had an existing relationship with ID Experts for breach prevention and breach response services. So, knowing a little bit about us, and having an existing relationship, ID Experts and their design team specifically asked if we would be interested. And we thought it might be a good thing to take a look at, given the specific goals of the software. The application, really, was designed to help health systems do risk analysis on breach incidents or data loss incidents. And as you know, we are required under the federal HITECH Act breach notification rules to do a risk of harm assessment to determine whether or not we need to notify patients, and if necessary, send an immediate notification to Health and Human Services and the media. ...
This gave us an opportunity to see if there could be a consistent, objective method of doing that risk analysis. So, we decided, sure, we'd participate in beta tests, and see what that would look like. What did we learn from the tests? I think we learned a couple of things. There is a much better way to look at the individual incident level of risk than doing it ad hoc for each and every incident. An individual that does this job, such as myself, a privacy officer ... can look at some objective criteria. For example, the Office of Management and Budget has a memorandum from back in 2007 that helps establish, "Here are some things that you can look at to see if there is significant risk of reputational harm, or financial harm, medical harm," that sort of thing. But still, at the end of the day, it's an individual or a group of individuals subjectively weighing whether this is really a significant incident or not.
What the test allowed us to see is that there can be an objective way to measure that risk, so that whether the privacy officer in an organization is doing that risk assessment or the chief information security officer or a group of people, or if they are not around, somebody else, you can get to the same result. That was an eye-opener for us -- that there is a way to methodically take a look at facets of the information that was lost or breached and come up with a numerical, objective level of risk.
At the same time, what we learned is the RADAR program was flexible enough that it didn't prescribe that you had to do breach notification, or prescribe that an incident reached a significant level of risk. It was more of a recommendation, and based on the circumstances, you could adjust what it would automatically spit out, and then it would provide a place for you to document why you made those changes. So it did help us to see that there is a way to objectively measure that risk, and have it not be so ad hoc and subjective, based on the person grading that risk.
Documenting Breaches
ANDERSON: So are you now rolling out the application throughout the enterprise? And how do you plan to use it to help document information about data breaches and then track the breach notification process moving forward?
PARKS: ... At Alegent Health, right now, it is still really centralized with me at the moment. ... From my experience, in talking with other privacy officers and information security officers across the country, one of our challenges with the whole breach notification process and incident analysis is having a way to track those cases as they come up, so they don't fall through the cracks. We all have come up with different ways to hold that information in secured files with auditing that shows who is going in and out of them. But many of us struggle with doing it in a way that we can easily take a look: "Oh, let's see what cases we have currently, and which ones we still have to get a decision out on, when we need to get letters out to the victim." RADAR, in its current iteration, was a good first step into, at least, cataloguing and inventorying all of those events as they occur, so that we can make sure that we don't forget about a case. Because, as you would imagine, in a place with the scope that we have, or even smaller locations where people have a lot more tasks than I have, it is really easy to lose track of the cases that you are working on.
ANDERSON: So to make sure that I understand this correctly, has the beta test phase ended, and are you using the application on a limited basis on the corporate level now and considering eventually expanding its use?
Assessing Security Risks
ANDERSON: Tell us more about how the application helps you assess the severity of an incident to decide whether it merits reporting.
PARKS: Well, the way it really works is it allows you to put in all the facts of the incident, to the extent that you are aware of them, and if you are not aware, then to put that into the application as well. It takes a look at the nature of the data elements that perhaps had been lost or breached, and the number of individuals affected, and how accessible or usable that information is in the form that it was lost -- their value to somebody to misuse them. And for each one of those elements, there is a score that is adjustable for financial harm, reputational harm and medical harm. The application takes a look at all of those things that you have put in, and at the end of its assessment, puts the incident on a heat map, with an X and Y axis, and a certain part of that grid would be in, let's say a "red zone," where you would definitely consider that the data and the significance of the information that was either breached or lost is such that it reaches the level of breach notification. And there is a yellow zone where there's a little bit more subjectivity to it, and then a green zone, where the application would recommend that it is essentially not a significant loss or breach and there is no breach notification required.
The other thing that it does, besides just helping to do that risk assessment in an objective way, is it allows you to inventory all of the cases that you are working on. You can go back to them and take a look at them, and if you decide that this is a situation where the application maybe felt that it was not something that you needed to do a breach notification on, but the privacy officer or whoever is doing the actual working of the case knows that the patient believes it was significant, you can decide to do a breach notification and log that information into the application and enter comments as to why you decided to deviate from the recommendation of the application.
So it provides a place for you to track your breaches, it helps to do the risk assessment in an objective way and it also has a place for you to document your ultimate decision and logic. Because two to three years from now when a situation may come up and you may need to look back, the information is there.
Breach Incidents
ANDERSON: So far, in general terms, what has been the experience of your hospitals and other facilities with data breaches, and what have you learned from those experiences?
PARKS: The largest percentage of those data losses and breaches are non-malicious. They involve negligence, but, initially at least, the individuals involved didn't intend to cause harm. There wasn't reckless disregard of company information security or privacy policies or intent to do bad. But the unfortunate thing is that those breaches and data losses do occur, and often, even though the intent might not have been to create any harm, there are powerful consequences that may come from it. We have also seen that the large focus, of course, in HIPAA and the HITECH Act, is the electronic world. But there is still an awful lot of paper out there. And there is a lot of verbal communication, which also causes breaches. ... And there seems to be an explosion of potential risk out there in the world, the explosion of blogs and social media, etc., as an outlet for breach. So ... as we move into a social media or blog-type environment, it's an area where we are seeing more and more breach opportunities that we have to be conscious of. ...
Security Technologies
ANDERSON: Finally, to wrap things up, tell us briefly some of the key steps you are taking to prevent breaches and what technologies are playing an important role in that.
PARKS: Some things are core to any compliance program -- really making sure that members of the workforce and business associates are fully aware of what their obligations are, what the rules of the road are ... and providing effective, efficient education and awareness. ... We are also working with our intranet and some of our corporate communication folks to really help with news articles that used to be on perhaps flyers and posters. ...
As far as technologies that our information security and IT department are employing, they have data breach protection solutions that they have purchased for our server and storage, and soon for our network and eventually end-point data leakage protection solutions. We also have some encryption strategies in place right now. It's really focused on our mobile devices, which are what we have considered to be at the most risk.
We are looking at application auditing; we don't have automated programs in place yet. We work with our IT department to design certain programmatic auditing processes for us. But they are very labor-intensive. So we are looking at some solutions there.
With all of those, the data leakage protection, the encryption strategy, application auditing, we are trying to look for behaviors and problems before the breach occurs. ... And we do use some social media monitoring tools and Internet monitoring tools. ... So we are looking at what is being put out there on blogs, Facebook pages, Twitter, that sort of thing. Because we will then be able to identify when Alegent, or any of the Alegent patients or facilities, are being mentioned, and maybe be able to catch something on a publicly facing site that we might be able to nip in the bud if we feel that there is perhaps some breach potential there.