11 September, 2016
It’s 4 am and you get “the call.” The hospital has experienced a breach and electronic health record (EHR) data is printing incorrectly on patient armbands. The first questions you ask may be some of the toughest for people to answer: “What data feeds into the EHR?” “Are there any downstream systems and processes receiving incorrect data from the EHR?” Sadly, the answers are all too often the same: “That’s a good question.”
Fast forward in this crisis scenario. It’s now noon. The investigative team has found that a crontab job affecting a webserver used to register patients in the EHR has been replaced by a malicious file. This is a useful discovery, but it’s only the beginning. To know where to focus their recovery efforts, the team must know what other servers are connected to this one, and whether any of them store PHI or other sensitive information. When PHI is at risk, no one can afford to work strenuously to recover non-essential data. Resilience relies on information security officers (ISOs), chief information officers (CIOs), and relevant business users knowing the system and data use.
To effectively respond to crises like these, business leaders and security officers must have accurate, up-to-date documentation explaining all of the ways information is used during the course of a typical day in order to ensure that all sensitive information is protected and easily recoverable. This knowledge should go beyond basic EHR systems flows, broadly established risks like email and laptop loss, and the limits of HIPAA compliance. It should extend to any informal uses of personal health information (PHI) during day-to-day hospital operations. Any healthcare organization narrowly focused on securing only the expected flow of EHR data is missing many areas of exposure.
Here are five actions an organization should take now to better uncover sensitive information– wherever it may be hiding–during a breach: .
Map clinical and operational processes
The first step is to understand the operations behind the organization and how information flows across the enterprise. Meet with operations and clinical groups to map out data flows for day-to-day business processes. Look also to compliance or internal audit departments for information on these processes.
First and foremost, this exploration will help you act defensively in a crisis. You’ll know if one machine is affected and what machines downstream that store sensitive data could be next. This also gives you the opportunity to take these machines offline and curtail any additional damage. An exercise like this also helps you uncover irregularities in how people are using systems day-to-day, which is a common cause of exposure—and leads us to number two.
Survey your users
While IT systems are often customized to users and business processes, many times large groups of users employ the same system for very different functions. This can lead to supplementary processes or “user workarounds” outside of the system, which create high-risk data flows that are invisible to IT. Frequently survey end users about system usability and processes that may be conducted outside the system. The system maintenance or bug/fix/enhancement request process is also helpful. This can alert you to possible workarounds and data leakage risk.
Understand how paper forms are managed
Are patients still filling out paper forms? If so, it’s important to keep tabs on where these forms are going. Information is often keyed in the EHR, but can also be scanned, sent, and saved to systems. Is this scanned data deleted, or is it saved in a temporary file on the network? Are employees shredding paper copies of this data?
Does the printer itself store these images and data? Checking and limiting printer and scanner settings, as well as overseeing user behavior, is essential to protecting critical data.
Printers themselves are often overlooked sources of risk. Machines across the enterprise may be linked together through the printer. Protect this network hub by limiting access to its many USB ports. If the printer is used to print PHI, like armbands, store the printer in a secure setting like a nurses’ station or behind closed doors.
Review data saved by technical support systems
Patient data may also be lurking in your IT help or service desk systems. When struggling with a technical problem, many users take a screenshot of an issue or alert. Trouble is, they don’t realize that patient data may be in the picture they send.
Review your help/service desk system for this data, particularly if that system is in the cloud, and find ways to strip out this information if possible. This may be challenging since scanning for sensitive data in an image is very difficult. Another helpful tactic is to educate users about the risks of using pictures to request support.
Know how data flows across all third-party relationships
It’s easy to think only about third-party IT vendors, but what about business and clinical third parties that receive the hospital’s data? Ask your clinical and operations teams about any outside vendors with which they work, or outside contractors with which they may share data. Then prioritize protection of this information by understanding the sensitivity level of the data, how the data is shared, and where the data is stored throughout the business process. Most of the data breaches reported widely in the news started with a third party. Tracking the information involved in these relationships is a key step in protecting it.
A comprehensive understanding of where critical data is created, used, shared, stored, and destroyed will help ensure data integrity or loss incidents do not have unnecessary impacts. This should be considered key to any information security program. This is particularly important for healthcare organizations where vast amounts of personal information are in play across complex, sprawling operations—much of it may be hiding where you’d least expect it.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com
