Tag Archives: Q & A

Where is your ePHI hiding? A data discovery/data loss risk assessment will tell you

One of the most recent cases of a data breach comes from what, on the surface, may appear to be an unlikely source: PowerPoint charts derived from ePHI-rich source data, embedded in a professional presentation, posted on the websites of two medical associations, by one of the world’s leading cancer centers, Memorial Sloan-Kettering. See the full story here: http://www.healthcareinfosecurity.com/powerpoint-charts-led-to-breaches-a-4868.

While that may seem like a complicated “it cannot happen to us” scenario, think again. How many of your esteemed clinicians conduct research, present, and publish? Not so many? Let’s try another scenario then. How many of your employees create, access, use, manipulate, analyze, or transmit ePHI to perform their duties? Have you implemented technical controls that prohibit your employees from moving ePHI from what may be fortified assets to less fortified assets, like a USB drive or workstation hard drive? In our ten years, we have not met a client yet that is not struggling to understand just how distributed ePHI has become in their environment and to gain control over it.

The HIPAA Security Rule is clear: Covered Entities need to have control of their ePHI and safeguard it appropriately. To gain control, one has to know where it is first. For many, the challenge lies within unstructured data on employee workstations, file shares, and portable media: the documents, spreadsheets, and databases that employees have created. Such is the story with Memorial Sloan-Kettering. But it could very likely be your organization’s story too.

Manual efforts to locate ePHI across the enterprise are fraught with inefficiency and inaccuracy. As introduced in this follow-up article (http://www.healthcareinfosecurity.com/how-to-avoid-exposing-patient-data-a-4891), Data Loss Prevention (DLP) solutions can not only help organizations effectively discover ePHI across the enterprise but also enforce rules and policies to prevent data loss and data leakage.

For nearly three years, CynergisTek has offered clients a structured and affordable way to discover ePHI across the enterprise and measure data loss/data breach risk by monitoring data-in-motion for a defined period of time. Contact us (http://blog.cynergistek.com/about/contact-us/) for more information or to request a quote for this service.


Business Partners: A New Risk to Health Data Security?

by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article here: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx