I was talking with one of our staff the other day after their trip to the dentist, and they were telling me something that blew my mind. Their dentist had them in the chair and was making dentist chit-chat while they were working on my colleague’s teeth.
They needed some treatment data on my colleague from a previous appointment at a branch of the same dental practice across town. To get it, they asked the staff at the other site to email or text over the information. Neither unencrypted email nor ordinary SMS text messaging satisfies the HIPAA Security Rule's transmission security standard, which requires a covered entity to guard ePHI against unauthorized access while it crosses a network. Sending protected health information (PHI) in the clear is not just a likely HIPAA violation; it is simply unwise.
Your PHI is essentially a snapshot of who you are. The health record entrusted to your care provider includes vital statistics, detailed test results, social security numbers, addresses, current illnesses, medications you are taking, or (in the dentist's case) x-rays and treatment of your mouth. All of this is an intimate look at you as a person and should not be shared in any manner the information's owner (the patient) has not been told about and is not comfortable with.
While it seems unlikely that there is a market for pictures of your teeth and gums, the episode shows a general disregard for the proper handling of medical records. Health information leaked this way is exactly the kind of data an attacker can sell or use for insurance fraud.
How HIPAA Compliance Relates to Security
The HIPAA Security Rule treats encryption of ePHI in transit as an addressable implementation specification: a covered entity must either encrypt the data before it is transmitted or document why an equivalent alternative safeguard is reasonable, and "we emailed it in the clear" meets neither test. It does not matter that both branches belong to the same umbrella company; the PHI still has to be encrypted before it is disclosed to the staff across town. Sharing data securely is slightly less convenient and a bit more time-consuming, but every record shared this way belongs to a human being who could be dramatically affected if it leaked into the wrong hands.
At the end of the day, that is why security matters: it protects people's information. If that is not enough of a motivator, organizations that suffer a breach in the healthcare space are typically penalized heavily. You are probably familiar with the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), which routinely imposes large fines and publicly lists breaches affecting 500 or more individuals on its breach portal.
Neither leaking someone’s sensitive information, nor dealing with highly publicized fines is likely something any healthcare organization wants to be subjected to.
Yet, many do it to themselves.
Sharing unencrypted information by text or email puts blind faith in the networks those platforms run over. Are you one hundred percent sure your network is secure? If you are, you are the first company I know of that can say so.
Let’s rethink this.
At a recent lunch meeting, a friend described their company's working assumption: the network is insecure, so anything that crosses it must be encrypted. Anything that is not is assumed to end up with bad actors, who will hold it until they can put it up for sale. If no network is perfectly secure, how do you feel about your dentist texting or emailing your PHI to another clinic? Add the number of personal devices in use around the office and the ease with which networks and Bluetooth-enabled devices are compromised, and simply texting or emailing PHI is asking for the data to be stolen.
There is an added layer as well. SMS carries no end-to-end encryption, and the carriers and messaging providers that relay it can retain copies of messages on their servers. If you text PHI, you are not only trusting your own network's security but also exposing the data to a compromise of theirs. If that network is breached, the data is up for grabs, and what started as an innocent, easy text message has put you (and the person the data belongs to) in a bad situation.
So how can we assure our patients that we are not only complying with HIPAA but also, more importantly, protecting the data entrusted to us, the same data that could ruin someone if it got into the wrong hands?
Education and Training
People are the weakest link in every security program. People make mistakes. People bypass technology. People ignore rules.
Those same people can be turned into our biggest strengths with some proper training and education. If we’re not teaching our employees and staff how to properly transmit data from one branch to another, it’s not fair to be mad when they don’t do it the way they’re supposed to. They can’t read minds. We must make a concerted effort as security advocates to show them acceptable ways to transmit data… and what the ramifications are if they don’t.
Until then, we can’t expect them to know.
Policies and Frameworks
The policies, procedures, and access controls you have in place make up the bulk of your security program. They’re what drive the other security decisions you make, and they are what give your employees guidance on the right decisions to make.
Good policies, procedures, and controls are tailored specifically to each individual business, and they are not so strict as to prohibit their employees from completing their work efficiently.
What you then need to measure is whether the controls you have in place actually make your security better and whether your administrative safeguards are effective.
At FRSecure, we have a way for you to gain a detailed understanding of your organization's security. FISASCORE is similar to a credit score, but for your security posture. It is a security risk analysis and assessment that looks at all four areas of controls pertinent to a good security program and objectively measures their effectiveness. It maps to standards such as the HIPAA Security Rule, and the result is a set of scores you can use to show your weaknesses and strengths and to make improvements moving forward.
On top of all that, encrypt your email. It is a little more work, but it adds a layer of protection that pays dividends. One caveat: "encrypted email" has to mean the message content is encrypted end to end (S/MIME, PGP, or a secure-message portal the recipient logs into), not merely that your mail server happens to use TLS to the next hop; opportunistic TLS between mail servers is not guaranteed, and the message sits in the clear on every server that stores a copy. Done that way, encrypted email satisfies the HIPAA Security Rule's transmission security standard for ePHI (electronic protected health information) and is generally a good first step. If the turnaround of encrypted email is too slow for chairside use, consider a messaging app with end-to-end encryption, which gets the x-ray or other record to the other provider in a hurry. Two checks before you trust one: confirm the encryption really is end to end (the provider's servers never hold a readable copy, unlike SMS), and, if the vendor stores or handles PHI on your behalf, have a business associate agreement in place. I said earlier that security is not supposed to keep your employees from doing their jobs, and this is a good compromise for those who want both security and speed.
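To make "encrypt it before it touches the network" concrete, here is an added example. It is not code from the original post, and it is not FRSecure's product or any email or messaging vendor's implementation; it shows what those products do for you underneath. It seals a constructed sample record with AES-256-GCM under a key the two clinics are assumed to have exchanged out of band (the `key`, the sample `record` and the `record-0042` identifier are all made up for the example), so that a carrier or mail server that keeps a copy sees only opaque bytes, and any modification in transit is rejected on decryption instead of being silently accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before it is handed to any network or messaging service.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
// aad (e.g. a record identifier) is authenticated but travels in the clear.
func Seal(key, record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, aad), nil
}

// Open decrypts and verifies. Any change to the nonce, ciphertext, tag or aad
// (or the wrong key) makes GCM fail closed: an error and no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Assumption for the example: both clinics already share this key out of band.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient 0042 | tooth 14 | periapical x-ray 2024-01-05 | restoration")
	aad := []byte("record-0042") // hypothetical record identifier, sent in the clear

	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	// This is all a carrier or mail server that keeps a copy ever sees.
	fmt.Printf("carrier-visible bytes (%d): %x...\n", len(sealed), sealed[:12])
	fmt.Println("plaintext visible to carrier:", bytes.Contains(sealed, []byte("patient")))

	// A flipped bit in transit is detected rather than silently accepted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered copy rejected:", err != nil)

	// The intended recipient, holding the key, gets the record back intact.
	got, err := Open(key, sealed, aad)
	fmt.Println("recipient recovered record:", err == nil && bytes.Equal(got, record))
}
```

The hard part this example skips is exactly what an end-to-end encrypted email or messaging product earns its keep on: getting the key to the other clinic without sending it over the same untrusted channel, and rotating it. The nonce must never repeat under one key, which is why it is drawn fresh from `crypto/rand` per message and shipped alongside the ciphertext.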
It will be another six months before my colleague returns to the dentist's office for their next visit. Hopefully, they can pass this message on to the office staff when they do. This clinic has a long way to go to get where it SHOULD be security-wise. They are not alone, but there are resources and solutions that make securing a practice relatively pain-free. If you would like to learn more about how your practice can properly train and educate its employees, get a framework assessment, work through developing and improving procedures and controls, and get a full risk assessment (FISASCORE) for your business, visit frsecure.com.