Tips for patient data security: Policies, education, funding

Recent news broke of patient data breaches across the country, including one at Beth Israel that could affect more than 2,000 patients. FierceHealthcare caught up with Andrew Lenardon, director of indirect and solution sales for North America at Shred-it International, an information security and document destruction company that works with 1,500 hospitals and thousands of clinics, to discuss patient data security challenges faced by hospitals.

FierceHealthcare: What are the patient data security issues at hospitals?

Lenardon: There's a lot, to be blunt. Some of the security issues are employee awareness and management support. If your employees aren't aware of the security issues or the security protection requirements, that's a big problem. If the management isn't supporting those policies or creating those policies in the first place, that's a huge issue, as well.

Some other areas that hospital executives need to think about are how they're handling the hard drives in copiers, laptops, and external storage devices, as well as confidential paper and disposing of that information in a secure manner. You have to think about things like patient records being sent to the wrong places. You also have to think about non-paper issues, such as patient health information that is on plastic--like patient cards--that gets misplaced. You also need to think about medical files that are left unattended. Having a complete lack of security on some hospital floors is a big issue, where you've got people coming and going within a hospital setting that are not background checked and not employees of the organization, and they can walk right into those environments. That's a very large physical access issue that leads to breaches.

FH: What are some security gaps Shred-it finds at healthcare organizations that might surprise hospital executives?

Lenardon: One of the things that hospital executives don't think about is how they're educating their staff and training their staff to be compliant with the rules, processes, and protocols for secured document destruction. That's a big gap. It is something they should have thought of but aren't really spending a lot of time on.

Another surprise would be that their employees don't understand the policies, so employees are using their own discretion to decide what's confidential and what's not. Hospital executives go around and see bins labeled "confidential waste" and "non-confidential waste"; yet there is confidential information in non-confidential bins on a regular basis. They think they've put out a policy and that's that, but it's not followed very well.

There are organizations like the World Privacy Forum that estimate the number of medical identity thefts to be somewhere between 250,000 and 500,000 reported cases per year. When you take into account the average breach can cost as high as $200 per patient, you've got millions and millions of dollars that are at risk for an organization when they have a breach. And that is a big surprise to healthcare execs, because I don't think they realize how big the problem is.

FH: What should healthcare professionals do and not do after a breach has been discovered?

Lenardon: Well, what they should do before a breach even comes close to happening is have a policy in place to tell them what to do and what not to do. They should have a place where employees can easily go to refer to what to do and what not to do.

But in the absence of that, what you definitely should be doing is notifying the appropriate individuals within your organization that a breach has occurred. You've got restrictions around what is considered to be a reasonable delay for notifying authorities, depending on the jurisdiction. You can't sit on it.

You definitely want to notify the appropriate authorities within your hospital, and that person should be notifying the media to tell them what's occurred and what the organization is going to do about it. If a breach involves more than 500 individuals in a single state or jurisdiction, then there is various legislation that requires healthcare organizations to notify prominent media outlets.

Another thing to think about is notifying the U.S. Department of Health & Human Services. Covered entities are required to report all breaches of unsecured patient health information to that department.

Also, the individual that has identified the breach must let their folks know internally. Then if the individuals involved, like patients, are identifiable--which is usually why there's a breach--those people need to be directly notified.

In terms of what they should NOT do:

1. They should not withhold information because of the legislative requirements with regards to large breaches.

2. They should not have a delayed response because that, aside from being bad in general, can put them in violation of the legislative requirements.

3. They certainly should not lie or attempt to cover up because there are serious penalties if you are found to be acting illegally.

All of these situations should be taken very seriously. I would add that if employees come across a breach, they should not speak to media directly, unless they're the authorized person within their organization. That can be extremely damaging if the wrong things are said.

FH: Based on that list of what NOT to do, what is the most common mistake hospitals make?

Lenardon: I would suggest it's actually before a breach occurs. If they don't have a policy in place, then they are going to be very hard-pressed outright. What organizations should be doing is recognizing that a breach is very likely. There are humans involved, and they make mistakes; there are people who go in with intent to hack. These things are going to happen to a large organization over time. So the best thing to do is have a policy about what to do if a breach occurs, and then you don't even have to worry about what people are not doing right.

FH: What are the dos and don'ts for ongoing risk analysis at hospitals?

Lenardon: Basically, you're analyzing where your current gaps are. I break it down to four different components.

1. Identify where you have problems.

2. Put a plan together to mitigate those problems.

3. Decide the mechanism by which you determine whether a problem has occurred.

4. Maintain an ongoing process of reassessing; it's not just once and done.

To that, I would add that hospitals have a committee of people that are responsible and accountable for those activities. That comes from a variety of roles within the hospital, whether it be risk and compliance, physical security, information security, facility management, legal, and an executive sponsor. Those are the best practices that organizations are figuring out today to ensure that they have a cross-functional team to understand what the risks are for various parts of the organization.

FH: What steps can and should hospitals take to protect patients' private data?

Lenardon: No. 1, they should correctly identify the unique security challenges of their own organization. So, while a hospital is a hospital is a hospital, the policies within each hospital are going to make their challenges different from another's.

Second is physically securing data. You've got a myriad of data formats, everything from electronic formats to paper formats to charts. Examine what are those risks, how real are those risks, and weigh them against the cost-benefit of securing the information.

Integrating and managing the scale of e-health applications is a big issue that organizations need to take into account when they're securing patients' private information. You've got a very strong movement in the healthcare industry to get to electronic patient records, so if you're not properly securing those environments, you've got a problem. Folks are more than willing to spend the time to hack into those systems, so those need to be properly secured.

But hospitals still have a ton of paper. Although everybody wants to go digital, there's no shortage of paper. A really important step to secure patient private data is to move to a shred-all policy. That takes the discretion out of the employees' hands of what is confidential and what is not. A lot of organizations are saying they don't even want a person to think twice about what is and isn't confidential, so just treat it all as confidential, and you'll eliminate the risk. It's what hospitals and all of corporate America should be doing.

Lastly, one of the biggest and hardest steps that hospitals can take is to secure funding to get the proper systems in place, the actual day-to-day activities, and the management oversight systems to make sure that they're compliant. There are lots of ways to go about finding budgets these days by freeing up wasteful spending. Taking that existing funding that's being spent in the left hand and moving it to the right hand to make sure that you're securing your patients' private information is a really important step. You must do this, and there is opportunity to shift your spend from wasteful spending to funding things like compliance.

There's a fear out there that [a shred-all policy] is going to cost a lot more. But the reality is it doesn't, as there's a lot of capacity in shredding containers that can be used.

Organizations should keep in mind that by not having a shred-all policy, they're keeping themselves exposed to a higher risk of breach. And if and when that happens, the costs of that breach are far, far in excess of doing a shred-all policy. The average cost of breaches is in the neighborhood of $6.6 million; that's direct costs and productivity costs. But the cost of a shred-all policy might be in the few thousands of dollars range, if it even costs extra.

FH: Any additional advice for hospitals?

Lenardon: I would like to emphasize that securing documents can save costs. Certainly you can work with vendors to get a lower price. But at the end of the day, you don't want to be cutting costs so much in this area of your business that you're introducing additional risks by doing so. You want to balance your costs and your risks.

And doing it right not only protects against costs, but protects the brand reputation of the facility. A breach at a well-known healthcare facility hurts it in the community.

A mistake that a lot of hospitals make is they relegate this portion of their business to their procurement department to get the lowest possible cost, which may not always be the wisest decision. You need to bring into the equation the compliance officer, the security officer, and an executive within the organization that is accountable if there's a breach. Just having a procurement person do their best job may add risk to your organization that the other roles would counteract to make a better decision than just cutting cost. 

Andrew Lenardon is the director of indirect and solution sales for North America at Shred-it International, Inc., where he leads a team of professionals in helping clients improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities, such as information security, compliance efforts, and business efficiency.

This interview has been edited and condensed for clarity.