Chris Apgar – CEO at Apgar & Associates, LLC
Andy Nieto – Health IT Strategist at DataMotion
Data security has certainly been a hot topic in recent months, especially in the healthcare industry. In today’s HCCA webinar, Chris Apgar and Andy Nieto discuss the need for data encryption, and where some of the industry’s key risks lie.
The first, and sometimes most daunting, question is where to start when deciding how to protect your organization from data breaches. One of the most important steps in this process is to assess the risk. When assessing your organization’s risk, keep in mind that, in the event of a breach, encryption is typically considered a reasonable safeguard. In other words, you’ve got to do it! In the past, OCR has fined entities for lost, unencrypted laptops, and has emphasized the need for encryption in the 2014 HIPAA/CLIA Rule.
A second point that was brought up during the session is the importance of investigating where the organization stores its data. Mr. Apgar told an interesting anecdote about conducting an assessment for a healthcare provider that insisted none of its patient data was stored on workstations. However, upon investigation, it was found that around 75% of the workstations stored PHI. Investigating where patient data is stored is definitely something that should not be overlooked when assessing an organization’s risk and deciding on an encryption policy.
A third consideration is whether vendors are inadvertently putting your organization at risk. When engaging key vendors, a best practice is to inquire about their security policies and processes on a routine basis. Vendors can unintentionally put your organization at risk, no matter how well your own internal security and encryption policies are implemented.
A fourth point of emphasis is the importance of having and maintaining a “bring your own device” (BYOD) policy. The mobile nature of the world we live in opens an organization up to a whole host of data breach risks, especially when employees are using personal devices to access PHI. A study was presented that shows about 96% of physicians use a smartphone as their primary device to support clinical communications. Encryption of patient data is especially important in these situations.
As our world becomes more mobile, the policies must change to accommodate new technology and practices. When designing and updating policies, it is important not to overlook the data that is “in motion” and be sure to account for encryption and security protocols in those situations as well. Training on such policies is crucial. OCR reminds us to employ a “culture of compliance” and be sure that employees are aware of the organization’s policies, and that the policies are enforced. Having a policy that is not enforced puts the organization at risk as much as not having a policy at all.
Finally, there are budgetary considerations. An informal study has shown that the average cost of a breach is around $201 per compromised document. This does not take into account any potential fines that may follow for HIPAA violations. Given that a data breach can be costly, not only to an organization’s budget but to its reputation and customer base, it is important to weigh these factors carefully when choosing encryption and policy implementation strategies.
The key is to find the encryption solution that works best for an organization’s culture, and of course – implement.