As a routine matter of delivering care, billing for services and operating their hospitals and physician practices, healthcare providers deal with patients’ protected health information all day, every day. Dealing with the data becomes routine, and it’s easy for sometimes onerous security and privacy policies and procedures to be overlooked. While we’d all like that not to be the case, delivering healthcare (and getting paid for it) is a hugely complex undertaking, and focusing exclusively on human processes and calling for constant vigilance and attention to detail can only go so far.
So in parallel with policies, procedures and training, it’s also critical to put in place technology solutions that reduce the likelihood that a human oversight results in a data breach. For example, we frequently hear the blame for a data breach being placed on “an outside contractor”, an “outside vendor” or some party other than the provider and their staff. Even without the full details of why the outside vendor had PHI, as a technologist it’s easy to question the need for real PHI for the activities referenced in some of the breach announcements: a contractor doing database design, building an application or dashboard, or doing an analysis of some sort for financial reporting. In any of these cases, masked data that is representative of the real data, but useless from an individually identifiable perspective, could likely be more than adequate for the intended purpose. Yet the use of widely available data masking technologies for test and development data remains infrequent in healthcare organizations. These technologies represent a compelling opportunity to reduce the dependence on fallible human processes and procedures. And from a philosophical point of view, organizations should really have only a single copy of production data – in production no less – and all other uses of data not absolutely requiring individually identifiable patient information should use masked data.
Similarly, many healthcare applications – particularly older legacy systems – do not support adequately granular control over access to patient information, and end users have access to much more information than they need to do their jobs. In these cases, non-intrusive active data masking solutions that obscure individual fields within the application depending on who the end user is should be viewed as essential in reducing an organization’s risk of a data breach. Many organizations also provide outside third parties with access to internal applications for support, outsourced services, or in many instances customer self-service as a matter of convenience. In all of these situations, active data masking should be considered a mission-critical solution for limiting access to only the PHI each user needs, as a means of reducing the risk of inadvertent exposure of PHI.
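The field-by-field, per-user masking described above can be sketched as follows. This is an added illustration, not code from the original article or from any masking product; the role names, field names, policy table and sample record are all constructed assumptions.

```python
"""Per-role field masking applied to a record before it is displayed."""


def _clear(value):
    return value                      # shown exactly as stored


def _hidden(value):
    return "****"                     # fully obscured


def _last4(value):
    return "***-**-" + value[-4:]     # SSN: last four digits only


def _year(value):
    return value[:4] + "-**-**"       # ISO date: year only


# Hypothetical policy: role -> field -> masker. Anything not listed is hidden.
POLICY = {
    "clinician": {"mrn": _clear, "name": _clear, "dob": _clear,
                  "ssn": _last4, "diagnosis": _clear},
    "billing": {"mrn": _clear, "name": _clear, "dob": _year,
                "ssn": _last4, "balance": _clear},
    "vendor_support": {"mrn": _clear, "dob": _year},
}

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {"mrn": "MRN-000123", "name": "Jane Example",
                 "dob": "1980-04-12", "ssn": "000-00-1234",
                 "diagnosis": "E11.9", "balance": "125.00"}


def mask_record(record, role):
    """Return a copy of record as the given role is allowed to see it.

    Unknown roles, and fields missing from a role's policy, are hidden,
    so a newly added column is never exposed by default.
    """
    rules = POLICY.get(role, {})
    return {field: rules.get(field, _hidden)(str(value))
            for field, value in record.items()}


if __name__ == "__main__":
    for role in ("clinician", "billing", "vendor_support", "intern"):
        print(role, mask_record(SAMPLE_RECORD, role))
```

The policy is an allow-list: a role sees a field only when a rule grants it, which is the property that keeps a forgotten rule from turning into an exposure.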
Securing protected health information will always be a combination of people, processes and technology. Part of the challenge today is that it’s way too much of the former two and not nearly enough of readily available technologies to help reduce the risks of human error. Until we as a healthcare industry get a better balance, I fear the incidence of healthcare data breaches is destined to get worse as the volume of PHI in electronic systems explodes over the next decade.