How to Avoid Exposing Patient Data
Key Steps to Preventing Unusual Breaches
A recent breach incident at Memorial Sloan-Kettering Cancer Center highlights the difficulty in determining where all sensitive patient data resides - and making sure it isn't exposed.
The cancer center recently discovered that unencrypted patient information had been embedded in charts within PowerPoint slides that were available on two professional associations' websites (see PowerPoint Charts Led to Breaches).
Protected health information can turn up in a variety of places beyond electronic health records, including PowerPoint presentations, spreadsheets, word processing files, and other user-generated content.
To pinpoint the location of patient information - so it can be removed or encrypted - experts advise using data loss prevention technology.
"One of the really interesting things DLP can do is it can help to scan your environment and inventory that kind of data, even if it's embedded out in things like Excel files," says Melodi Mosley Gates, an attorney specializing in cybersecurity and healthcare regulations at law firm Patton Boggs LLP. "It's not a simple process. It can be a lengthy one, but it can be very helpful."
Gates explains that DLP "can be pointed at a shared server where work groups keep their spreadsheets and their documents and that kind of thing, and can scan that content in an automated kind of way and come back and say, 'Here are the hits we have for data that looks like it might be protected health information or looks like it might be a Social Security number.'"
But to avoid inadvertently exposing patient data online, as in the Memorial Sloan-Kettering case, organizations should take several steps, experts say.
For example, to guard against exposing data embedded in PowerPoint presentations posted on the web, the files should be converted to PDFs, which won't allow any buried data to be uncovered or manipulated, says security consultant Rebecca Herold of Rebecca Herold & Associates.
But staff members need training on appropriate uses of patient-identifiable data to avoid having sensitive information show up in presentations.
When healthcare organizations conduct HIPAA-compliance training, even when it's a refresher session, "it's good to remind people to think carefully about what they put into files" - and especially those documents that are shared with others, Gates says.
Those preparing presentations, for example, should carefully consider whether "the objective of the presentation can be met using aggregate or de-identified information," Gates says.
But using de-identified data requires caution, Herold stresses. Under HIPAA, 18 identifiers are considered part of protected health information, she notes, so all of those should be eliminated.
Even if a patient's name, address, Social Security number and other identifiers are removed, it's possible that the patient could still be identified in certain circumstances, she points out.
Organizations should consider creating a process for reviewing the materials that staff members plan to include in presentations, Gates says. That process should include a careful review of documents for embedded data, especially if the material might be posted to a website or shared with others.
"Lots of organizations have people who watch over brand and consistency of message," Gates says. "But if you also build cyber-risk into the process, you can have prevention without a lot of expenditure."
Healthcare organizations often use PowerPoint presentations to train nurses, physicians and other staff. But these are often created by clinicians or others who lack technical expertise, Herold says. As a result, slides from previous presentations may be re-used without checking whether they include embedded data.
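A pre-publication check for embedded data of the kind described above can be partly automated. The following is an added example, not code from the article or from any DLP product: it assumes the Office Open XML layout in which a chart's source workbook travels inside the .pptx under ppt/embeddings/, it looks only for Social Security number-shaped values, and the sample deck is constructed in memory.

```python
import io
import re
import zipfile

# SSN-shaped values (NNN-NN-NNNN); a real DLP rule set would cover more identifiers.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def scan_ooxml(data, path="", depth=0):
    """Return (part_path, hit_count) for every part holding SSN-shaped text,
    descending into embedded OOXML packages such as chart workbooks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            where = f"{path}!{name}" if path else name
            if depth < 3 and zipfile.is_zipfile(io.BytesIO(blob)):
                # e.g. ppt/embeddings/*.xlsx: the workbook behind a chart
                findings += scan_ooxml(blob, where, depth + 1)
            elif name.endswith((".xml", ".rels")):
                hits = len(SSN_RE.findall(blob))
                if hits:
                    findings.append((where, hits))
    return findings

def embedded_packages(data):
    """List embedded files that travel with the deck regardless of content."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        return [n for n in pkg.namelist() if n.startswith("ppt/embeddings/")]

def build_sample_deck():
    """Constructed sample: a slide that shows only a chart, plus the
    embedded workbook that still holds the rows behind it."""
    wb = io.BytesIO()
    with zipfile.ZipFile(wb, "w") as z:
        z.writestr("xl/sharedStrings.xml",
                   "<sst><si><t>Patient A</t></si><si><t>000-12-3456</t></si></sst>")
    deck = io.BytesIO()
    with zipfile.ZipFile(deck, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld>Outcomes by cohort</p:sld>")
        z.writestr("ppt/charts/chart1.xml", "<c:chart><c:v>42</c:v></c:chart>")
        z.writestr("ppt/embeddings/Microsoft_Excel_Sheet1.xlsx", wb.getvalue())
    return deck.getvalue()

if __name__ == "__main__":
    deck = build_sample_deck()
    print("embedded:", embedded_packages(deck))
    for part, hits in scan_ooxml(deck):
        print(f"{part}: {hits} SSN-shaped value(s)")
```

The report names the part and the number of hits rather than echoing the matched values, so the scan output does not itself become a copy of the sensitive data.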
Smaller organizations with limited staff resources might need outside help with risk assessments to ensure that sensitive data - including information in presentations, documents and spreadsheets - is safeguarded, suggests Mac McMillan, co-founder and CEO of IT security consulting firm CynergisTek Inc.
And all hospitals and clinics should designate someone to control what gets posted on their websites, McMillan adds. That person should have access to tools, such as DLP, "that can look for different types of information buried," he says.
McMillan warns: "There are people out there who troll sites" looking for documents that have embedded PHI or other exploitable information.