What CIOs Want CEOs to Know About Data Security

To help CEOs combat data security threats, CIOs are actively addressing a number of IT and analytics risks

Over the past few years, the issue of data security has become increasingly important to healthcare industry executives. Yet, how to best identify risk and prevent data breaches remains elusive to many.

To address the very real threats of data security, Chief Information Officers (CIOs) have been aggressively looking at technology innovations, limitations and regulations. Many are aware of options that could help their organizations, but are often stymied due to the other priorities and issues the business may face. However, as threats to data security increase, the need to move that line item to the top of the queue continues to grow.

To help organizations adapt to the increasing threats to data security, CIOs are actively addressing a number of issues to help their CEOs better understand these risks. They include:

  • The realities of data security today, including the source and causes of data threats
  • Where the organization’s biggest threats may lie (it’s not always where presumed)
  • Solutions available today to enhance data security
  • Steps to take (and not take) to improve an organization’s data security profile

Data Security Issues

The key challenges for CIOs and CEOs when it comes to data security include preventing loss, as well as adhering to regulatory mandates and creating solutions that can be quickly and cost-effectively built into operational structures. For example, in 2009, to better ensure the safety of patient information, the government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Under the law, any entity or individual—including health plans, clearinghouses and providers—involved in the gathering or transmission of patient data must ensure its safety, or face penalties, which can be severe. As an example, in 2015, one of the largest and most prestigious healthcare systems in New York settled with the Department of Health and Human Services (HHS) for $4.8 million over a breach of the Health Insurance Portability and Accountability Act (HIPAA).

To conform to the security rule, organizations must ensure they have administrative, physical and technical safeguards, as well as organizational policies and procedures, and risk analysis and management.

It’s a daunting list of requirements, made even more difficult by the issues that lead to data breaches.

The Key Causes of Data Breaches

One of the leading causes of data security breaches today is criminal attacks. The FBI reports that a key reason for the increase in breaches is that criminals want access to the rich information found in healthcare data, such as patient demographics, personal health information (PHI), financial data and more. Plus, the information is easily accessible: one breach yields a gold mine of information for the “bad guys.” All told, according to the FBI, medical identity theft has nearly doubled over the past five years.

One of the most high-profile examples of a data breach in the healthcare industry, and troubling on a number of fronts, involved a company providing cancer services to patients. In 2015, more than 2 million patient records were hacked. That meant patients with cancer were dealing not only with the disease, but also with the loss of privacy and PHI.

Research tells us that the other major cause of data breaches is human error. Verizon reported in its “2016 Breach Investigations Report” that improper device disposal or mishandling of PHI leads to stolen or lost assets. Breaches can also result from insider and privilege misuse of information, as well as lost or stolen laptops.

Solutions Available

The most important step toward data security begins at a fundamental level: ensuring that health data is transmitted to and from vendors, providers, health systems and patients in a safe and secure manner.

Consider a hospital sending a patient’s lab results to a physician, or a vendor communicating with a patient or provider about information from a personal fitness device or app. These platforms are ripe for data breaches and, therefore, penalties, lawsuits and even high-profile media exposure. (No one wants to be the lead story on the nightly news due to allegations of poor data security.)

Another major question that CEOs and CIOs must address is which data transmission solution is best for their specific organization. Currently a number of vendors, consultants, software programs, etc. are available that promise to help organizations address their data security issues. The best option for each organization will be based on a number of factors, including size, budget, IT staff, expertise and overall goals.

Hand in hand with ensuring the security of transmitted data is the manner in which it is shared. The Health Information Trust Alliance, or HITRUST, was created to establish a Common Security Framework (CSF) that can be used by all organizations that create, access, store, or exchange healthcare data. A growing number of health systems want their own organizations and vendors to use HITRUST to ensure ease of communication and data security.

Other certification options include Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Organization for Standardization (ISO), which also provides guidelines for organizational information security standards and information security management. The Service Organization Control (SOC) 2 framework is a comprehensive set of criteria known as the Trust Services Principles (TSP), composed of the following five sections:

  1. The security of a service organization’s system.
  2. The availability of a service organization’s system.
  3. The processing integrity of that organization.
  4. The confidentiality of the information the organization processes or maintains for user entities.
  5. The privacy of personal information the service organization collects, uses, retains, discloses and disposes of for user entities.

While SOC 2 is not a certification, over the past few years more healthcare organizations have been applying it alongside HITRUST and SSAE, as SOC 2 helps to assure the effectiveness of controls around processing integrity, privacy and security.

All certification options have their pros and cons. Organizations must analyze and weigh each to determine which option is best for their organization, as well as the healthcare industry as a whole.

While there is no single entity to affirm HIPAA compliance, one of the primary benefits of HITRUST is that it provides a third-party assessment that verifies an organization has met requirements. However, meeting recognized standards is much more than a rubber-stamp verification; it ensures the steps have been taken to assure customers and the public of data transmission security.

Steps to Take

As threats to healthcare information continue to grow, and as the stakes, both federal penalties and reputational damage, grow with them, a number of steps must be taken to ensure the safety and integrity of any and all health data. Steps to consider include:

  • Educate C-Suite leadership on the critical importance of data security and the need for processes to ensure the safe transmission of data.
  • Move forward now with improving and updating policies, systems and procedures to prevent a data breach. If it’s been more than two years since data security procedures have been reviewed, they could well be out of date.
  • Determine the methodology to transmit PHI and healthcare data. Talk with other industry experts—even competitors—looking for ways to build consensus to ensure greater security and ease of transmission and reception for the entire industry. Review HITRUST and the other options, analyzing cost, marketplace adoption, ease of implementation, etc.
  • Conduct a self-assessment and readiness review of the organization’s data security strengths and weaknesses. For those organizations selecting HITRUST, this step helps to prepare for the official assessment process.
  • Ensure your organization takes the steps to be certified for the transmission of health data. This provides your partners, patients, vendors and regulators with assurances that your business is taking the appropriate measures to help ensure data security.
  • Establish a solid security awareness program to help ensure compliance. At our company, this step is the foundation of our compliance plan. It includes industry-standard policies, sending monthly email reminders and quarterly newsletters to the staff, and displaying posters in the office to raise awareness about common issues.
  • Avoid common mistakes, such as assuming that internal staff will be able to handle the massive undertaking of analyzing, developing and implementing new data security protocols.
  • Identify partners that have the experience and track record to help you best determine your needs and who are committed to working within your organizational processes and budgets.

CIOs and CEOs: Becoming Partners in Better Data Security

The challenges of data security will only increase in the coming years. Safeguarding patient data must include a policy and a program to ensure the safety of data transmitted. By communicating the realities of threats, as well as opportunities for addressing challenges, CIOs can help CEOs make the decisions to ensure organizations build better data security programs, comply with regulations and maintain the security of patients’ private personal health information.

About the Author

Wes Rhea is the Chief Compliance Officer for BioIQ, a company working with most of the top healthcare systems in the nation to better engage patient populations through technology. Rhea received his Juris Doctorate from Taft University School of Law; his MBA from Troy University; and his BBA from Kennesaw State, where he is now also a professor of Information Systems Management.