Decentralizing and outsourcing healthcare, that is, moving key healthcare services out of hospitals, is raising major concerns about the security of electronic protected health information (ePHI).
Exchanging ePHI is what makes these shifts possible; yet for busy healthcare IT managers who have little time to absorb additional security risk, securing that exchange may be the most critical issue they face.
Healthcare is no longer a one-stop shop. From critical care to lab work to x-rays, it used to be that everything could be provided in a single visit to a large hospital. Today, the average patient receives a ream of referrals and multiple appointments with a variety of healthcare providers.
For healthcare professionals, this means there’s been a dramatic spike in required communications with subsidiaries, partners and related “supply-chain-like” service providers.
More communication means greater risk of data breaches, cybercrime and ransomware. The communications that today's decentralized healthcare requires need to be protected with data management and transfer best practices. Do you have the practices and processes in place to take them on?
Confidential Patient Information and Healthcare Breaches
Consider what happens with the treatment of a broken bone. If a teenager breaks a bone in her leg while playing sports, she may initially be taken to an urgent care facility. Once it's clear that the injury is serious, EMTs transfer her to the hospital, where staff take images and put the leg in a brace or cast. Information has already been shared among three organizations, and it has only been a few hours.
As the patient receives additional treatment over the following weeks or months, her healthcare records will be shared with her primary care physician, an MRI center, an orthopedic specialist, and even the local healthcare clinic that will remove her cast. They will also go to the physical therapist who may become involved in follow-up care.
As the New England Journal of Medicine’s Catalyst publication notes, “Health care is changing. The exponential growth of digital and virtual health, the deployment of advanced technology deeper into the community, and the movement of higher-acuity care into the outpatient environment create opportunities to shift from a large, centralized health care system to a smaller, faster, more cost-effective one in which health care is more accessible, more affordable, more personal, and closer to home.”
It’s not just a change in how patients are treated. The sharing of records and information electronically creates serious concerns for healthcare IT managers, security experts and department heads.
When sensitive patient data is flying around, being sent to a dozen offices in the case of treating one injury, how can it be kept safe?
What does that mean for sharing patient information and offering treatment at scale?
Solving this challenge isn’t just theoretical. It’s essential to delivering top-quality care, while also protecting healthcare organizations from risks of data breaches, ransomware and cybercrime threats.
What’s Driving Decentralized Care?
In large part, it’s the ability to easily create and share patient information that’s made healthcare decentralization possible.
NEJM Catalyst writes, “Without electronic health records (EHRs), it was nearly impossible for health care providers to understand care longitudinally or to coordinate care without bringing patients to one physical place where information could be organized with the use of archaic documentation management systems.”
At the same time, HIPAA and other regulations that protect patient information — and implement steep penalties when something goes awry — have gotten tougher.
Healthcare Data Management reports that there were over 200 major healthcare data breaches in the first half of 2017 alone, and other estimates are even higher.
Health IT News reports that the average data breach costs companies $4 million — and when substantial HIPAA violations occur, the cost can be staggering. Another report found that each stolen healthcare record costs organizations $380. When you consider that stolen records can number in the tens of thousands, the totals can be sobering.
Strategies for Sharing Patient Information with Business Associates
The reality for doctors, nurses and healthcare administrators is that healthcare is changing. Whether you’re a large hospital or helping secure the data of an individual practice, you need to consider options for securely sharing ePHI with a network of other providers. The decentralization of healthcare services has vastly complicated the way ePHI is exchanged and managed by an increasing number of entities.
If you don't have a plan in place, or there's a weakness in your plan, your organization could be facing significant risk.
In the not-so-distant past, ePHI was largely shared internally. Information that used to be shared in-house across a single IT infrastructure is now shared across multiple, disparate IT infrastructures owned by different entities.
Protected health information (PHI) is individually identifiable information about:
• Past, present or future physical or mental health conditions
• Healthcare services provided
• Payment data
The ePHI you could be exchanging includes:
• Patient names and contact information
• Patient billing details
• Insurance information and correspondence
• Social Security numbers
• Images of the patient
• Identifying information, such as a copy of their driver’s license
• Dates of treatment
• Provider notes
• Details of care received
• Pharmaceutical information
• Lab results
• Images, such as x-rays, MRIs and CT scan results
• Mental health information
• Histories of appointments, such as calendars
The list goes on. This information is shared in a variety of forms, including patient health histories, referrals, bills and more. What's certain is that it is being shared among multiple participants.
It’s impossible to coordinate treatment — or outsource operations to business associates — without sharing this information. What’s essential is that it be secure.
Business Associates (BAs) and HIPAA Breaches
There are numerous examples of healthcare data breaches that have occurred due to outsourcing. Business Associates are a significant source of risk for healthcare organizations.
One healthcare system found millions of potential records compromised due to an onsite food and beverage vendor.
Another had several hundred thousand records compromised when a vendor's systems were hit by ransomware. As a healthcare organization, it's important to have a plan for how information is shared and protected, so that a failure at a vendor is contained rather than becoming your organization's breach.
Fax machines: While many millennials don’t know how to operate a traditional fax machine, the devices continue to be essential equipment in healthcare.
A standalone analog fax machine isn't on your network, so it can't be taken down or encrypted by ransomware the way a workstation or file server can. That isn't the same as being secure, though. A misdialed number or a fax sent to a shared machine delivers ePHI to the wrong party, and networked fax servers and multifunction printers are ordinary network devices that need patching and access control like any other.
Fax machines also have no physical protections associated with them. If a fax arrives at an office, it may be seen by people who aren't authorized to view ePHI, and it risks being misplaced on a busy day. It's hard to keep track of physical paperwork and ensure its security. And the maintenance required when faxes break down, as well as delays when they run out of ink or encounter other issues, can prevent you from getting patient information where it needs to go in a timely fashion.
As younger managers move up in healthcare organizations, traditional analog fax machines and even fax servers will continue to fall out of favor.
But what will they be replaced with?
Blockchain: Any discussion of how to share ePHI in 2018 isn't complete without a mention of blockchain, the distributed ledger technology used to keep track of digital currencies like Bitcoin. What a ledger actually provides is an append-only, tamper-evident record of transactions; it does nothing by itself to keep the contents of those transactions confidential, and records written to it cannot later be amended or deleted, which sits uneasily with patient data. It may have implications for how healthcare information is tracked and audited in the distant future, but it is not a transport for ePHI.
Many people are discussing the possibilities now. It's a hot, buzzy technology. But the realities of adopting such a complex and immature technology are challenging, and it's not a solution most organizations can realistically consider in the near future. For the average healthcare organization, and even the largest hospitals, it's important to find a solution that's easy to understand and doesn't carry the unknown risks of a largely untested approach.
Digital faxing: Also called cloud faxing or electronic faxing, it can provide the speed and precision needed to share electronic records, along with the access control and transmission security that HIPAA compliance requires. However, not every e-fax provider is equal. Many aren't familiar with healthcare requirements and won't sign the Business Associate Agreement (BAA) that HIPAA requires of any vendor handling your ePHI. Before choosing one, confirm that the provider will sign a BAA, how fax images are encrypted in transit and at rest, how long it retains them, and whether it logs who viewed each one. It's important to choose a digital faxing solution that keeps you in compliance with federal regulations, including HIPAA, and with the other requirements that apply to your organization.
Don’t wait to put a strategy in place for handling ePHI security with your business associates and other treatment providers. Your IT and security teams are busy; yet sorting out how decentralized healthcare will impact your data-sharing practices is essential.
Sharing patient information is a necessary part of treatment, and as the landscape continues to change, it’s important to have ways of sharing healthcare data that are both fast and secure.