What’s Going On?
A recent article by Daniel Solove, a security and privacy expert who specializes in HIPAA compliance among other things, described a case of data loss that was newsworthy for one critical reason: it was the first instance in which stiff financial penalties were levied against a third party, known in HIPAA parlance as a Business Associate (BA).
In an increasingly fluid healthcare landscape, where the once monolithic healthcare provider is being fragmented by the use of third-party services, contract physicians, and other suppliers, this incident highlights how critical strong data stewardship and protection have become, and how serious the ramifications of poor stewardship now are.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a $650,000 fine to an IT services provider that works for a healthcare provider, because it was an employee of the IT provider who lost the patient data in question.
Why Is This So Important?
BAs are involved in a significant number of the data breaches tracked by the OCR. A BA's employees are (obviously) not employed by the organization where the Protected Health Information (PHI) is generated, typically a healthcare provider. This means that traditional device-centric approaches to data security (mobile device management, device-wide encryption policies, remote wipe) simply won't work, because the healthcare provider cannot enroll, manage or control the BA employees' devices.
The problem is compounded by the fact that caregivers themselves are frequently not employed by the healthcare provider, but are part of an independent group that contracts its services to the provider. Adding more fuel to the fire, employees of these contract groups are, like the rest of the world, increasingly mobile and expect to access patient data whenever and wherever they want.
All of this adds up to a situation where PHI needs to be secured wherever it goes, including to suppliers and other third parties. Because the healthcare provider has no ability to manage a BA employee's device, device-management-centric paradigms leave a significant area of exposure, and that exposure now comes with stiff financial penalties.
How Do We Address This Issue?
This is where an app-centric approach to data security can have a dramatic impact. Solutions like our Atlas Platform give healthcare organizations the assurance they need to protect their compliance-critical data, delivered through mobile apps, without having to manage their end users' mobile devices.
Atlas enforces security policies at the app level rather than on the device itself. Third-party employees can keep using their own devices, while any data shared by the healthcare provider remains protected if the device is misplaced, stolen, or even maliciously compromised by an attacker. The practical requirement for any app-level scheme is that the keys needed to read the data are never recoverable from the device alone: the app must obtain them from the provider at run time, and the provider must be able to withhold them when access is revoked or an authorization expires.
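To make the app-level model concrete, here is an added example (not Atlas code, and not a description of how Atlas works internally) of how a mobile app can protect PHI it has cached on an unmanaged device. Each record is encrypted under its own data-encryption key (DEK), and that DEK is wrapped under a key-encryption key (KEK) that the provider's server releases to the app only after authentication, inside a short-lived policy token. The `PolicyToken`, `SealedRecord`, `SealRecord` and `OpenRecord` names, the one-hour token lifetime, and the sample record are all assumptions made for this example. A thief who obtains the device gets only sealed records; without a valid token the app refuses to decrypt, and nothing on disk can be decrypted independently of the app.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// PolicyToken stands in for the short-lived authorization the app obtains
// from the provider's server after the user authenticates (hypothetical structure).
type PolicyToken struct {
	KEK       []byte    // key-encryption key released by the provider, held only in memory
	ExpiresAt time.Time // the app refuses to decrypt anything after this time
}

// SealedRecord is the only form in which PHI is allowed to sit on the device.
type SealedRecord struct {
	WrappedDEK []byte // per-record DEK encrypted under the KEK (AES-256-GCM)
	Ciphertext []byte // PHI encrypted under the DEK (AES-256-GCM)
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts plaintext with AES-GCM, prepending the random nonce.
// aad binds the blob to a record ID so blobs cannot be swapped between records.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openBlob reverses sealBlob; any tampering with nonce, ciphertext or aad fails.
func openBlob(key, sealed, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// SealRecord generates a fresh DEK, encrypts the PHI under it, and wraps the
// DEK under the KEK from the current policy token. Only the SealedRecord is stored.
func SealRecord(tok PolicyToken, recordID string, phi []byte) (SealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return SealedRecord{}, err
	}
	ct, err := sealBlob(dek, phi, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	wrapped, err := sealBlob(tok.KEK, dek, []byte(recordID))
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenRecord is the app-level policy gate: no token or an expired token means
// the cached record stays sealed, regardless of who holds the device.
func OpenRecord(tok *PolicyToken, now time.Time, recordID string, rec SealedRecord) ([]byte, error) {
	if tok == nil {
		return nil, errors.New("policy: no authorization from provider; record stays sealed")
	}
	if now.After(tok.ExpiresAt) {
		return nil, errors.New("policy: authorization expired; re-authenticate to the provider")
	}
	dek, err := openBlob(tok.KEK, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openBlob(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample: the KEK would really come from the provider's server.
	kek := make([]byte, 32)
	rand.Read(kek)
	tok := PolicyToken{KEK: kek, ExpiresAt: time.Now().Add(time.Hour)}
	rec, _ := SealRecord(tok, "visit-2016-0042", []byte("MRN 000123; dx: hypertension"))

	phi, err := OpenRecord(&tok, time.Now(), "visit-2016-0042", rec)
	fmt.Printf("authorized app: %q err=%v\n", phi, err)
	_, err = OpenRecord(nil, time.Now(), "visit-2016-0042", rec) // stolen device, no session
	fmt.Println("device thief without token:", err)
	_, err = OpenRecord(&tok, tok.ExpiresAt.Add(time.Minute), "visit-2016-0042", rec)
	fmt.Println("expired authorization:", err)
}
```

The record ID is passed as GCM associated data on both layers, so an attacker who can edit the app's storage cannot pair one record's wrapped DEK with another's ciphertext. Revocation is then a server-side decision: stop issuing tokens (or rotate the KEK) and every copy cached on every unmanaged device becomes unreadable.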
Another way to mitigate this risk is for data stewards to make the data available through mobile web access only. In this scenario the browser's connection to the site still has to be secured (TLS, with authentication on every request), but the data itself is never stored on the device, which protects all parties in the case of device theft or compromise, provided the site disables browser caching and file downloads of PHI. This is also an area where Atlas can help (check out our blog on this).
All in all, we're happy that the OCR is cracking the whip on HIPAA's data-protection requirements. Implementing an app-centric security solution will protect not only the organizations receiving healthcare data and their suppliers and sub-contractors, but ultimately the patients whose private and sensitive data is being shared.