Do You Really Have a Handle on Your PHI Data?
Tom Walsh, founder and managing partner of tw-Security, a health care privacy and information security firm in Overland Park, Kansas, said it is naïve to think health information is secure if providers do not even know where it is. “It’s like the parents of teenagers saying, ‘I don’t know where the kids are or what they are doing, but I’m sure they are acting responsibly,’” he said.
The primary way to understand where data are housed is through something each organization is supposed to be doing to comply with HIPAA: a risk analysis. By doing this, a group can determine where PHI is held and where those systems are vulnerable to breaches, said Susan Lucci, a senior privacy and security consultant with tw-Security.
… Network diagrams need to be updated on a regular basis—annually at least and more frequently if possible, Lucci said. “In a large organization, it’s not unusual for someone to say, ‘We need this new medical device that will save us time and give better diagnostics,’ and it gets added and maybe IT isn’t made aware,” Lucci said. “There are systems and assets that get added and aren’t reviewed for vulnerabilities.”
If the diagrams are updated on a regular basis, new equipment and systems can be added and assessed for risk. “This needs to be reviewed annually because the bad guys don’t use the same tactics to get into systems,” Lucci said. “They are constantly changing and looking for vulnerabilities to get in, so we have to do our part to try and stay ahead of that.”
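The review cycle Lucci describes (keep the inventory current, notice devices that were added without IT's knowledge, and re-assess everything at least annually) can be made mechanical by diffing the documented asset register against what is actually seen on the network. The following Python is an added example, not code from the article or from tw-Security; the asset register, the observed-host list, and all hostnames and addresses are constructed sample data, and the 365-day threshold reflects the annual review the article recommends.

```python
from datetime import date

# Constructed sample asset register: what the network diagram / last risk
# analysis says exists, whether each system holds PHI, and when it was last
# assessed for risk.
ASSET_REGISTER = [
    {"host": "ehr-db-01", "ip": "10.20.1.10", "holds_phi": True,  "last_reviewed": date(2023, 3, 1)},
    {"host": "pacs-01",   "ip": "10.20.2.15", "holds_phi": True,  "last_reviewed": date(2024, 1, 20)},
    {"host": "print-srv", "ip": "10.20.5.8",  "holds_phi": False, "last_reviewed": date(2022, 11, 5)},
]

# Constructed sample of hosts actually observed on the network, e.g. pulled
# from DHCP leases, switch ARP tables or an authorised inventory scan.
OBSERVED_HOSTS = [
    {"ip": "10.20.1.10", "hostname": "ehr-db-01"},
    {"ip": "10.20.2.15", "hostname": "pacs-01"},
    {"ip": "10.20.2.31", "hostname": "ultrasound-cart-3"},  # added by a department, never registered
    {"ip": "10.20.5.8",  "hostname": "print-srv"},
]

REVIEW_INTERVAL_DAYS = 365  # "annually at least"


def unregistered_hosts(register, observed):
    """Hosts seen on the wire that the register does not know about.

    These are the 'systems and assets that get added and aren't reviewed
    for vulnerabilities'; each one needs to be classified (does it touch
    PHI?) and added to the risk analysis.
    """
    known_ips = {asset["ip"] for asset in register}
    return sorted(h["hostname"] for h in observed if h["ip"] not in known_ips)


def missing_hosts(register, observed):
    """Registered assets not observed: retired, moved, or the diagram is wrong."""
    seen_ips = {h["ip"] for h in observed}
    return sorted(a["host"] for a in register if a["ip"] not in seen_ips)


def stale_reviews(register, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Registered assets whose last risk review is older than the interval."""
    return sorted(
        a["host"] for a in register
        if (today - a["last_reviewed"]).days > interval_days
    )


def reconcile(register, observed, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Produce the worklist for the next review cycle.

    PHI-holding assets with a stale review are reported separately because
    they are the ones whose compromise is a reportable breach.
    """
    stale = stale_reviews(register, today, interval_days)
    phi_hosts = {a["host"] for a in register if a["holds_phi"]}
    return {
        "unregistered": unregistered_hosts(register, observed),
        "missing": missing_hosts(register, observed),
        "stale": stale,
        "stale_phi": sorted(h for h in stale if h in phi_hosts),
    }


if __name__ == "__main__":
    report = reconcile(ASSET_REGISTER, OBSERVED_HOSTS, date(2024, 6, 1))
    for category, hosts in report.items():
        print(f"{category:>12}: {', '.join(hosts) if hosts else '-'}")
```

Run against the constructed data as of 2024-06-01, the report flags `ultrasound-cart-3` as a device that appeared without being registered, and `ehr-db-01` as a PHI system whose last review is more than a year old; `print-srv` is also overdue but does not hold PHI. In practice the two input lists would be exported from the organisation's CMDB or diagram tool and from a network data source, and the `unregistered` list is the one to route to whoever owns the risk analysis before the device goes into clinical use.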