From Missile Control to Data Awareness and Classification: Seven tips for embracing a "healthy discomfort" when working with patient data


Nearly one year to the day from my college graduation I took my first “alert” in an underground Minuteman II Missile Launch Control Center deep beneath a Montana prairie. That was the first of 213 (but who was counting) 24-hour - and sometimes 48-hour - shifts commanding anywhere from 10 to 50 nuclear weapons, ensuring their security and immediate launch capability. The Minuteman complex was a multi-site, interconnected system with a program of physical, administrative, and technical controls that few organizations can duplicate. 

Some of the key foundational lessons in information security that I carry with me today were forged during my time in the Air Force; I draw from it every day in advancing information security programs. 

As you can imagine, much of the information we worked with day-to-day in this environment was classified. It ranged from “FOUO” (For Official Use Only) to “Top Secret.” We’re all familiar with the adage “familiarity breeds contempt.” When dealing with classified information in the military, contempt can mean compromise. Compromise can mean disciplinary action -- potentially prison -- and the degradation of national security. 

As such, we always felt a very “healthy discomfort” when accessing or transporting classified information. It was part of our everyday job, but we were never fully comfortable – we never developed a contempt for it. 

The challenge is the same for healthcare organizations. Amid the onslaught of medical identity theft and information security breaches, organizations must effect a similar degree of vigilance in the day-to-day handling of PHI and other sensitive information.

How do we achieve that “healthy discomfort” in handling healthcare information? 

I look to the elements used by the military to create and sustain the respect for sensitive information that’s handled on a daily basis. Two of those key elements are awareness and classification.

Information and operational security are areas that the military has down pat. You can't miss the various ways that the level of security of a particular piece of information is highlighted. Red binders, access restrictions to rooms and buildings where it’s handled, labels at the top and bottom of each page, labels on monitors - it all makes it clear how one should handle information. Nothing is devoid of classification, even if only to identify that it is unclassified. 

The program known throughout the military as “OPSEC” (Operations Security) continually underscores how individual items of otherwise innocuous information can be assembled by an adversary to exploit vulnerabilities. OPSEC, at its heart, is an awareness program that is part of the culture. 

Even if a healthcare organization does not adopt a rigorous Mandatory Access Control model, awareness of the sensitivity of information can be reinforced with conspicuous visual cues. Additionally, highlighting the potential damage that can be done to a patient or member can help create that extra degree of vigilance among those who handle patient information.   
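The marking practices described above (every item carries a label, the label is printed at the top and bottom of the page, and the label drives handling) can be modeled in a few lines of code. The following is an added illustration, not code from the original post or from BluePrint: it assumes three illustrative levels (PUBLIC, INTERNAL, PHI), a Record type that refuses to exist without an explicit label, a Destination type with a clearance, and a simple "no write-down" dominance check in the spirit of the Mandatory Access Control model mentioned above. The sample records and destinations are constructed for the example.

```python
"""Added example (not from the original post): a minimal classification-label
model in the spirit of the military marking scheme described above.  Every
record carries an explicit label (UNCLASSIFIED-style PUBLIC is a label, not the
absence of one), rendered output gets top-and-bottom banners, and a dominance
check refuses to move data to a destination cleared below the record's level.
Level names and the Record/Destination types are assumptions for illustration."""

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered so that comparison expresses dominance: PHI > INTERNAL > PUBLIC.
    PUBLIC = 0
    INTERNAL = 1
    PHI = 2          # protected health information (highest handling level here)


@dataclass(frozen=True)
class Record:
    content: str
    level: Level     # required: there is no such thing as an unlabeled record

    def __post_init__(self) -> None:
        # dataclasses do not enforce annotations, so check the label explicitly.
        if not isinstance(self.level, Level):
            raise ValueError("every record must carry an explicit classification")


@dataclass(frozen=True)
class Destination:
    name: str
    clearance: Level  # highest level this sink (printer, mailbox, share) may receive


def banner(record: Record) -> str:
    """Render the record the way a marked page looks: label at top and bottom."""
    mark = f"*** {record.level.name} ***"
    return f"{mark}\n{record.content}\n{mark}"


def can_flow(record: Record, dest: Destination) -> bool:
    """No write-down: data may only move to a sink cleared at or above its level."""
    return dest.clearance >= record.level


def route(record: Record, dest: Destination) -> str:
    """Deliver the marked record or raise; the decision is logged either way."""
    decision = "ALLOW" if can_flow(record, dest) else "DENY"
    print(f"{decision}: {record.level.name} -> {dest.name} ({dest.clearance.name})")
    if decision == "DENY":
        raise PermissionError(f"{record.level.name} data may not flow to {dest.name}")
    return banner(record)


if __name__ == "__main__":
    # Constructed sample values, not real patient data.
    visit = Record("Patient J. Doe, visit 2015-03-02: follow-up scheduled", Level.PHI)
    notice = Record("Clinic closed Monday for the holiday", Level.PUBLIC)
    lobby_printer = Destination("lobby printer", Level.PUBLIC)
    ward_workstation = Destination("ward workstation", Level.PHI)

    print(route(notice, lobby_printer))      # public notice to a public sink: allowed
    print(route(visit, ward_workstation))    # PHI to a PHI-cleared sink: allowed
    try:
        route(visit, lobby_printer)          # PHI to a public sink: denied
    except PermissionError as exc:
        print("blocked:", exc)
```

The point of the model is the one the post makes about the military scheme: the label is mandatory, it is visible on every rendered copy, and the handling decision follows mechanically from the label rather than from an individual's sense of how sensitive the content looks.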

Hospital units and waiting rooms in doctor's offices feel secure. There are no obvious enemies or threats. And that is exactly where the lack of “healthy discomfort” is putting patients' identities and organizational reputations at risk.

Yet, over 2 million adult patients will face medical identity theft this year. Most of those victims will suffer irreparable damage to their financial health, their medical record and their insurance benefits. A Ponemon survey in 2015 found that 65 percent of medical identity theft targets spent an average of $13,500 to restore credit, pay healthcare providers for fraudulent claims, and correct inaccuracies in their health records.

While much of this can be attributed to remote breaches by unseen criminal elements all over the world, those who conduct risk assessments know that vulnerability to medical data theft can be found in nearly every setting.

When you take into account the high cost of healthcare and the high value of medical data -- $50 for medical data versus $6 or $7 for a credit card number – it makes sense that people would become bold enough to enter the seemingly safe space of the hospital unit, medical practice or clinic to scout for unprotected information.

It comes down to awareness among healthcare staff that they are in the center of the war zone and the battle for medical identities. 

What can you do to build awareness and competency with your front-line staff and healthcare leaders around the critical nature of data classification and security?

  1. Make security an organizational issue, not an IT or Compliance issue:
    Are members from all areas of the organization represented on Information Security groups? Is senior management committed to ensuring security?
  2. Assess knowledge and competency:
    Is your staff aware of data security policies and procedures? Are they aware of the risks to patients and members if their information is compromised?
  3. Assess your data security risks:
    Do you know where the gaps are in your policies and procedures, both digital and within the physical space where you deliver care and access or store patient information?
  4. Build in visual and procedural cues:
    How can you conspicuously flag, color, or demarcate sensitive information according to its level of security?
  5. Practice the skills of data security:
    What regular events, meetings or training could reinforce the security behaviors required to keep patient identities safe?
  6. Empower staff:
    Are they aware that they have the duty to challenge unknown individuals? Do they have access to an effective means of reporting information security vulnerabilities they may observe?
  7. Enforce policy:
    Are managers and supervisors throughout the organization holding staff responsible for proper security practices?

Whether we appreciate it or not, every doctor’s appointment, every hospital unit, every medical claim, every ambulance ride, and every clinic visit is an opportunity for compromise. 

It’s often stated that the human being - the employee - is the single weakest link in the chain of cybersecurity. By assessing, training, and reinforcing data security practices and importance, that weak link can become one of your organization’s strongest controls.

Learn More: Let’s assess your organization’s data awareness and classification plan, together. How can we help your organization empower your team to have a healthy discomfort and properly handle PHI? BluePrint can help.

More about the author...

Mark Ferrari brings over 18 years of healthcare IT experience to BluePrint with the unique perspective of working for both provider and vendor organizations. Prior to joining BluePrint, Mark served as a Principal Consulting Project Manager for Siemens Health Services Corporation, where his primary focus was working with clients to implement the MobileMD HIE platform. Mark was also involved in EMR implementation initiatives in support of clients’ pursuit of Meaningful Use, successfully managed certification efforts for Siemens with the Electronic Health Network Accreditation Commission (EHNAC), and managed OCR audit preparation efforts. Mark chaired his division’s Compliance Advocacy Committee, delivered quarterly Privacy and Security training, and sat as a member of Siemens Health Services’ Protected Information Management Council. Prior to his involvement in healthcare IT, Mark served as a military officer in charge of security and operations for an interconnected, ground-based missile system. Mark currently sits on the New Jersey Health Information Management Systems Society (NJHIMSS) Security and Privacy Task Force.

Mark received a Bachelor of Science in Business Administration from Villanova University, earned a Master of Science in Emergency Management from Millersville University of Pennsylvania and holds certifications as a Project Management Professional (PMP), Certified Information Systems Security Professional (CISSP), HealthCare Information Security and Privacy Practitioner (HCISPP), and a HITRUST Certified CSF Practitioner (CCSFP).
