A security breach is the loss or exposure of sensitive data, including information relevant to the organization’s business and patient PHI. Impacts to the organization can be profound if data are corrupted, lost, or stolen. Security breaches may prevent users from completing work accurately or on time, and could result in potentially devastating consequences to patient treatment and well-being. Thus, good data protection and loss prevention practices in turn protect the organization and its patients.
Sub-Practices for Small Organizations
The loss of sensitive data can be prevented in several ways. Data loss prevention is based on understanding where data resides, where it is accessed, and how it is shared. Throughout this document, there are many tips to protect data and prevent loss. This section focuses on loss prevention policies, procedures, and education.
4.S.A Policies | NIST Framework Ref: ID.GV-1, ID.AM-5
- Set the expectation for how your workforce is expected to manage the sensitive data at their fingertips. Most health care employees work with sensitive data on a daily basis, so it is easy to forget how important it is to remain vigilant about data protection. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.
- Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. For example, the Sensitive data category should include PHI, social security numbers (SSNs), credit card numbers, and other information that must comply with regulations, may be used to commit fraud, or may damage the organization’s reputation. Table 6 suggests and describes possible data classifications.
Table 6. Example Data Classification Structure

| Classification | Description |
| --- | --- |
| Highly Sensitive | Data that can easily be used to commit financial fraud or to cause significant damage to the organization’s reputation. Examples of such data for patients include SSNs, credit card numbers, mental health information, substance abuse information, and sexually transmitted infection information. Access to these data should be restricted to users who require it and who demonstrate proper authentication at login. Such data must be managed in compliance with applicable regulatory requirements. |
| Sensitive | All other PHI, especially data associated with the designated record set, clinical research data, insurance information, human/employee data, and organizational board materials. |
| Internal | Data that should be protected yet are not considered sensitive. Examples include organization policies and procedures, contracts, business plans, corporate strategy and business development plans, and internal business communications. |
| Public | All data that have been sanitized and approved for distribution to the public with no restrictions on use. |
- Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage media before use.
4.S.B Procedures | NIST Framework Ref: ID.GV-1, PR.AT-1, PR.DS-2, PR.DS-5, PR.DS-1, PR.IP-6, ID.GV-3
Procedures to manage sensitive data can ensure consistency, reduce errors, and provide clear and explicit instructions. Such procedures should therefore be implemented alongside data access policies. The following methods may be used to develop and implement data management procedures:
- Use the classifications in Table 6 to establish data usage procedures. Identify authorized users of sensitive data and the circumstances under which such data may be disclosed.
- Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Encrypt all PHI sent via e-mail or text. However, patients may request and receive their PHI via unencrypted electronic communications, provided they are first given a brief warning that unencrypted communications could be accessed by a third party in transit and they confirm that they still want to receive the unencrypted communication.
- When emailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.
- Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI. Check with your IT provider to determine if this is feasible for your organization, or reference Cybersecurity Practice #4: Data Protection and Prevention in Technical Volume 2 for details on the applicability of these technologies to your organization.
- Train staff never to back up data on uncontrolled storage devices or personal cloud services. For example, do not permit employees to configure any workplace mobile device to back up to a personal computer unless that computer has been configured to comply with your organization’s encryption and data security standards. Note: Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor’s systems.
- Remember to protect archived data, such as records for previous patients. It is important to monitor access to these data, which may be used infrequently, so that a cyber-attack is detected immediately.
- Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed. See Appendix G of the Main document for a sample data destruction form that can be used to ensure that data are disposed of appropriately.
- Retain and maintain only data that your organization requires to complete work or comply with records storage requirements. Minimize your organization’s risk by regularly removing unnecessary data.
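As an added illustration (not part of the HICP guidance itself), the following Python sketch turns the Table 6 categories and the 4.S.B data loss prevention item into policy-as-code: it detects SSNs and Luhn-valid card numbers in record fields, falls back to field-name hints, and returns the most restrictive classification with its handling rule. The field-name keywords and handling strings are assumptions drawn from the table's examples, not from the document.

```python
import re

# Table 6 classifications, least to most restrictive.
LEVELS = ["Public", "Internal", "Sensitive", "Highly Sensitive"]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Assumed field-name hints derived from the examples in Table 6.
FIELD_HINTS = {
    "Highly Sensitive": ("ssn", "credit_card", "mental_health", "substance", "sti_result"),
    "Sensitive": ("diagnosis", "insurance", "mrn", "employee", "board"),
    "Internal": ("policy", "contract", "strategy"),
}

# Assumed handling rules, mirroring the controls described in 4.S.A and 4.S.B.
HANDLING = {
    "Highly Sensitive": "restrict to authenticated, authorized users; encrypt at rest and in transit",
    "Sensitive": "encrypt in transit (e-mail/text) and on any mobile storage",
    "Internal": "internal distribution only",
    "Public": "no restrictions",
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so an arbitrary 13-19 digit number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_value(name: str, value: str) -> str:
    """Classify one field; content detectors override the weaker name hints."""
    if SSN_RE.search(value):
        return "Highly Sensitive"
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "Highly Sensitive"
    lname = name.lower()
    for level, hints in FIELD_HINTS.items():
        if any(h in lname for h in hints):
            return level
    return "Internal"  # unknown data are never assumed to be Public

def classify_record(record: dict) -> str:
    """Whole-record classification is the most restrictive field classification."""
    return max((classify_value(k, str(v)) for k, v in record.items()),
               key=LEVELS.index, default="Internal")

def handling_for(record: dict) -> str:
    return HANDLING[classify_record(record)]
```

The free-text detectors are deliberately narrow (formatted SSNs, Luhn-valid card numbers); a production DLP tool adds dictionaries and context rules, which is why the document points to Technical Volume 2 for tool selection.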
4.S.C Education | NIST Framework Ref: PR.AT
- Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.
Threats Mitigated
- Ransomware attack
- Loss or theft of equipment or data
- Accidental or intentional data loss