By Chris Cronin, ISO 27001 Auditor, Partner
Over-securing protected health information (PHI) means protecting the security of PHI so much that patient care or medical research becomes compromised. It may seem strange to hear this from a security firm. After all, security is where HALOCK makes its living. But if your security controls take priority over your medical mission, then you’re doing HIPAA wrong.
How serious is over-securing PHI? As early as 2004, a study published in the Annals of Surgery demonstrated a significant drop in approvals for medical research due to concerns about of the Privacy Rule. A 2013 report by the Bipartisan Policy Center stated that misinterpretations of the HIPAA Privacy Rule were interfering with health research. And during client HIPAA risk assessments, HALOCK regularly encounters situations in which IT teams feel that they must impose strict controls on clinical access to PHI so they are “better safe than sorry,” even when the patient is more safe with their PHI being accessible to clinicians.
Of course we don’t want our cholesterol levels known by a stranger, but if two-factor authentication protects your record and a physician loses their key fob and can’t access your record during an ambulatory situation … what benefit did security serve? Are we helping or hindering? We don’t want our health data to be sold to a pharmaceuticals marketer, but do we limit sharing PHI so much that valid medical research that can potentially save lives should stop or be compromised?
Think we’re exaggerating? In our practice we have seen security configurations that make it difficult for doctors and nurses to access patient data. We have also seen data collection for medical research slowed to the point of compromising study data. We have also seen business associate agreements demand that service providers use security measures that are impractical, expensive, and inapplicable to the risks at the service provider.
“Regulatory standards, common law, and information security standards for protecting information all agree that we need to balance our controls with our risks.”
While the HIPAA Security Rule explicitly tells us to use “reasonable and appropriate” safeguards to protect information, few people understand what that standard really means. Regulatory standards (EO 12866), common law (duty of care balance tests and the calculus of negligence), and information security standards for protecting information (NIST SP 800-37, ISO 27005) all agree that we need to balance our controls with our risks. The tool that the HIPAA Security Rule provides us to estimate that balance is a risk assessment, during which we think through the potential impacts against our mission, our objectives, and our obligations to others.
In clinical environments, risk balance is particularly important because the mission of a health care provider is foremost the protection of patients, and likely includes medical research to improve health care innovations and knowledge.
So how would you recognize whether you are over-securing PHI? Review the items below and see if any of them look familiar:
- Nurses and physicians complain that they are unable to access patient records, or other information, that is necessary for patient care.
- Partners such as labs, physician groups, pharmacists, associated practices, clearinghouses, or payers complain that they cannot access or process patient records on a timely basis due to security controls.
- Researchers complain that their research protocols no longer work because of their inability to access PHI.
- New technical safeguards are implemented without first ensuring that clinicians and researchers can be productive while using them.
- Vendors and business associates tell you that you are demanding controls in your business associate agreements that do not apply to their businesses.
- You are applying unnecessary security controls in order to satisfy an auditor.
- Your risk assessment did not consider the impact that safeguards impose on clinicians’ and researchers’ work and missions.
If any of these situations are happening in your environment, then you could be over-securing PHI. If these scenarios are commonplace in your business, risk assessors may not be performing risk assessments appropriately, if at all.
“Organizations must stop auditing security controls. They must start to risk assess them.”
There are many other bad security violations, such as poor management of safeguards, and sharing PHI with careless vendors. But there is nothing more important in medicine than patient care and improving health outcomes. OCR will likely not come after you for over-protecting data at the cost of patient health. But your patients will. Don’t let it come to that.
So what can care providers do to avoid this violation?
Organizations must stop auditing security controls. They must start to risk assess them.
Risk assessments are a humbling exercise, because the risk assessor must admit that they do not have all of the answers. They must see themselves as serving and supporting those who operate the purpose and mission of the organization.
A risk assessment may start in a way that appears to be an audit when security controls are tested to see if they operate as intended. But where the skilled risk assessor adds value is in thinking through the potential harm that may come to others as a result of the test results. They must also consider the potential impact against their organization’s mission that a security safeguard may create. Then they must consider alternative safeguards if the proposed or existing safeguards are too burdensome.
“Risk assessments are a humbling exercise, because the risk assessor must admit that they do not have all of the answers.”
Risk assessors must speak to the people who are responsible for clinical care including nurses, doctors, pathologists, lab technicians, pharmacists, and anyone who handles PHI. Assessors should ask these participants to review the security controls in their environment, or controls that are being proposed. The participants should then consider the foreseeable threats that the security controls pose to their medical mission. They should further determine what the likelihood and impact of those threats are against the medical mission. Risk assessors may well be surprised when they see that a control poses an intolerably high likelihood and impact against the medical mission.
In our practice, it isn’t uncommon to find security safeguards that pose a higher risk of harm to a care provider’s mission than the original risk posed to the security of PHI. That is not only undesirable, it’s wrong. It is wholly misunderstanding what HIPAA is requiring of us.
So while security and compliance are rightfully a concern, strongly consider the actual challenge that the HIPAA Security Rule puts before us – and the challenge is a concern that judges, regulators, and information security professionals have been setting for many years now – security is a matter of balance achieved between the harm to others, and our burden to prevent that harm.