Data Privacy and Cybersecurity - What Every Hospital Should Do
By Richard S. Cooper, Esq.Member
McDonald Hopkins LLC
See all this Month's Articles
Original Publish Date: February 9, 2016
Every hospital should undertake a comprehensive review of the effectiveness and legal adequacy of their current data privacy and cybersecurity plan. This plan should encompass HIPAA protections and should also extend to any data required to be protected under federal or state law. Ensuring the protection of Protected Health Information (“PHI”) under HIPAA, although critical to any data privacy and cybersecurity plan, is not alone sufficient. Other data, such as patient financial information and credit card information (Personally Identifiable Information (PII)), must also be protected.
A review would include at a minimum:
- An analysis by a qualified consultant/attorney of whether any weaknesses or exposures exist based upon the completion of a detailed self-evaluation form by the hospital;
- An evaluation of the hospital’s data privacy and cybersecurity policies and procedures by a qualified consultant/attorney;
- A review by a qualified consultant/attorney of the hospital’s employee and medical staff handbook(s) to determine if it/they adequately address data privacy and cybersecurity matters, responsibilities and prohibitions;
- A technical assessment by an outside IT vendor of the various IT systems to include, at a minimum:
- Risk assessment
A risk assessment identifies potential threats an organization may face and an analysis of methods of response if a compromise occurs.
- Vulnerability scanning
Vulnerability scanning includes the scanning of an organization’s systems, including system audits on internal networks, in order to assess the threat of malicious software or rogue employees.
- Penetration testing
Penetration testing is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
- Data classification and segmentation
Data classification is based on the data’s level of sensitivity and the impact to an organization should that data be disclosed, altered, used or acquired without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Segmenting data can further secure it from access, acquisition, use or disclosure, especially as it relates to the data an organization perceives as undesirable to share.
In addition, every hospital should have policies covering the following:
- Written Information Security Program (WISP)
- A program that creates effective administrative, technical and physical safeguards for the protection of PII and PHI and which sets forth the hospital’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting PII and PHI.
- Incident Response Plan (with Incident Response Team)
- A plan that enables the hospital to respond to privacy-related incidents in an efficient and cost-effective manner and provides overall guidelines for the organization’s Incident Response Team and its responsibilities and governing actions.
- Social Media Policy
- Computer & Electronic Devices Usage Policy
- Bring Your Own Device (BYOD) Policy
- Document Retention & Destruction Policy
- Telecommuting Policy
- Physical and Logical Access Security Policy
Training and Education
Hospitals should also assure proper training and education for personnel and medical staff in the following areas:
- The role of employees and staff in protecting PII, PHI and confidential information
- Phishing scams
- Ransomware threats
- Laptop security
- Mobile device security
- Passwords and encryption
- Internet security
- Data disposal and destruction
- Reducing the risk of data breaches
- Reporting suspected privacy and security incidents
Hospitals should also strongly consider training and educational programs for applicable personnel on the following:
- Breach Response Workshop and tabletop exercise with Incident Response Team
- Security and protection of physical access (where and how documents are stored/retained/disposed of; who has access; physical access to buildings, etc.)
- Password and encryption management
- Vendor compliance
- Visitor sign-in
- Exit interview process
Finally, all hospitals should be certain that key agreements are consistent with and further the successful implementation of data privacy and cybersecurity policies and procedures including, but not limited to, the following:
- Employment Agreements
- Non-Disclosure Agreements
- Third-Party Vendor Agreements
- Visitor Agreement
Richard S. Cooper, Esq., is a Member of the McDonald Hopkins LLC law firm. He is also the Manager of its National Healthcare Practice Group and Co-chair of its Healthcare Restructuring Practice Group
Mr. Cooper provides legal representation to a broad range of hospitals, other healthcare facilities and physician groups across the United States. He has been listed in The Best Lawyers in America for health law for twenty-two consecutive years and selected for inclusion in Ohio Super Lawyers (2005-2015).
Visit the McDonald Hopkins LLC web site at www.mcdonaldhopkins.com.