Asset management is broadly defined as any system that monitors and maintains things of value to an entity or group. In regard to safeguarding the security of electronic health records, we often think of it as a custodial responsibility. Healthcare providers safeguard PHI primarily so that patient confidentiality is not breached. But in fact, that information is also an asset, something of great value to the provider. Three news items regarding recent healthcare data breaches make this abundantly clear:
In July, hackers infiltrated a server that stored electronic health records at The Surgeons of Lake County, a medical facility in Libertyville, IL. Rather than operating in a clandestine manner and attempting to sell the PHI on the black market, these hackers privately encrypted the PHI on the server. This prevented legitimate users from accessing patient data. They then demanded ransom in exchange for providing the password to unlock the data.
Last month, the FBI arrested a former employee of Florida Hospital Celebration, charging him with accessing 760,000 emergency department records from several hospitals over the past two years (primarily from automobile accidents) and selling them to chiropractors and attorneys.
Also in July, a laptop computer containing Cancer Care Group’s computer server back-up media was stolen from an employee’s locked car. The Indianapolis-based firm reported that the breach may have exposed the PHI of up to 55,000 individuals, including its own employees.
In the first example, the hackers attempted to extort money from the physicians by blocking access to an asset (PHI) and then holding it for ransom. Frighteningly, just as in cases of kidnapping, the asset had an arbitrary value based more on the ability of the targeted group to pay than on the replacement value of the asset. It was not only that the information, once released “in the wild,” could never truly be recovered, but also that patients’ lives could have been put at stake. The case at Florida Hospital Celebration (as charged) is the criminal theft of an information asset, and it rose to the level of an FBI investigation! The asset had value (by virtue of the fact that chiropractors and attorneys were willing to pay money for the information), and the perpetrator was motivated to steal so that he could profit personally from the theft.
At Cancer Care Group, the organization was not sure whether the portable media was stolen for its contents or just for the device itself. Nonetheless, it contained a goldmine of demographic data that could be used for identity theft and/or fraud: names, addresses, dates of birth, and Social Security numbers for both parties, as well as medical and insurance information for patients and beneficiaries.
Regardless of the motivation of the thief, the value of this asset to Cancer Care Group can be expressed in what it will cost the organization in incident response and remediation. From blackmail to pawning PHI online to physical device theft, these examples all illustrate that the security of PHI has risen to a standard of protection that organizations would implement and impose on any other asset class. As seen above, the value of PHI can be stated both in positive financial and productivity gains (greater efficiency, customer/patient confidence and satisfaction) and in avoidance of loss (breach penalties, legal costs, restitution, lost business). Yet most healthcare organizations have not yet embraced the concept of PHI security as asset protection as fully as they should. The industry needs to move from a reactive mode to a proactive model.
As the migration to electronic health records accelerates, every health provider needs to conduct a security risk analysis and implement precautions and safeguards to eliminate vulnerabilities and lower the probability of costly data breaches. Security awareness needs to be expanded throughout the organization, and formal PHI governance (as an area of asset protection and risk management) should be an executive and boardroom agenda item. Consider that money in the bank.