Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.
By Kristi Fahy, RHIA
Every day, it seems, the headlines report yet another data breach. Small or large, they just do not stop, and there are many more yet to be discovered. The hackers are winning the game; current information and security approaches just aren’t cutting it and healthcare organizations are no doubt at risk. The industry is in need of a solution that will stop hackers in their tracks, avoiding the hefty fines required by the US Department of Health and Human Services’ Office for Civil Rights (OCR) and ensuring patient information (and other sensitive information) is protected.
Anthem was the victim of one of the largest data breaches in the United States in 2015. This particular cyberattack exposed the personal health information of almost 79 million people, far surpassing the previous record highs for data breaches. Anthem has recently agreed to pay $16 million to OCR—merely the beginning of the costs associated with recovering from a breach of this magnitude.
This excerpt from the OCR press release on October 15, 2018 describes the inadequate processes that contributed to Anthem’s breach, expressing the need for a more refined and effective approach:
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
The breach was undetected for up to a year and the sad reality is that many other healthcare organizations are equally as unprepared. They are at risk and the only thing standing between them and a breach is time. Hackers WILL find a way in, whether it be through the organization’s credit card machines, legacy systems, a targeted phishing attack, or some other unforeseen point of entry. It’s time to learn from the mistakes of those who have been breached. An enterprise-wide approach, through information governance (IG), is necessary to ensure all bases are appropriately covered.
The proactive nature of IG gives organizations a new framework to better understand their information landscape and where their vulnerabilities lie. A comprehensive view of ALL information assets (systems, applications, records, etc.) will enable IT and security personnel to more effectively conduct a risk analysis to identify where additional protections are needed. They can then quickly implement security measures before the hackers find their “in.” In addition, IG sets the foundation through solid policies, procedures, and best practices that have been vetted and agreed upon by key stakeholders across the organization.
Privacy and Security is one of ten competencies that falls under the Information Governance Adoption Model (IGAM)™. Privacy and Security efforts will be maximized in conjunction with two other IGAM competencies: Enterprise Information Management (EIM) and IT Governance. Through technology investments and strategy, along with EIM, organizations will have more confidence that their information (beyond just health information) is secure across all business units.
Organizations should look into the following IGAM maturity markers when crafting their IG strategy for privacy and security and breach management:
- Safeguards (administrative, technical, and physical)
- Information access management
- Information sharing and protections (including sharing with business associates)
- Incident/breach management and correction
- Security risks assessment and risk management
- Employee sanctions process
- Information asset inventory
- Information architecture
- Long-term digital preservation (includes legacy system management)
- IT governance framework
- Business continuity
- Disaster recovery
The aftermath of a breach can financially, operationally, and clinically cripple an organization. In addition to the $16 million fine, Anthem must also implement a robust corrective action plan to comply with the HIPAA rules. Anthem was not adequately prepared to protect against these threats and healthcare organizations must learn from their mistakes. Maturity in the areas listed above will help to mitigate risk and enable organizations to be better prepared to defend against cyberattacks. The solution is information governance and organizations can no longer afford to do otherwise. Had IG been in place at Anthem, the outcome may have been different. Don’t allow your organization to be next!
You can determine your IGAM maturity today and start implementing IG. Click here for access to AHIMA’s free IG assessment tool, IGHealthRate™.
Kristi Fahy (firstname.lastname@example.org) is manager, information governance at AHIMA.