Have you considered that there are other valuable information assets to protect than just your PHI? Most healthcare privacy and security programs focus only on PHI and HIPAA requirements. If you are already doing the work, why not include all of your valuable information assets? It is time to ask yourself: what data should we protect?
More announcements came out recently about settlements or rulings in cases where employees are suing their employers after a data breach. Most cases involve some sort of W-2 scam. These cases are complex because of the many different state data breach laws and the few specifics that apply at the federal level when the data isn't banking, HIPAA, or credit card data. Compliance with regulations doesn't make you secure, and security will not handle all of your compliance obligations.
When you evaluate everything you create, receive, maintain, or transmit (CReMaT), it may be shocking to see how much of it is a really valuable asset. Those assets need to be protected even if there isn't a law requiring it. The good news is that since you are already meeting the HIPAA security requirements, you can add these other data elements to your existing security controls without starting over.
As we work through our new policy and procedure system with clients, we include some portions of the NIST Cybersecurity Framework (CSF). We know things are moving in that direction, and there is more to address than simply your HIPAA obligations. Focus on protecting your valuable information assets and meeting your compliance obligations at the same time. By giving clients options to look at the whole of the company, or at least to begin that process, we are attempting to preempt not only PHI breaches but all data breaches.
Both HIPAA and the Framework follow the same core process. In fact, the Framework calls it the Core, which consists of Identify, Protect, Detect, Respond, and Recover.
- Identify what needs to be protected.
- Protect the data you identified needs protecting.
- Detect when problems or crises occur, or when your defenses fail.
- Respond with a well-thought-out plan when things go wrong.
- Recover using a well-thought-out plan to get you back to normal after a problem.
So it is easy to see that HIPAA clearly uses all of those steps in the Security Rule. The only difference we bring to it is that under the Identify step we don't just look for PHI. We ask: what are your valuable information assets?
Make a list of all of the data that you CReMaT. Then assign a value to each of those data types. Once you do that, it will be easy to see what kinds of protections you should have in place for PHI and for your other valuable data.
How to classify your data.
| Classification | Description |
|---|---|
| Restricted | Highly valuable, highly sensitive business information whose level of protection is dictated externally by legal and/or contractual requirements. Restricted information must be limited to only authorized employees, contractors, and business partners with a specific business need. Examples include Protected Health Information (PHI), Personally Identifiable Information (PII), financial information, trade secrets, etc. SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties, either internal or external. |
| Confidential | Highly valuable, sensitive business information whose level of protection is dictated internally. MODERATE DAMAGE would occur if Confidential information were to become available to unauthorized parties, either internal or external. |
| Internal Use | Information originated or owned by the organization, or entrusted to it by others. Internal Use information may be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public because of the negative impact it might have on the company's business interests. MINIMAL OR NO DAMAGE would occur if Internal Use information were to become available to unauthorized parties, either internal or external. |
| Public | Information that has been approved for release to the general public and is freely shareable both internally and externally. NO DAMAGE would occur if Public information were to become available to unauthorized parties, either internal or external. |
Many people find it surprising just how much data they have that has never had specific protections applied to it. Classifying the data in your organization will almost always be eye-opening, especially the first time you do it.
The only data you should not worry about protecting is the data you classified as Public. Each of the other classifications requires increasingly strong security controls to protect it appropriately. PHI is already in the Restricted category because of compliance requirements. Go ahead and add your other Restricted data to your HIPAA policies, procedures, controls, and assessments.
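The classification table and the "add Restricted data to your HIPAA controls" step can be turned into a repeatable check over your CReMaT inventory. The following is an added example, not code from the original post; it assumes a constructed CSV inventory with columns `name`, `external_mandate`, `damage`, and `approved_public` (all column names and sample rows are assumptions made for illustration).

```python
"""Classify a CReMaT data inventory into the four tiers described above.

Added example, not from the original post. The CSV columns and the sample
rows below are constructed for illustration.
"""
import csv
import io

# Constructed sample inventory: one row per data type you create, receive,
# maintain, or transmit.
SAMPLE_INVENTORY = """name,external_mandate,damage,approved_public
Patient records (PHI),yes,significant,no
Employee W-2 forms (PII),yes,significant,no
Vendor pricing agreements,no,moderate,no
Internal phone directory,no,minimal,no
Marketing brochure,no,none,yes
Draft press release,no,none,no
"""


def classify(external_mandate, damage, approved_public):
    """Apply the tier definitions from the table: an external legal or
    contractual mandate, or significant damage, means Restricted; otherwise
    the damage level decides, and Public also requires explicit approval."""
    if external_mandate or damage == "significant":
        return "Restricted"
    if damage == "moderate":
        return "Confidential"
    if damage == "none" and approved_public:
        return "Public"
    # Minimal damage, or no damage but not yet approved for release: keep it inside.
    return "Internal Use"


def classify_inventory(csv_text):
    """Return a {data type: tier} mapping for every row of the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[row["name"]] = classify(
            row["external_mandate"].strip().lower() == "yes",
            row["damage"].strip().lower(),
            row["approved_public"].strip().lower() == "yes",
        )
    return result


def needs_hipaa_level_controls(classified):
    """Everything in Restricted, PHI or not, belongs in the same HIPAA
    policies, procedures, controls, and assessments you already maintain."""
    return sorted(name for name, tier in classified.items() if tier == "Restricted")


if __name__ == "__main__":
    for name, tier in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{tier:13} {name}")
```

Running it over a real inventory shows at a glance which non-PHI data types (here the W-2 forms) need the same controls you already apply to PHI.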
Remember, compliance is not security and security is not compliance. Protect your data because it is valuable, not because the law requires it. Many companies are finding that they need to add security controls for their non-healthcare data because it is under attack and valuable to criminals in many other ways. Why wait until you suffer the embarrassment of a breach of non-healthcare information in your healthcare environment? If word gets out that you don't protect that data well, people may assume there are holes in the protection of your PHI as well.