Where are you likely to find ePHI? And where shouldn't it be?
Data is everywhere. Never before in human history have we dealt with so much data. Once it was called ‘big data’; now it is big and dispersed. The more data we produce, the more we share it, the more we lose track of it, and the bigger the security and privacy issues we have to face.
HIPAA defines electronic health data (ePHI) using 18 different identifiers. This, in itself, adds further complexity to the equation, as it covers all sorts of data across a very wide IT landscape. The stakes are high, with increasing numbers of data breaches and large fines for non-compliance with data protection regulations.
But how does the average organization keep track of all this data?
Data Visibility Matters
Having visibility into your data gives you the power of control over that data. This is a vital part of your information governance, which, in turn, informs decisions around data management and protection options. Having visibility of ePHI is the first step in working towards HIPAA compliance.
Mapping out your data lifecycle, across all of the myriad connected apps as well as start points and endpoints, is the cornerstone of Know Your Data (KYD). Going through this process offers many opportunities above and beyond understanding what happens to ePHI on your systems.
It makes visible the location of redundant or obsolete files and documents that can subsequently be deleted, reducing compliance bandwidth, and reducing data exposure risk.
Data visibility also gives you enough intelligence to understand how to apply access control to data more effectively. The principle of ‘least privilege’ can be applied in a manner that reflects the true roles of those in your wider data ecosystem. Knowing what data you have and where it is can help to determine who needs access.
Starting with the types of data, i.e., structured and unstructured, you can establish a process for finding out where data is located across all of your extended services, devices, apps, and other systems. Unstructured data in particular, such as documents, can be a challenge in terms of visibility, but knowing its whereabouts is vital for control and for preventing leaks.
Down the Rabbit Hole of Data
This brings us back to the beginning: where do you start when locating ePHI? In a previous post, we looked at the risk assessment process that you need to go through whenever data is breached. Part of the assessment process involved knowing where the ePHI had been leaked from and to.
Having a data inventory is an important tool in helping in this area of risk assessment (this ePHI Audit Guide could help). But it is also important for many other aspects of a business that deals with ePHI. An inventory is your view into the operational aspects of data - the business of data. Information governance tools offer a way to open up your ‘data smorgasbord’, so you have an at-a-glance view of what you have and where it is at any given time.
In terms of HIPAA, ePHI is far-reaching across the ecosystem, drawing business associates into the requirements for data protection and privacy.
The Systems of the “Covered Entity”
Some data can be easy to locate, other data more difficult. ePHI includes personal data such as name, address, and financial data. This may exist across disconnected and disparate documents, emails, and other files across multiple locations. Data exists both:
at rest (e.g., cloud storage)
in transit (e.g., being moved between users and apps).
At rest: You need to carry out a data inventory to find out where ePHI resides. Analysis tools can find unstructured data, and scheduled storage scans that automatically index files can be implemented. The disparate nature of ePHI can be contained using such tools.
In transit: Data is not static. It is shared and ePHI is split across documents and systems, moving into your wider app ecosystem. Mapping your data flows across the lifetime of the ePHI is important but can be a challenge. One way to contain this movement is through the use of least privilege access and the application of data access governance.
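The scheduled storage scan described under "At rest", sketched as an added example (not from the original article or any product it mentions): it walks a directory tree and records, per file, how many times a few pattern-matchable identifier types appear. The regexes, the `MRN` format, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Illustrative patterns only; the "MRN" label and digit length are assumptions.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".eml"}


def scan_file(path):
    """Count identifier hits in one file; matched values are never stored."""
    hits = Counter()
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        for line in handle:
            for name, pattern in PATTERNS.items():
                hits[name] += len(pattern.findall(line))
    return +hits  # unary plus drops zero counts


def build_inventory(root):
    """Walk root and map relative path -> identifier counts (hits only)."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if os.path.splitext(filename)[1].lower() not in TEXT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, filename)
            hits = scan_file(full)
            if hits:
                inventory[os.path.relpath(full, root)] = dict(hits)
    return inventory


def demo():
    """Scan a constructed share; all names and numbers below are fake."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "exports"))
        with open(os.path.join(root, "exports", "intake.csv"), "w") as f:
            f.write("Jane Doe,123-45-6789,jane.doe@example.com,MRN: 00482913\n")
            f.write("Jane Doe,123-45-6789,(555) 010-2345,MRN: 00482913\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("Cafeteria menu for the week.\n")
        return build_inventory(root)
```

Because the inventory holds only paths and counts, the index itself does not become another copy of the ePHI it locates.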
External Data at Business Associates
Under the HIPAA Privacy Rule, in association with the HITECH Omnibus Rule, businesses that deal with ePHI across the vendor ecosystem are also required to comply with HIPAA data protection. This means that if your company is a business associate of a HIPAA covered entity, or if you are a covered entity with business associates, there is a benefit in knowing where data is located in that business associate’s system. As with the covered entity, ePHI is both at rest and in transit.
Where Shouldn't it Be?
Ultimately, if ePHI data is not controlled it can end up in places it shouldn't. This leads to data leaks and ultimately to your company being out of compliance with HIPAA and other data protection regulations. It also puts your company's reputation at risk.
To put the latter into perspective, a report by Ponemon found that 31% of consumers discontinued dealing with a company after a data breach. Places where data can end up that make it difficult, and often impossible, to deal with during a risk assessment include:
Social media: Leaks of ePHI onto social media, whether malicious or accidental, can result in lost control.
The wrong mailboxes: Sending out sensitive data to the wrong email address can be as easy as mistyping a recipient address. Use policies and data leak prevention to help stop this.
Digital media and mobile devices: Data on devices can easily disappear from your radar. Put policies in place to prevent this.
The Confidentiality, Integrity, & Availability of ePHI
Control is something that should be a central component of your compliance toolkit. To control ePHI you need to know what you are dealing with. Data does not exist as a static object or in isolation. It is a working object that resides and moves across many services, systems, apps, and partners’ systems.
To know where ePHI is located you need to have excellent information governance and control in place. In turn, this intelligence will help your organization to prevent leaks and ensure compliance with HIPAA and other data protection laws. Data location feeds your HIPAA risk assessment and informs your choices in access control to data based on principles of least privilege.
Ultimately, information governance and knowing where your ePHI is located is about the confidentiality, integrity, and availability of the ePHI under your watch.