How Health Catalyst Ensures HIPAA Security Compliance: 2 Key Components
National awareness for the privacy and security of patient electronic health information is at an all-time high, especially with the recent data breach at health insurer Anthem. Anthem revealed that hackers accessed data protected under the Health Insurance Portability and Accountability Act (HIPAA), such as names, Social Security numbers, dates of birth, addresses, and other personal data of an undetermined number of its members. While Anthem doesn’t know the exact impact, they do know the breached database contained the records of 80 million people.
Motives for Stealing Patient Health Information
Stealing healthcare data is enticing and highly profitable for hackers. In fact, according to a report from PricewaterhouseCoopers, a comprehensive health insurance record with several types of information included (e.g., financial, medical, personal) can be worth up to $1,000 on the black market. Basic health insurance credentials alone can bring in $20 for each record. Compare these amounts to the meager $1 that data thieves receive for each stolen credit card, and it’s easy to see why healthcare data breaches are a growing problem.
But why does healthcare data command such a steep price on the black market? The main reason is that it contains all of the information needed to commit both financial and medical fraud. Patient information also has a longer shelf life, because birth dates and Social Security numbers don’t change. In contrast, credit card data is prone to more fluctuations (e.g., changing phone numbers, addresses, last names), and cards can easily be cancelled.
HIPAA and PHI: Always Top of Mind for the Healthcare Industry
Even though there’s a heavy focus in the news about recent data breaches, the privacy and security of protected health information (PHI) is always top of mind for organizations operating day-to-day in the healthcare industry—and has been for many years. Congress enacted HIPAA back in 1996, in part, to regulate the security of PHI. Since then, many guidelines and best practices have been developed to help organizations ensure the security of patient health information, especially in the electronic age.
At Health Catalyst, preventing a data breach like that suffered by Anthem is our highest priority. Our handling of PHI isn’t as extensive as that of a payer or healthcare provider. But for the PHI we do come into contact with, we are committed to complete compliance with HIPAA and ensuring the privacy and security of our clients’ PHI. This is possible because of two key components: our culture and our advanced technology.
Ensuring Data Security with 2 Key Components: Culture and Advanced Technology
Protecting the privacy of our clients’ patient data is a core operating principle at Health Catalyst. Our number one objective as a company is to help hospital and health systems improve outcomes, and as a precursor to that objective, we must prioritize the security of their data. We do this by creating a culture with a deep focus on HIPAA compliance through a security awareness program. This program includes mandatory, rigorous HIPAA training for new employees, regular refresher trainings, monthly newsletters with a focus on security, and ongoing dialogue about best practices.
We also instill an understanding of exactly why we’re working so hard to protect data. HIPAA’s Privacy and Security Rules are designed to protect patients’ civil right to privacy. Healthcare providers often feel a sense of ownership over PHI because they work so closely with it and are responsible for its protection. This can happen with vendors also. Our commitment to protect and secure PHI stems not only from our responsibility to our clients. We also emphasize to employees that PHI really belongs to patients, and it’s our responsibility to protect patients’ privacy.
In addition to creating a culture that focuses on the security and privacy of PHI, our technology plays a significant role in preventing data breaches. Technology features such as the following ensure data remains secure and HIPAA-compliant:
- Tracking and audit trails. Health Catalyst solutions offer the ability to log and audit user actions at three different levels: the database, the enterprise data warehouse (EDW), and the visualization layer. In addition, individual data elements, such as the sensitivity level of the data, can be configured. For example, data elements can be classified as non-sensitive, sensitive, or as PHI. All changes to sensitive or PHI data are tracked and can be audited.
- Physical security of the data. Our data center is certified as a Tier III data center, an industry-recognized standard. This means comprehensive safeguards are in place to ensure proper access to the data. First, entry to the data center facility requires biometric identification of the worker’s palm. Second, entry to the Health Catalyst caged area requires biometric identification of the worker’s thumb, which then allows access to the network and server infrastructure. In addition, a video camera monitors the secured area around the clock. While Health Catalyst policy prohibits the storage of PHI on laptops, all laptops are nonetheless encrypted using advanced encryption standards to ensure “safe harbor” (i.e., PHI is rendered unreadable or indecipherable to unauthorized individuals).
- Limited user access to data during deployment. More users with access to data can lead to lower security. Because of this concern, we limit the number of privileged user roles during the deployment of an EDW. In addition, all user accounts are created based on the “least privilege” rule: the minimum level of access required to complete the job function.
- Role-based security features. Our EDW provides role-based security to users through integration with Microsoft’s Active Directory identity and authorization service. Health Catalyst supplies a number of pre-defined Active Directory roles (varying levels of rights to access different types of information) to which clients may assign users. The advantage of using Active Directory is that it provides very fine-grained control over who can and can’t access a health system’s data, its EDW, and the various applications.
- Protection of sensitive subsets of PHI. Some PHI data is considered more sensitive than other PHI data. Examples include mental health data, HIV data, and genomic/familial data. Because of the need to identify this type of data for care or research, users with access to the EDW can create definitions of the data at the metadata level. In other words, users have granular control of their data and can perform audits based on the sensitivity of the data.
- Ongoing control of user access regardless of the hosting environment. Health systems can choose between a local (self-hosted) environment or a virtual private cloud option to implement their EDW. With both options, health systems remain in charge of user access at all times. For example, if Health Catalyst employees need to perform maintenance and management tasks within the platform, the health system must grant access at the Active Directory level.
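The list above describes four controls that work together: data elements classified as non-sensitive, sensitive, or PHI at the metadata level; roles granted the least privilege needed; and an audit trail of every change to classified data that can be queried by sensitivity. The following is an added illustration of how those pieces fit together in a relational store, written for this article rather than taken from Health Catalyst’s platform. The `patient` table, the column classifications, the role names in `ROLE_CLEARANCE`, and the audit-log layout are all constructed for the example; it uses SQLite so it runs offline, and the auditing is done with database triggers generated from the classification metadata so that a change to PHI is recorded no matter which code path made it.

```python
import re
import sqlite3

# Sensitivity classes named in the article: non-sensitive, sensitive, PHI.
NON_SENSITIVE, SENSITIVE, PHI = "non-sensitive", "sensitive", "phi"

# Constructed classification of the columns of a toy "patient" table.
# In a real EDW this is the metadata layer that users configure.
COLUMN_CLASSIFICATION = {
    "admit_year": NON_SENSITIVE,
    "hiv_status": SENSITIVE,   # a "more sensitive subset" of PHI
    "ssn": PHI,
    "birth_date": PHI,
}

# Hypothetical roles, least privilege: each role lists the classes it may touch.
ROLE_CLEARANCE = {
    "analyst": {NON_SENSITIVE},
    "clinical_analyst": {NON_SENSITIVE, PHI},
    "phi_reviewer": {NON_SENSITIVE, SENSITIVE, PHI},
}

# Identifiers interpolated into SQL come only from our own metadata table.
_IDENT = re.compile(r"^[a-z_]+$")


def build_edw():
    """Create an in-memory EDW with classification metadata and audit triggers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, admit_year INTEGER, "
               "ssn TEXT, birth_date TEXT, hiv_status TEXT)")
    db.execute("CREATE TABLE column_classification (column_name TEXT PRIMARY KEY, "
               "sensitivity TEXT NOT NULL)")
    db.executemany("INSERT INTO column_classification VALUES (?, ?)",
                   COLUMN_CLASSIFICATION.items())
    db.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT, actor TEXT, "
               "action TEXT, column_name TEXT, sensitivity TEXT, row_id INTEGER)")
    db.execute("CREATE TABLE session (actor TEXT)")  # who is acting; set per operation
    # One trigger per classified column, generated from the metadata, so every
    # change to sensitive or PHI data is recorded whatever code path made it.
    classified = db.execute("SELECT column_name, sensitivity FROM column_classification "
                            "WHERE sensitivity != ?", (NON_SENSITIVE,)).fetchall()
    for col, level in classified:
        assert _IDENT.match(col)
        db.execute(f"""
            CREATE TRIGGER audit_update_{col} AFTER UPDATE OF {col} ON patient
            WHEN OLD.{col} IS NOT NEW.{col}
            BEGIN
                INSERT INTO audit_log (actor, action, column_name, sensitivity, row_id)
                VALUES ((SELECT actor FROM session), 'update', '{col}', '{level}', NEW.id);
            END""")
    # Constructed sample row (not real patient data).
    db.execute("INSERT INTO patient VALUES (1, 2014, '123-45-6789', '1970-01-01', 'negative')")
    return db


def _check(db, actor, role, columns, action):
    """Least-privilege gate: unclassified columns are denied (fail closed), denials are logged."""
    clearance = ROLE_CLEARANCE[role]
    levels = dict(db.execute("SELECT column_name, sensitivity FROM column_classification").fetchall())
    for col in columns:
        level = levels.get(col, "unclassified")
        if level not in clearance:
            db.execute("INSERT INTO audit_log (actor, action, column_name, sensitivity) "
                       "VALUES (?, ?, ?, ?)", (actor, f"denied-{action}", col, level))
            raise PermissionError(f"{role} may not {action} {col} ({level})")
    return levels


def read_columns(db, actor, role, columns):
    """Read selected columns; reads of classified data are audited as well as writes."""
    levels = _check(db, actor, role, columns, "read")
    rows = db.execute(f"SELECT id, {', '.join(columns)} FROM patient").fetchall()
    db.executemany("INSERT INTO audit_log (actor, action, column_name, sensitivity) "
                   "VALUES (?, 'read', ?, ?)",
                   [(actor, c, levels[c]) for c in columns if levels[c] != NON_SENSITIVE])
    return rows


def update_column(db, actor, role, row_id, column, value):
    """Update one column; the trigger records the change if the column is classified."""
    _check(db, actor, role, [column], "update")
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?)", (actor,))
    return db.execute(f"UPDATE patient SET {column} = ? WHERE id = ?", (value, row_id)).rowcount


def audit_trail(db, sensitivity=None):
    """The audit trail, optionally filtered by sensitivity class (e.g. every touch of PHI)."""
    sql = "SELECT actor, action, column_name, sensitivity FROM audit_log"
    if sensitivity is None:
        return db.execute(sql + " ORDER BY id").fetchall()
    return db.execute(sql + " WHERE sensitivity = ? ORDER BY id", (sensitivity,)).fetchall()


if __name__ == "__main__":
    edw = build_edw()
    print(read_columns(edw, "alice", "analyst", ["admit_year"]))
    try:
        read_columns(edw, "alice", "analyst", ["ssn"])
    except PermissionError as err:
        print("denied:", err)
    update_column(edw, "bob", "phi_reviewer", 1, "hiv_status", "positive")
    for entry in audit_trail(edw):
        print(entry)
```

Two design points carry over to a production EDW regardless of the database engine: the access decision is derived from the classification metadata rather than hard-coded per query, so reclassifying a column (say, marking genomic data as sensitive) changes enforcement everywhere at once; and denied attempts are written to the same audit log as successful reads, which is what makes the trail useful for spotting a compromised or over-curious account.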
The Best Solution to Become HIPAA-Compliant: An EDW
Many health systems still rely on Excel spreadsheets and Access databases to perform analytics. These decentralized tools are often stored on laptops that may not be using the latest security procedures. The truth is that, although a hack like Anthem’s makes big news, most healthcare security breaches are the result of lost or stolen laptops. In fact, just last year an organization paid a $1,725,220 settlement because of unencrypted data on a single stolen laptop.
Even if the spreadsheets and databases are stored on encrypted laptops, collaborating with spreadsheets tends to introduce security problems. People might email the spreadsheet back and forth. Or they might transfer the file from one encrypted laptop to another via an unencrypted thumb drive. They might even upload it to a shared, unencrypted drive on Google, or Dropbox. The possibilities are endless, quite common, and very problematic.
Adopting an EDW eliminates these security concerns—and improves analytics. An EDW aggregates data from a health system’s many source systems (EHRs, financial systems, patient satisfaction surveys, and more) into one single source of truth. With data organized in this way, health systems can perform analytics that deliver insight into how to improve the quality and cost of care.
You might ask whether having all of this data aggregated into one place increases the security risk. The answer is a resounding no. The rigorous security practices outlined above prevent unauthorized access of the EDW. And, in fact, restricting an organization’s analytics efforts to a single, secure EDW actually reduces the opportunity for security lapses.
Having all of the data in a highly secure EDW helps ensure that health systems can work to improve care while maintaining complete visibility and control of the security of their patients’ PHI.
What technology does your health system use to remain vigilant about data breaches? How do you ensure HIPAA compliance across your enterprise?