The recent hack of Sony Pictures Entertainment has garnered significant attention in the media lately, and for good reason. A large corporation with significant technological and financial resources should be, in the eyes of the public, fairly well defended against cyber-attacks.
While 2014 has seen numerous high-profile attacks on retailers, the Sony hack shows the public just how pervasive electronic Protected Health Information (ePHI) is throughout corporate networks, not only in healthcare organizations. Reports indicate that 30 employees had ePHI (birth dates, medical conditions, medical costs and even diagnosis details of an employee's child with special needs) exposed while the attackers were stealing servers' worth of data and yet-to-be-released movies.
This latest data loss demonstrates how easily PHI can be breached in today's digitally connected world. Medical information was likely not the intended target of the attack, but the theft of Human Resources data spread collateral damage to the employees' PHI. The resulting potential fines and remediation will certainly add to the already high financial burden of the incident.
Both the pervasive nature of ePHI and its relative ease of access in many networks should give the healthcare industry pause. Even inadvertently forwarding an email with PHI attachments, or replying without encryption to an email with PHI buried deep in the quoted thread, could create or compound a breach of PHI.
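The "PHI buried deep in the thread" case above is the one that a quick glance at a reply misses: the new text is clean, and the sensitive lines sit two or three quote levels down. The following is an added example, not code from the original post, of an outbound-mail check that scans the whole thread, quoted history included, and reports how deep each hit sits. The sample message, the pattern set and the field names are constructed for illustration; a production DLP filter would carry far more patterns and context.

```python
import re
from dataclasses import dataclass

# Constructed sample: the reply itself is harmless, but the quoted history
# two levels down carries a patient's DOB, MRN, diagnosis and claim cost.
SAMPLE_EMAIL = """\
From: abstractor@example-clinic.test
To: vendor@example-vendor.test
Subject: RE: RE: Reporting question

Thanks, that answers it.

> On Dec 3, vendor@example-vendor.test wrote:
> Sure, the field is free text. Can you send an example?
>
> > On Dec 2, abstractor@example-clinic.test wrote:
> > Here's one from today's batch:
> > Patient: Jane Roe, DOB 04/12/1971, MRN 00482913
> > Dx: Type 2 diabetes; claim total $1,245.00
"""

# Illustrative PHI indicators (assumed, not an exhaustive or official list).
PHI_PATTERNS = {
    "date_of_birth": re.compile(r"\bDOB\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\b[:\s#]*\d{6,}", re.I),
    "diagnosis": re.compile(r"\b(?:Dx|diagnosis)\b[:\s]*[^;\n]+", re.I),
    "medical_cost": re.compile(r"\$\d[\d,]*\.\d{2}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str          # which pattern fired
    quote_depth: int   # 0 = the sender's own text, 1 = one reply back, ...
    line_no: int       # 1-based line within the raw message
    snippet: str       # the matched text, for the reviewer


def quote_depth(line):
    """Count leading '>' markers, ignoring the spaces between them."""
    depth = 0
    for ch in line:
        if ch == ">":
            depth += 1
        elif ch in " \t":
            continue
        else:
            break
    return depth


def scan_thread(message, include_quoted=True):
    """Return PHI findings for the message body.

    With include_quoted=False only the sender's own (unquoted) text is
    checked, which is what a reviewer skimming the top of a reply sees.
    """
    findings = []
    in_headers = True
    for line_no, raw in enumerate(message.splitlines(), start=1):
        if in_headers:
            # RFC 5322: the first blank line separates headers from body.
            if raw.strip() == "":
                in_headers = False
            continue
        depth = quote_depth(raw)
        if depth > 0 and not include_quoted:
            continue
        body = raw.lstrip("> \t")
        for kind, pattern in PHI_PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append(Finding(kind, depth, line_no, match.group(0)))
    return findings


def should_block(findings):
    """Policy hook: any finding anywhere in the thread stops an unencrypted send."""
    return bool(findings)


if __name__ == "__main__":
    top_only = scan_thread(SAMPLE_EMAIL, include_quoted=False)
    full = scan_thread(SAMPLE_EMAIL)
    print(f"unquoted text only: {len(top_only)} findings")
    print(f"whole thread:       {len(full)} findings")
    for f in full:
        print(f"  line {f.line_no} (quote depth {f.quote_depth}) {f.kind}: {f.snippet!r}")
    print("block unencrypted send:", should_block(full))
```

Run against the sample, the unquoted text yields nothing and the full scan yields four findings, all at quote depth 2, which is exactly why the check has to walk the whole thread rather than the new text alone.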
The Department of Health and Human Services (HHS) identifies two ways to render PHI "secured" so that its loss is not a reportable breach: encryption and destruction. Note that ordinary deletion is not destruction; HHS points to NIST SP 800-88 for clearing, purging or destroying electronic media, and to NIST guidance for encryption, which only counts as a safe harbor if the decryption key was not itself compromised. Encryption should be employed both in transit (email encryption plug-ins for clients such as Outlook, VPN access to Electronic Medical Records systems) and at rest on every device that could hold data: laptops, USB thumb drives, smartphones, servers and more.
As technology becomes more pervasive in our daily lives, at work and at play, so too does the expectation to safeguard the data that healthcare professionals such as abstractors work with. And while software and encryption go a long way toward protecting sensitive medical information, there will never be a replacement for qualified professionals who treat medical data with the same care and respect they give their patients.