Last week we kicked off the first ever #SecChat, a hashtag chat on Twitter that some have likened to a ‘flash mob.’ It was pretty cool to witness. For about an hour, roughly 66 security practitioners and evangelists were actively engaged in conversations via Twitter about information security and Protected Health Information (PHI). Many more, like myself, were following along with the Twitter stream as interested spectators.
Here’s a quick look at some of the top issues that came up during the chat:
Tokenization: It seems as though most folks in the chat had considered tokenization for de-identifying personal health data. Simply speaking, tokenization replaces a sensitive value with a non-sensitive surrogate (the token) that has no mathematical relationship to the original; the token-to-value mapping lives in a separately protected vault, so a system that holds only tokens no longer holds the sensitive data. Tokenization is widely used to protect credit card numbers, and many businesses use it to shrink the scope of their PCI DSS assessments.
While tokenization has its benefits, there was definitely hesitation to suggest that it was a perfect fit for securing PHI. One participant pointed out that a primary challenge for the healthcare industry is finding a way to de-identify data while retaining its usefulness. Others agreed, noting that the need to share PHI across multiple organizations (each of which keeps its own vault, so the same patient gets a different token at each one) and the need for clinicians to detokenize PHI at the point of care could blunt its effectiveness. The transfer and reformatting of data introduce challenges of their own. Tokenization can also be a hard sell to medical professionals because it interrupts their clinical workflows.
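To make the trade-offs above concrete, here is a small worked example I have added; it is not code from the chat or from any product, and the vault design, field names and patient record are hypothetical. It tokenizes the direct identifiers in a record with random (not hashed) tokens, keeps the clinical fields intact, restricts detokenization to a treatment purpose, and shows why two organizations with separate vaults cannot join their de-identified records on the token.

```python
"""Illustrative tokenization vault for de-identifying PHI (added example, hypothetical design)."""
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"

# Direct identifiers to tokenize, mapped to how many trailing characters to
# preserve (format-preserving, e.g. "last 4 of SSN" stays readable).
DIRECT_IDENTIFIERS = {"mrn": 0, "ssn": 4}

# Constructed sample record: two direct identifiers plus clinical data.
PATIENT = {"mrn": "4471920385", "ssn": "123456789", "icd10": "E11.9", "a1c": 7.4}


@dataclass
class TokenVault:
    """Holds the only mapping between tokens and real values.

    Tokens are random, so unlike a hash there is no function from value to
    token that an attacker could brute-force over a small input space
    (SSNs and MRNs are tiny spaces). Losing the vault means losing the PHI,
    which is why it is the one component that must stay tightly protected.
    """
    _by_value: dict = field(default_factory=dict)   # real value -> token
    _by_token: dict = field(default_factory=dict)   # token -> real value

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Return the token for value, minting one on first sight.

        The same value always maps to the same token within this vault, so
        records tokenized by the same organization can still be joined.
        """
        if value in self._by_value:
            return self._by_value[value]
        suffix = value[-keep_last:] if keep_last else ""
        body_len = len(value) - len(suffix)
        while True:  # loop guards against the (negligible) chance of a collision
            token = "".join(secrets.choice(DIGITS) for _ in range(body_len)) + suffix
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        """Reverse a token, but only for a treatment purpose (hypothetical policy)."""
        if purpose != "treatment":
            raise PermissionError(f"detokenization not permitted for purpose {purpose!r}")
        return self._by_token[token]


def deidentify(record: dict, vault: TokenVault) -> dict:
    """Replace direct identifiers with tokens; clinical fields pass through untouched."""
    out = dict(record)
    for name, keep in DIRECT_IDENTIFIERS.items():
        if name in out:
            out[name] = vault.tokenize(out[name], keep_last=keep)
    return out


def reidentify(record: dict, vault: TokenVault, purpose: str) -> dict:
    """Restore the real identifiers, subject to the vault's purpose check."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = vault.detokenize(out[name], purpose)
    return out


def try_reidentify(record: dict, vault: TokenVault, purpose: str):
    """Like reidentify, but returns None instead of raising when policy denies it."""
    try:
        return reidentify(record, vault, purpose)
    except PermissionError:
        return None


if __name__ == "__main__":
    hospital, lab = TokenVault(), TokenVault()   # two organizations, two vaults
    at_hospital = deidentify(PATIENT, hospital)
    at_lab = deidentify(PATIENT, lab)
    print("hospital view:", at_hospital)
    print("lab view:     ", at_lab)
    print("same patient joins across orgs?", at_hospital["mrn"] == at_lab["mrn"])
    print("treatment re-id:", try_reidentify(at_hospital, hospital, "treatment"))
    print("research re-id: ", try_reidentify(at_hospital, hospital, "research"))
```

Within one vault the mapping is consistent, so analytics on tokenized records still work; across the two vaults the same MRN gets unrelated tokens, which is exactly the cross-organization sharing problem raised in the chat. Solving it means either a shared tokenization service between the parties or exchanging the real identifiers under a business associate agreement, and both reintroduce the trust and workflow questions that made participants hesitant.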
Data Mapping & Use Cases: Without a doubt, mapping where PHI lives within an organization, and understanding the lifecycle of an electronic medical record (EMR), is the necessary first step in securing it. Given the high number of third-party organizations involved (pharmacies, insurers, labs, research companies, etc.), knowing where PHI will go and who needs access to it is crucial to securing it, meeting compliance obligations and determining liability.
HITECH Helps: Almost all participants agreed that the HITECH Act seems to be helping. Not only does HITECH give some teeth to the requirements set out by HIPAA, but it also extends those requirements directly to the ‘Business Associates,’ or third parties, who handle PHI on behalf of HIPAA-covered organizations. One participant noted that he’d seen a number of new information security projects concerning PHI develop since the HITECH Act took effect. Others wished that HITECH/HIPAA could have the same impact and enforcement as PCI DSS, noting that the threat of penalties and litigation under HITECH, while helpful, may not be enough to get organizations on the right path to security.
So where does this leave us? As it was aptly put by one chat participant, securing PHI is a balancing act between “ease of use, separation of duties, security and privacy.” And, according to another, “we have many different problems to solve: small/individual healthcare provider apps, health aggregation tools, tokenization and use cases.” Throw in third parties and an industry where the focus is on saving lives rather than securing data and you have quite a challenge.
As I’ve mentioned before, there is no silver bullet for securing a healthcare organization or PHI. It takes a solid understanding of your environment and business constraints combined with a selection of integrated, intelligent solutions to get in a better position to safeguard your (and your patients’) data.
Did you participate in #SecChat? What did you think of the points raised on PHI?
What would you like to see discussed at next month’s #SecChat?