Why health systems must think more about data privacy

Hospitals need to do more than try to protect patient information from cyberattacks. Andrew Mahler of CynergisTek explains why leaders must take a closer look at privacy policies.

Hospitals have been working diligently to protect patient data from cyberattacks, but Andrew Mahler says it’s important to think about privacy more comprehensively.

Mahler, vice president of privacy and compliance at CynergisTek, a cybersecurity firm, says hospitals need robust data privacy policies, including who has access to data and what data is collected.

“For a long time, and appropriately so, good cybersecurity practices have been a big focal point of risk management,” he said. “In terms of the overall risk management process, the data privacy piece falls behind other items.”

However, Mahler added, “The risk around bad privacy practices is a pretty substantial risk.”

Mahler spoke to Chief Healthcare Executive in a recent interview about data privacy issues. He also helped lead a discussion on data privacy at the HIMSS 2022 Global Health Conference last month.

“It’s not only about protecting the privacy but thinking holistically about the data you collect,” Mahler said.

Privacy and security

Hundreds of cyberattacks have hit healthcare systems in the last few years. Since the beginning of 2022, more than 100 health system breaches have been reported to the federal government.

It’s important to draw distinctions between privacy and security, Mahler explains.

Security focuses on protecting data from malicious attacks and the exploitation of stolen data. Privacy, meanwhile, focuses on the use and governance of personal data, including policies to ensure private health information is collected and used appropriately, he said.

While strong security policies are needed to protect data, they aren’t sufficient for addressing privacy.

The federal government is applying more pressure to health systems to protect private health information. Last week, the U.S. Department of Health and Human Services issued a request for public comment on what kind of fines or penalties should be assessed if healthcare organizations lose control of private data. Healthcare organizations are also being asked to explain what type of security practices they are using to protect data.

Hospitals and health systems need to “think about who should have data and shouldn’t have data,” Mahler said.

If someone moves from working as a provider into an administrative role, their access to certain types of patient data should be changed, Mahler said. “We see a lot of gaps in those areas where the systems in place aren’t as updated,” he said.

Some people still have access to data they needed two jobs ago, but not today, said Joe Dickinson, a data privacy and cybersecurity lawyer and partner at Michael Best. Dickinson teamed with Mahler on the privacy session at the HIMSS conference.

Healthcare organizations also should be thinking about the volume of private health information they are gathering. Mahler said they should ask themselves: “What are we collecting? Why are we collecting it? And do we need to collect all the data that we have?”

It could be an especially relevant question for companies involved in health research and clinical trials. Typically, researchers want as much information as possible, but some may not be needed and could pose unnecessary risks.

“Organizations that are just collecting lots and lots of data can pose significant risks,” he said.

The value of a framework

Healthcare organizations should consider implementing a data privacy framework to help craft more robust privacy policies. The National Institute of Standards and Technology, a division of the U.S. Department of Commerce, offers a voluntary privacy framework.

Frameworks help organizations see where they are falling short on privacy and how to fix it, said Dickinson. Frameworks also help organizations document to the world what they are saying on privacy.

The framework alone won’t make an organization compliant with the law, Dickinson said, but it can help organizations make data more secure. A framework can also help foster a culture of privacy. In a breach, regulators want to see organizations have clear privacy policies and are working to adhere to them. Strong, well-articulated policies could also reduce penalties after a breach.

“It’s important to demonstrate you may not always get it right, but you’re trying to,” Dickinson said. If there is a breach, Dickinson said, “Most regulators are willing to work with you if you’re trying to get this right.”

The cybersecurity staff and data privacy teams should be working closely together, but that’s not always the case. Dickinson cited the example of one system that had experienced breaches and where the privacy and security personnel weren’t talking as much as they should.

“You’ve got an environment where nobody has looked at the entire network to understand what’s happening,” Dickinson said. (He didn’t name the system.)

Healthcare organizations, particularly smaller systems with fewer resources, should think proactively about their human resources and information security processes, Mahler said. When people leave the organization or change roles within the system, there should be a defined step, even a home-grown checklist, that confirms their system access has been changed to match the new role.
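The role-change and departure gaps Mahler and Dickinson describe can be caught with a periodic access review that compares what HR says each person's role is against what the systems actually grant them. The following is an added example, not code from the article or from CynergisTek; the role-to-entitlement map and the HR and access records are constructed sample data, and a real deployment would pull them from the HR system and the EHR's access logs.

```python
# Added illustration, not code from the article or CynergisTek; the roles,
# entitlements and HR/access records below are constructed sample data.
from dataclasses import dataclass

# Constructed: which data entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "provider": {"ehr_clinical_read", "ehr_clinical_write", "lab_results"},
    "administrator": {"scheduling", "billing_summary"},
    "researcher": {"deidentified_dataset"},
}

@dataclass(frozen=True)
class Finding:
    user: str
    current_role: str       # HR's current role, "terminated" or "unknown"
    excess: frozenset       # granted entitlements the role does not justify

def review_access(hr_roster, access_grants):
    """Flag entitlements that a user's current HR role no longer justifies.

    hr_roster:     {user: current_role}, "terminated" for leavers
    access_grants: {user: set of entitlements currently granted}
    Movers keep only their new role's set; leavers and accounts unknown to
    HR (orphans) are allowed nothing, so every grant they hold is excess.
    """
    findings = []
    for user, granted in sorted(access_grants.items()):
        role = hr_roster.get(user, "unknown")
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        excess = frozenset(granted) - allowed
        if excess:
            findings.append(Finding(user, role, excess))
    return findings

# Constructed sample: dr_lee moved from provider to administrator but kept
# clinical access; j_doe left with access intact; svc_old is absent from HR.
HR_ROSTER = {"dr_lee": "administrator", "a_patel": "provider",
             "j_doe": "terminated", "r_chen": "researcher"}
ACCESS_GRANTS = {
    "dr_lee": {"ehr_clinical_read", "ehr_clinical_write", "scheduling"},
    "a_patel": {"ehr_clinical_read", "lab_results"},
    "j_doe": {"billing_summary"},
    "r_chen": {"deidentified_dataset"},
    "svc_old": {"ehr_clinical_read"},
}

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ACCESS_GRANTS):
        print(f"{f.user} ({f.current_role}): revoke {sorted(f.excess)}")
```

Running the review on the sample data flags the mover, the leaver and the orphaned account while leaving correctly provisioned users alone; the same comparison, scheduled against live HR and access data, is the "check a box" step made auditable.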

Overall, healthcare leaders should give more thought to data privacy, before a cyberattack forces the issue.

“It’s important for them to think about how data privacy practices are part of their business model,” Mahler said.