Let’s face it, you don’t want your personal information out in the wild! Additionally, you don’t want to cause your business to end up here: the US Department of Health and Human Services’ “Wall of Shame” – OCR’s Data Breach Notification web page. Improper disclosures of sensitive data can cause harm and embarrassment to all parties involved, and immeasurable damage to the image and reputation of the your company. It is in everyone’s interest and everyone’s obligation to ensure that the sensitive data is appropriately protected…
Some examples of sensitive data (also, see our recent post on What is PHI?) are:
- Social Security numbers (SSN)
- Credit card numbers
- Drivers license numbers
- Personally identifiable patient information
- Personally identifiable clinical trial enrollee information
- Personally identifiable student information
- Personally identifiable employee information
- Personally identifiable donor information
- Proprietary research data
- Confidential company legal data
- Confidential company financial data
- Other proprietary data that should not be shared with the public
Both Federal and state laws and regulations such as HIPAA, FERPA, PCI, and GLBA mandate the protection of different types of sensitive data. The following are some guidelines for protecting such data.
- Do not download or copy sensitive data from company servers to your PC, PDA, laptop, etc. unless absolutely required and you have documented permission to do so from appropriate management.
- If there are no viable alternatives to copying or downloading data from company systems, additional security controls must be implemented:
- Remove the confidential part of the information from the data if possible (e.g. SSN, credit card number)
- Store the data on a secure server managed by your authorized IT support group. Be especially cautious with web servers and creating your own file shares, whereby such data may be inadvertently accessible by unauthorized individuals.
- Always use some form of encryption (or at the very minimum, password protection) if you absolutely must store sensitive data on portable devices such as PDAs, USB drives, laptops etc. Keep the data on such a device only for the shortest time period you need to accomplish your task
- Physically secure devices that can be easily moved such as laptops, portable USB drives, backup tapes etc. There have been many reported cases of such devices being lost with sensitive data. Ignorance is no longer an excuse.
- Do not create databases or applications that use SSN as identifiers unless there is an unavoidable business need. Whenever possible, create an unique identifier that does not use SSN.
- If you are storing sensitive data elements such as SSN, then restrict access to only those workforce members whose job function absolutely requires access to such sensitive data.
- Do not send unencrypted sensitive data via email. Email messages can be intercepted by third parties or mistakenly sent to the wrong address.
- Never download or copy sensitive data to your home computer.
- Never store unencrypted sensitive data on a portable device.
- Do not transmit unencrypted sensitive data outside the company computer network, e.g. by using FTP or submitting data through an insecure web site. Contact your IT support group for recommended, secure practices for electronic transmission of sensitive data.
- Protect printed sensitive data. Secure sensitive data in a locked desk, drawer, or cabinet. Don’t leave unattended sensitive data on a copier, fax, printer, or any other unsecured area.
- When disposing or transferring ownership of PCs, CDs, backup tapes, and any other form of electronic storage, make sure any sensitive data is irretrievably deleted.
For healthcare organizations (Covered Entities) and their business partners (Business Associates and Subcontractors), HIPAA Privacy and Security Rules provide the best guidance. The complete HIPAA Privacy and Security regulations are here.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput (see all)
- Making the case for comprehensive cyber-risk strategies: 10 startling facts that will spur C-suite action - August 8, 2016
- Building Capability and Capacity to Take on Healthcare’s Evolving Security Threats - August 5, 2016
- HIPAA Risk Analysis Tip – The Biggest Risk Management Surprises in the 2016 OCR Audit Protocol - April 11, 2016