With healthcare being a highly-regulated industry, healthcare providers need to preserve all records and communication data, including electronically stored information (ESI) and ensure it is stored safely in a secure and private repository.
"Your sensitive health information is worth 10 times more to hackers than your credit card on the black market." (Reuters, 2014)
Discussions with patients or other professionals, as well as sensitive patient records need to be kept secure while remaining available for future reference. Keeping information safe in the healthcare industry is not only best practice, but also a regulatory necessity. The issue is further complicated by recurring data breaches and continual leakage of sensitive information.
Email Challenges in the Healthcare Sector
Nobody can deny the importance of email in the workplace. In healthcare institutions, be it hospitals, clinics or health insurance companies, people send quite a few emails every day. It is estimated that an average employee sends and receives around 120 email messages a day, and a large number of those messages contain confidential information including patient info, protected health information (PHI) and attached documentation.
A recent statistics report by DMR shows that the global number of emails sent and received daily has reached 270 billion.
Although all regulated industries deal with similar email worries, medical institutions seem to face unique challenges regarding their online presence.
1. HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and amended in 2013, is a notoriously complex law that regulates how healthcare providers manage Protected Health Information (PHI), including medical records and payments. It obliges healthcare organizations to establish policies and protect patient confidentiality.
The largest HIPAA fine was levied in August 2016 and amounted to $5.55 million.
The Act consists of five titles in total, but Title II is vital for today’s story as it deals with email, other electronically stored data and the prevention of healthcare fraud and abuse. When HIPAA was first enacted, this Title imposed new challenges on healthcare organizations to assess and transform their existing systems in order to comply with strict guidelines on digital data archiving and electronic communication, especially when dealing with sensitive patient data. To meet those guidelines, healthcare providers now have to employ high-class technical archiving solutions to ensure fast and easy retrieval of data, accessibility to patient records and facilitate eDiscovery procedures.
The changes enacted in HIPAA’s Security Rule in 2013 are especially important. Although they do not explicitly prohibit the use of email to communicate protected health information (PHI), the amendments introduce several requirements that your organization’s email communication must meet to be HIPAA compliant:
- Administrative Protection Measures
According to the 2013 HIPAA amendments, it is necessary to assign information security officers in healthcare institutions, sign business associate agreements with third parties who would have access to sensitive data, establish transparent risk assessment procedures, organize training and develop appropriate information management policies.
- Physical Protection Measures
The healthcare provider needs to be able to control the devices that are used to store electronic PHI. It has to carefully explore equipment specifications and have physical access to servers and hardware on which electronic PHI is contained.
- Technical Protection Measures
It is necessary to specify individuals who can access PHI databases remotely as well as define audits and monitoring mechanisms.
According to a summary from the HIPAA Journal, in order for healthcare providers to be HIPAA compliant, they need to restrict access to PHI, be able to monitor how it is communicated, ensure its integrity and protect it from unauthorized access.
2. eDiscovery
eDiscovery is the procedure in which electronically stored information (ESI) is requested from organizations during litigation, government investigations, FOIA and FRCP requests, etc. Electronic information is considered to be different from traditional, paper documentation because of its intangible form and transient nature. Moreover, ESI is special because it is accompanied by metadata which forensic investigators need to review for hidden evidence.
The average cost to companies during an eDiscovery case is $1.8 million.
Like all large organizations in the digital age, healthcare providers are struggling with multiple sources that can contain discoverable ESI. Apart from managed data sources such as patient databases and electronic health records systems, other relevant data is typically scattered in email or even on employees’ laptops and mobile phones.
3. Data Access and Retrieval
Access to electronically stored information is inseparable from eDiscovery. Before digital information archiving solutions first appeared, employees had limited options to preserve electronic data. They could store emails on their overburdened mail servers or backup tapes and risk data loss, or employ the traditional method of printing out all electronic documentation and filing it in cabinets. This, however, did not make the archived documentation searchable, nor did it make the healthcare provider HIPAA-compliant, as printed emails would be preserved without the valuable metadata. In case of an eDiscovery request, covered entities would have to invest a lot of money and extra effort to retrieve data from backup tapes in a timely manner, often failing to meet the strict deadlines and facing exorbitant fines and other penalties.
How long does it usually take you to locate a specific email or attachment in your inbox?
In the digital age, data accumulates fast. It gets harder and more costly to locate specific information in the terabytes of patient data, which can turn into a nightmare when you need to produce that information in case of litigation.
4. Storage Troubles
Recent years have brought a rapid and progressive growth of email traffic, which has increased the pressure on companies to handle their email communication and storage space more effectively. An obvious and major downside to email is that it clogs email servers. The huge volumes of information hospital staff send and receive via email soon start to accumulate and consequently overwhelm our inboxes, significantly reducing the servers’ storage capacities.
An average email is about 75 KB in size. If you submit photos or drafts and exchange files frequently, your average can be closer to 500 KB. Attachments, which can be 10 MB or larger, can heavily affect this average.
Large healthcare providers employing more than a thousand staff members might have to store over a terabyte of mailbox data onto a single email server. This much data will certainly result in an impaired performance. On the other hand, all critical data (especially patient records) must be readily available at all times, even in extreme cases of downtime and server failure.
5. Data Breaches
When HIPAA was revised and amended in 2013, the notion of data breach was also redefined. A data breach now occurs when there is an unauthorized exposure of electronically stored PHI unless the healthcare organization can prove that patient data was not compromised. The best way to prove this is through encryption, as encrypting patients’ personal information, medical histories and current health-related information would make them unreadable and useless.
A 2017 data breach report shows that there has been a 305% increase in the number of records exposed in data breaches, which makes this year “yet another worst year ever for data breaches”. (Risk Based Security via HIPAA Journal)
The single largest cause of data breaches is human error. There have been numerous cases of employees misplacing flash drives, doctors’ laptops being stolen from their cars, and so on. Cybercriminals are now aware that employees are the weakest link in hospitals’ cybersecurity defenses, and the majority of their attacks now focus on targeting hospital staff.
How Email Archiving Helps to Overcome the Challenges
To ensure that their digital records are harmonized with HIPAA, healthcare providers face the challenge of handling sensitive data in a way that enables safe storage, quick access, and easy audit and retrieval of specific data in their database, as well as making sure that the data is stored in a WORM (write once, read many), tamper-proof format.
93% of information created in an enterprise is created in electronic form, and 70% of that is never printed. Healthcare IT News
In their quest for a tool that would meet the Act’s Privacy Rule and simultaneously allow for a fast and easy eDiscovery process, in-house email archiving stepped up as the most efficient solution.
Data Control & HIPAA Compliance
Although it has been more than 20 years since HIPAA’s enactment, the risks that the healthcare industry is facing now seem more serious than ever. Data breaches, criminal attacks and employee negligence are just some of the threats that healthcare organizations need to neutralize. According to the recent KPMG cyber security report, 56% of healthcare executives believe that HIPAA violations and compromised privacy are their number one security concern. Non-compliance with HIPAA can mean heavy penalties and fines and mandatory audits for organizations.
Any impermissible disclosure of ePHI can result in a financial penalty. The most common violations include disclosure of sensitive patient info due to theft or loss and careless handling of protected health information. By employing external or cloud software solutions, health organizations put sensitive patient data at risk of data loss. The benefits of an on-premise email archiving appliance lie in the fact that the data is stored internally, within the organization, regardless of its size or the number of employees. An in-house email archive allows you to store emails in a tamper-proof format, together with their metadata, and to locate, retrieve and export individual messages in a matter of minutes.
With email archiving technology, healthcare providers can ensure that their sensitive information is secure and that they won’t face the repercussions of non-compliance with HIPAA such as heavy penalties and hefty fines. To optimize their digital data handling and keep all their medical records and email exchanges safe, companies need to perform a risk management assessment and implement data security solutions. With the help of email archiving, the technical aspect of the whole process can be simplified, automated and kept internally.
Everything in a Single Repository
With email archiving, medical records can be kept in a single repository rather than scattered across the system. Customizable retention policies let compliance officers define what information should be archived and for how long. Automating this process will give you long-needed peace of mind. Being able to purge the archived information once it’s no longer necessary will alleviate your storage space worries. Whether you need to access your archived information for reference, business intelligence, as part of an employee monitoring strategy or because you are facing litigation, the process of searching, finding and retrieving what you need is guaranteed to be smooth and efficient with email archiving.
Access and eDiscovery
Large hospitals can have between a thousand and two thousand beds. Imagine the enormous lists of patients and patient records that your staff will need to manage. If your hospital becomes implicated in a lawsuit or if there is a particular case you need to inspect in detail, you will have to retrieve data quickly. But how do you locate data if it’s distributed across your entire system? You’ll probably reach out to your IT team to retrieve the necessary information, but they already have their hands full, don’t they?
That’s where email archiving comes into play and offers unparalleled possibilities. A recent survey found that the average time needed to respond to an eDiscovery request often exceeds 24 hours, and the retrieval of data can cost your institution millions of dollars.
With an email archiving system that possesses an audit trail feature, you will be able to limit and control access to specific data. Regular end users will be allowed to search and retrieve their own email archive, whereas privileged users with full capabilities (compliance officers or admins) will have unlimited access to the appliance and be able to search the entire organization’s archived data. A good email archiving solution will allow select users to customize user roles, apply legal holds and define email retention policies, both for entire departments and for individual employees.
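The retention policies, legal holds and role-based search scopes described above can be reduced to a small amount of logic: the most specific policy wins (individual mailbox over department over the organization default), a legal hold freezes a message regardless of how old it is, and a regular user may only search their own mailbox while compliance officers and admins search everything. The following is an added example written for this article, not code from any archiving product; the policy model, the role names and the sample messages are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed policy model for illustration; not any vendor's schema.


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str        # address of the mailbox owner (the custodian)
    department: str
    received: date
    subject: str


@dataclass(frozen=True)
class RetentionPolicy:
    days: int
    department: Optional[str] = None   # applies to a whole department
    mailbox: Optional[str] = None      # applies to one employee; overrides department


@dataclass(frozen=True)
class LegalHold:
    custodian: Optional[str] = None    # freeze every message in this mailbox
    keyword: Optional[str] = None      # or every message whose subject mentions this


# Constructed default; the retention period your organization needs depends on
# which HIPAA and state rules apply to the record, so check your own policy.
DEFAULT_RETENTION_DAYS = 6 * 365


def effective_retention(msg: Message, policies: List[RetentionPolicy]) -> int:
    """Most specific policy wins: mailbox > department > organization default."""
    for p in policies:
        if p.mailbox is not None and p.mailbox == msg.mailbox:
            return p.days
    for p in policies:
        if p.mailbox is None and p.department == msg.department:
            return p.days
    return DEFAULT_RETENTION_DAYS


def on_hold(msg: Message, holds: List[LegalHold]) -> bool:
    """A message under any active legal hold must never be purged."""
    for h in holds:
        if h.custodian is not None and h.custodian == msg.mailbox:
            return True
        if h.keyword is not None and h.keyword.lower() in msg.subject.lower():
            return True
    return False


def purge_candidates(messages, policies, holds, today: date) -> List[str]:
    """Ids of messages whose retention has expired and which no hold protects."""
    out = []
    for m in messages:
        limit = timedelta(days=effective_retention(m, policies))
        if today - m.received > limit and not on_hold(m, holds):
            out.append(m.msg_id)
    return out


# Search scope per role: end users see only their own archive, privileged
# roles see the whole organization. Unknown roles get nothing.
ROLE_SCOPE = {"user": "own", "compliance": "all", "admin": "all"}


def may_search(role: str, requester: str, target_mailbox: str) -> bool:
    scope = ROLE_SCOPE.get(role, "none")
    return scope == "all" or (scope == "own" and requester == target_mailbox)


# Constructed sample data.
TODAY = date(2017, 12, 1)
MESSAGES = [
    Message("m1", "dr.a@hospital.example", "oncology", date(2010, 1, 10), "Follow-up: patient 4711"),
    Message("m2", "dr.a@hospital.example", "oncology", date(2017, 6, 1), "Conference travel"),
    Message("m3", "nurse.b@hospital.example", "er", date(2009, 3, 3), "Shift swap"),
    Message("m4", "billing@hospital.example", "finance", date(2012, 5, 5), "Invoice batch 77"),
    Message("m5", "billing@hospital.example", "finance", date(2012, 6, 5), "Litigation: Doe v. Hospital"),
]
POLICIES = [
    RetentionPolicy(days=2 * 365, department="finance"),
    RetentionPolicy(days=10 * 365, mailbox="dr.a@hospital.example"),
]
HOLDS = [
    LegalHold(keyword="Doe v. Hospital"),
    LegalHold(custodian="nurse.b@hospital.example"),
]

if __name__ == "__main__":
    # Only m4 is purgeable: m1 has a 10-year personal policy, m2 is recent,
    # m3 is frozen by a custodian hold, m5 by a keyword hold.
    print(purge_candidates(MESSAGES, POLICIES, HOLDS, TODAY))
```

Note that the hold check runs after the retention check has already decided a message is expired: a hold must override the purge rather than merely shorten or lengthen a retention period, otherwise lifting a policy would silently delete evidence the organization is obliged to keep.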
In summary, however large the volume of records covered by the given policies, email archiving lets organizations track specific patient data easily and without the risk of data loss or damage. This is especially important for health providers with large numbers of patients.
Faced with problems such as mailbox overload, HIPAA compliance and lack of storage space, healthcare institutions have started looking for a comprehensive solution that would help them maintain efficiency and protect their entire operation. With server backup turning out to be insufficient and only partially effective, archiving has emerged as a comprehensive system that not only allows easy data storage and retrieval, but also alleviates the workload of your server.
Email archiving optimizes inboxes with email deduplication, spam recognition and indexing, leading to the optimization of storage space. This ultimately improves the performance of the hospital’s server, which is less burdened by the amount of data it has to process. An additional benefit is that the volume of the archive grows slowly, thanks to storage-related features such as deduplication and single-instance storage, as well as high compression rates. A good email archiving solution will also be scalable and expandable and be able to grow together with your organization.
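The two storage properties this article leans on, single-instance storage with deduplication (this section) and a WORM, tamper-proof format (the "How Email Archiving Helps" section above), can be demonstrated together with a content-addressed store: every message body and attachment is written once under its SHA-256 digest, later copies only add a reference, and an append-only hash chain over the ingest ledger makes any later edit of a ledger entry or a stored blob detectable. This is an added example written for this article, not any vendor's implementation; the class, the ledger layout and the sample messages are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Tuple


class SingleInstanceArchive:
    """Content-addressed archive with a tamper-evident ingest ledger.

    Constructed design for illustration: blobs are keyed by SHA-256 and never
    overwritten (write once), identical attachments across messages are stored
    once (single instance), and each ledger entry chains to the previous one.
    """

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}       # digest -> content, written once
        self.refcount: Dict[str, int] = {}      # how many messages reference a blob
        self.ledger: List[Tuple[str, str, str]] = []  # (msg_id, blob list, chain hash)
        self.bytes_received = 0                 # raw bytes handed to ingest()

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def _put_blob(self, data: bytes) -> str:
        d = self.digest(data)
        self.bytes_received += len(data)
        if d not in self.blobs:          # first copy is stored; duplicates are not
            self.blobs[d] = data
        self.refcount[d] = self.refcount.get(d, 0) + 1
        return d

    def ingest(self, msg_id: str, body: bytes, attachments=()) -> str:
        """Store a message and append it to the hash chain; returns the entry hash."""
        parts = [self._put_blob(body)] + [self._put_blob(a) for a in attachments]
        manifest = ",".join(parts)
        prev = self.ledger[-1][2] if self.ledger else "0" * 64
        chain = self.digest((prev + "|" + msg_id + "|" + manifest).encode())
        self.ledger.append((msg_id, manifest, chain))
        return chain

    def bytes_stored(self) -> int:
        return sum(len(b) for b in self.blobs.values())

    def verify(self) -> bool:
        """Recompute the chain and confirm every referenced blob still hashes to its key."""
        prev = "0" * 64
        for msg_id, manifest, chain in self.ledger:
            if self.digest((prev + "|" + msg_id + "|" + manifest).encode()) != chain:
                return False
            for d in manifest.split(","):
                if self.digest(self.blobs.get(d, b"")) != d:
                    return False
            prev = chain
        return True


# Constructed sample: one scanned report forwarded three times.
SCAN = b"%PDF-1.4 constructed sample scan bytes " * 1000   # about 39 KB
BODIES = [
    b"Please see the attached scan.",
    b"Forwarding the scan to radiology.",
    b"Re: Forwarding the scan to radiology.",
]


def build_sample() -> SingleInstanceArchive:
    arc = SingleInstanceArchive()
    for i, body in enumerate(BODIES, start=1):
        arc.ingest(f"m{i}", body, [SCAN])
    return arc


def tamper_check() -> Tuple[bool, bool, bool]:
    """(clean archive verifies, edited ledger entry detected, edited blob detected)."""
    clean = build_sample().verify()
    edited_ledger = build_sample()
    msg_id, manifest, chain = edited_ledger.ledger[0]
    edited_ledger.ledger[0] = ("m9", manifest, chain)      # rewrite an entry in place
    edited_blob = build_sample()
    edited_blob.blobs[SingleInstanceArchive.digest(SCAN)] = b"altered"  # change stored content
    return clean, not edited_ledger.verify(), not edited_blob.verify()


if __name__ == "__main__":
    arc = build_sample()
    print("received", arc.bytes_received, "stored", arc.bytes_stored())
    print("verify:", arc.verify(), "tamper detection:", tamper_check())
```

The saving is visible in the numbers: three copies of the scan arrive but only one is written, so the archive grows by the size of the bodies plus one scan. The chain only proves that the ledger was not modified after the fact; on a real appliance it would be anchored to media that cannot be rewritten, which is what the WORM requirement is about.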
As transparency is one of the key elements in handling sensitive information, email archiving helps organizations track all aspects of digital communication that involves patients’ sensitive data. With email archiving, organizations can have a clear record of all activities and track email communication that they are obliged to provide in cases of legal disputes.
Cost and Staff Optimization
Faced with potentially severe penalties for malpractice, health organizations had to hire HIPAA consultants to meet regulatory compliance both prior to and after the enactment of HIPAA. With the automation that email archiving offers, organizations can cut the costs of employing additional experts or external software solutions for regulatory compliance.
According to KPMG, human error accounts for 35% of all data security breaches in the healthcare sector. A sloppy employee might inadvertently leak confidential patient data. A non-compliance incident can incur considerable costs and result in scandals and a tarnished reputation for your medical institution. Although the bulk of messages exchanged among your employees are strictly business-related and harmless, there is a chance you might run into some personal content, some of which might be inappropriate or include sexual harassment and gossip about patients.
An email archiving solution will detect the potentially incriminating messages while their metadata will provide plenty of additional proof. This will allow you to address the issue and prevent further damage. Secure data storage is particularly important if you handle sensitive and confidential information because it mitigates the risk of leaks and gives clear insight into who has access to what.
Archiving Beyond Email: Social Media Risks and How to Respond
At the end of 2017, it is clear that social media and instant messaging have become an inseparable part of our daily routine. We use them to read news articles, look for nutrition advice, even have a quick chat with our physicians. Enterprise social media is growing too, and organizations, including hospitals, have embraced the trend enthusiastically. Some recent data shows that over a thousand hospitals post on Twitter regularly, 31% of healthcare professionals use social media for professional networking, while 49% of patients have follow-up discussions with their doctors via social media.
53% of physician practices in the US have a Facebook page and 3000 hospitals have a company page on LinkedIn.
The benefits are obvious. Social media and instant messaging are immediate and less formal. They are both superb ways to quickly communicate with a colleague, a business partner or your patient who’s recovering at home. But with benefits come risks.
Nearly all laws governing the preservation of email have recently been amended to include social media content, which can now be considered evidence in legal proceedings. However, it seems that the most problematic thing about social media and IM in business is that most companies, even those in regulated industries, don’t properly retain and archive their employees’ online content other than email. Many organizations are aware that they need to archive email, but only 2-7% archive social media, instant messages and mobile messages. While it’s evident that we cannot prevent the use of IM and social media in the workplace, we need to establish mechanisms to monitor and control it.
Statistics reports are also pretty bleak, as 23% of drug companies admit that they have not addressed their social media security and privacy. 1 in 8 organizations suffers security breaches because of social media-related cyber attacks. Social media also ranks as the number one channel of perceived compliance risk, but 19% of healthcare providers do not have a staff member solely responsible for cybersecurity. Well-known examples of non-compliance on social media include nurses posting sensitive patient information (including info on patient condition or celebrity patients) on Facebook.
What hospital staff don’t seem to understand is that it is the content of their post or message that determines its status as a business record rather than the device or network from which it was posted. Compliance officers will need to inspect all work-related messages, including those on personal devices. As a hospital executive, a compliance officer or an online security expert, you need to have complete insight into your hospital’s social media landscape in order to prevent the sharing of sensitive information or posts that can negatively affect your reputation. You need to be able to identify the employees who ignore best practices and who can expose your organization to security threats and cyber-attacks.
Email archiving solutions can now be expanded to include additional social media archiving options and capture and archive social media posts as well. Instead of having to search each social media account or platform individually, an archiving solution can track social media data automatically (data such as posts, tweets, comments, mentions, direct messages) and allow you to search from a single interface, the very same interface you use when searching through your email archive.
In the digital age, when email and social media permeate both our leisure time and office lives, the amount of email traffic and the information we exchange daily often seems untrackable. However, in highly-regulated industries such as healthcare, all this electronic information must be tracked, preserved and made retrievable for various purposes including compliance, litigation support or business intelligence.
However, complying with the recent HIPAA changes does not have to be time-consuming and expensive. An easily deployable email and social media archiving solution does not require extensive training, as it is a “set it and forget it” solution. An email archiving appliance will facilitate compliance, ensure a smooth eDiscovery procedure and the end-to-end security of patient data while keeping it at your fingertips. Finally, your archiving system will provide continuous support regarding potential security breaches, improve staff productivity and free up a lot of storage space.
For more information on email archiving benefits in the healthcare sector and how Jatheon can assist you in finding the right archiving solution for you, contact us or schedule a personal demo.