CISO Describes 10-Point Plan for Data Privacy Improvements

April 12, 2018
Following a 2012 breach, Florida-based Memorial Healthcare System CISO Rich Leon outlined 10 areas MHS has addressed to beef up its privacy protections.

In 2017, South Florida-based Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of the HIPAA privacy and security rules and agreed to implement a robust corrective action plan. During a recent webinar, CISO Rich Leon outlined 10 areas MHS has addressed to beef up its privacy protections.

In its description of the settlement, HHS noted that the protected health information of 115,143 individuals had been impermissibly accessed by MHS’ employees and impermissibly disclosed to affiliated physician office staff. The log-in credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, six-hospital MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA rules, according to HHS.

This example highlighted the need for organizations to implement audit controls and review audit logs regularly, HHS noted.

Leon said that MHS has worked to raise awareness about privacy requirements through extensive training and video campaigns and has implemented privacy monitoring systems and managed privacy services. He also said MHS changed its privacy motto to “Privacy is Everyone’s Responsibility” to remind people that the obligation extends to the other entities that access PHI at MHS.

During the webinar he spoke of 10 potential weaknesses and what MHS has done to address them.

1. No Automated Periodic Access Review Process. MHS has implemented a quarterly automated periodic access review process for employees, physicians, students and vendors, Leon said. It also has created a monthly, automated periodic access review process for non-employed physician office staff, ACOs and population health organizations. This process wasn't automated or well-documented before the breach, he noted. “We are dialing in deeper trying to get this as close to perfect as possible,” he said.

2. Limited or Inaccurate User Identity Data. MHS now has comprehensive identity data available to the privacy program. Extensive metadata has been added for non-employees.

3. No Dedicated Privacy Department. MHS has hired Pascale Prepetit as corporate director of privacy, and he has created a team to work on privacy issues.

4. Flood of Access Requests for Physicians and Their Staff. MHS now has a strict and binding Enterprise Systems Access Policy with defined sanctions for policy violations. Every new organization it works with must identify the leaders in their organization who will be responsible for monthly verifications. “Those entities are bound to a monthly access verification process and a yearly re-certification process,” he said.

5. Lack of Documentation of Vendor Access and Business Associate Agreement Tracking. All vendors are now comprehensively vetted, including a privacy checklist review before they obtain access. “We say, ‘no BAA, no access’” to PHI, Leon said.

6. Limited IT Resources for Provisioning and De-provisioning Users. MHS now has a dedicated System Access Team that manages all automated and manual provisioning processes. The team also manages the periodic access review process.

7. Lack of Adequate Sanctions of Policy Violations. MHS adopted a zero tolerance policy for privacy violations. The privacy program investigates all violations. Employment terminations have occurred. “That was a challenge,” Leon said. “We had to have discussions around impacting the rights of employees.”

8. No Dedicated IT Security Team. Leon said he has worn many hats in IT at MHS over the years, but now he is laser-focused on privacy and security as CISO. He also has a manager of IT security.

9. Lack of Tools to Support a World Class Privacy Program. MHS put out a request for proposal for a privacy monitoring solution partner, and chose FairWarning in 2017. A plan of action is in place for eight monitored sources and eight enforced policies.

10. Solely Reactive Privacy Monitoring Program. MHS has contracted with FairWarning Managed Privacy Services and seen a reduction of false positive investigations, he said.
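The settlement facts above (a former affiliate employee’s credentials used daily for a year without detection) and item 1 (an automated periodic access review) both reduce to the same reconciliation: compare the enabled accounts and the access log against an authoritative identity roster, and compare each affiliate user’s accesses against that affiliate’s patient roster. The Python below is an added example of that logic, not MHS’s code or any FairWarning feature; the identity roster, patient rosters, log format and field names are constructed assumptions for illustration.

```python
"""
Added example: two reconciliation checks that HHS said were missing.
(1) review_log: flag use of an account after its identity's termination
    date, accounts with no identity at all, and affiliate staff viewing
    patients outside their organization's roster.
(2) periodic_access_review: list enabled accounts that should be disabled
    (identity terminated) or recertified (never or not recently used).
All data below is constructed; the schema is an assumption, not MHS's.
"""
from datetime import datetime, timedelta

# Constructed identity roster: account -> organization, enabled flag,
# termination date (ISO string) or None. In practice this would be fed by
# HR for employees and by the affiliates' monthly verifications (item 4).
IDENTITIES = {
    "jdoe":   {"org": "MHS",          "enabled": True, "terminated": None},
    "asmith": {"org": "Bayside Phys", "enabled": True, "terminated": None},
    "rlee":   {"org": "Bayside Phys", "enabled": True, "terminated": "2011-03-31"},
    "mkhan":  {"org": "MHS",          "enabled": True, "terminated": None},
}

# Constructed patient rosters: affiliate org -> patients its staff may view.
# MHS's own staff are not roster-restricted here, so "MHS" has no entry.
ROSTERS = {"Bayside Phys": {"P100", "P101"}}

# Constructed EHR access log: timestamp, account, patient, action.
LOG_LINES = """\
2011-04-05T08:12:00 asmith P100 view
2011-04-05T08:15:00 rlee P205 view
2011-04-05T09:02:00 asmith P300 view
2011-04-06T07:40:00 ghost P100 view
2011-04-06T10:00:00 jdoe P205 view
2011-06-01T11:30:00 rlee P206 view
"""


def parse_log(text):
    """Parse the constructed space-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def review_log(events, identities, rosters):
    """Audit-log review. Returns (timestamp, user, patient, reason) tuples;
    one event can yield more than one finding."""
    findings = []
    for e in events:
        ident = identities.get(e["user"])
        if ident is None:
            findings.append((e["ts"], e["user"], e["patient"], "UNKNOWN_ACCOUNT"))
            continue
        term = ident["terminated"]
        if term and e["ts"].date() > datetime.fromisoformat(term).date():
            findings.append((e["ts"], e["user"], e["patient"], "ACCESS_AFTER_TERMINATION"))
        roster = rosters.get(ident["org"])
        if roster is not None and e["patient"] not in roster:
            findings.append((e["ts"], e["user"], e["patient"], "OUTSIDE_PATIENT_ROSTER"))
    return findings


def periodic_access_review(identities, events, as_of, dormant_days=90):
    """Periodic review. Returns account -> required action for every enabled
    account whose identity is terminated or that has been dormant."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    actions = {}
    for user, ident in identities.items():
        if not ident["enabled"]:
            continue
        term = ident["terminated"]
        if term and datetime.fromisoformat(term) <= as_of:
            actions[user] = "DISABLE_TERMINATED"
        elif user not in last_seen or as_of - last_seen[user] > timedelta(days=dormant_days):
            actions[user] = "RECERTIFY_DORMANT"
    return actions


def run_review(as_of="2011-07-01"):
    """Run both checks over the constructed data; returns (findings, actions)."""
    events = parse_log(LOG_LINES)
    return (review_log(events, IDENTITIES, ROSTERS),
            periodic_access_review(IDENTITIES, events, datetime.fromisoformat(as_of)))


if __name__ == "__main__":
    findings, actions = run_review()
    for f in findings:
        print(*f)
    for user, action in actions.items():
        print(user, action)
```

Run stand-alone, the script flags the terminated account rlee on every use after 2011-03-31 (the pattern HHS described), the unknown account ghost, three accesses to patients outside the Bayside roster, and lists rlee for disabling and the never-used mkhan for recertification. The two checks are deliberately separate: the log review is what catches continued use of stale credentials between review cycles, while the periodic review is what prevents the stale credentials from existing at all.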

Looking Ahead

MHS is working with accountable care organizations, population health programs, and providers in its Epic Community Connect program. It is obligating those entities to do their own privacy review of access outside of their patient roster/list. Leon said MHS has identified a need to continue to obtain and document identity data for rapidly moving organizations with high turnover. They must document their workflows and defined access rules to maintain the “Minimum Necessary Standard.”

Leon said he keeps his eyes on technology enhancements that might help with the privacy program. For instance, he is interested in building location awareness into privacy monitoring, as well as developing risk scoring for roles, salary ranges, shifts and locations.
