In this article, I will present a series of questions that health care organizations should ask their IT service providers to address before providing such service providers with identifiable patient health information in electronic format (electronic patient health information or ePHI).
1. Do you encrypt electronic patient health information in-motion, at rest, or both?
There should be two parts to this answer: in-motion and at-rest. Encryption of electronic patient health information “in-motion” means that data is protected against eavesdropping on untrusted networks – think of a physician reviewing a patient’s lab results on their smartphone while getting afternoon coffee down the street. If the service provider doesn’t encrypt transmissions of the data, then someone else using the coffee shop’s network may also be able to review the patient’s lab results. Service providers should also offer encryption of data at rest, although interoperability limitations can sometimes make this practice infeasible.
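As an added illustration of the "at rest" half of the answer (example code written for this article, not a vendor's product), the following Go program encrypts a constructed lab-result record with AES-256-GCM before storage and then runs the two checks a reviewer would want: that a dump of the stored blob no longer contains the plaintext identifiers, and that a modified blob or a wrong key is rejected rather than silently decrypted to garbage. The record text, the key handling and the blob layout (random nonce prepended to the ciphertext) are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record; not real patient data.
const sampleRecord = "patient=MRN-000123;test=HbA1c;result=6.9%"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals the plaintext with AES-GCM. The random nonce is stored in
// front of the ciphertext so the blob is self-describing; the key is kept elsewhere.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord splits the nonce from the blob and opens it; any modification
// of nonce, ciphertext or tag makes Open return an error.
func decryptRecord(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// containsPlaintext is the check a reviewer runs over a storage dump:
// identifiers from the record must not appear in the stored bytes.
func containsPlaintext(blob []byte, needle string) bool {
	return bytes.Contains(blob, []byte(needle))
}

// tamperDetected flips one bit of the stored blob and reports whether
// decryption refuses it (true means the integrity check works).
func tamperDetected(key, blob []byte) bool {
	t := make([]byte, len(blob))
	copy(t, blob)
	t[len(t)-1] ^= 0x01
	_, err := decryptRecord(key, t)
	return err != nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := encryptRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob leaks MRN: %v\n", containsPlaintext(blob, "MRN-000123"))
	pt, err := decryptRecord(key, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == sampleRecord)
	fmt.Printf("tampering rejected: %v\n", tamperDetected(key, blob))
}
```

The authenticated mode matters for the interoperability point in the text: a storage layer that only obscures bytes without an integrity tag will happily hand back corrupted or altered records, which is one reason at-rest encryption is worth verifying rather than taking on a checkbox answer.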
2. When did you last test your business continuity and disaster recovery plans?
Not only does your service provider need business continuity and disaster recovery plans, you need to know that they work as designed. Many organizations go through the process of planning for service interruptions, but then wait until a real emergency arises to "test" those plans. Needless to say, the plans often do not work, leaving customers waiting on erratic and unpredictable updates. Your business can't tolerate poor planning, and neither can your patients.
3. How do you dispose of electronic patient health information?
This is a point often overlooked since your service provider is focused on getting your business, not giving it up. A number of data breaches have occurred because the data was not properly discarded or disposed of. Your service provider should be able to identify how, when, and under what circumstances electronic patient health information is disposed of or destroyed.
4. How do you identify security breaches?
There’s an old joke in computer security that goes something like “Why use anti-virus? I’ve never been infected!” The punch line here is that the person’s computer is likely infected with hundreds of viruses and they just don’t know it. The same is true for any kind of electronic attack. Most attacks that may result in a data breach are silent and require effort to detect, so what is your service provider doing to identify them?
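To make "require effort to detect" concrete, here is an added example (written for this article, not any provider's tooling) of the kind of review a service provider should be running over its ePHI access audit logs. It parses a constructed log in an assumed key=value format and applies two rules: a login that succeeds after a run of failed attempts for the same account, and an account that views more distinct patient records than a threshold. Both thresholds, the log format and the sample lines are assumptions for the example; neither pattern produces an outage or a user complaint, which is exactly why it goes unnoticed without this kind of check.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample audit log in an assumed format; not from any real system.
const sampleLog = `2024-03-01T09:00:01Z user=dr.lee action=VIEW mrn=000101 src=10.0.4.7
2024-03-01T09:05:11Z user=dr.lee action=VIEW mrn=000102 src=10.0.4.7
2024-03-01T02:10:00Z user=svc-backup action=LOGIN_FAIL src=203.0.113.9
2024-03-01T02:10:03Z user=svc-backup action=LOGIN_FAIL src=203.0.113.9
2024-03-01T02:10:05Z user=svc-backup action=LOGIN_FAIL src=203.0.113.9
2024-03-01T02:10:09Z user=svc-backup action=LOGIN_OK src=203.0.113.9
2024-03-01T02:11:00Z user=svc-backup action=VIEW mrn=000201 src=203.0.113.9
2024-03-01T02:11:02Z user=svc-backup action=VIEW mrn=000202 src=203.0.113.9
2024-03-01T02:11:04Z user=svc-backup action=VIEW mrn=000203 src=203.0.113.9
2024-03-01T02:11:06Z user=svc-backup action=VIEW mrn=000204 src=203.0.113.9
2024-03-01T02:11:08Z user=svc-backup action=VIEW mrn=000205 src=203.0.113.9
2024-03-01T02:11:10Z user=svc-backup action=VIEW mrn=000206 src=203.0.113.9
`

type event struct {
	ts, user, action, mrn, src string
}

// parseLine reads "timestamp key=value key=value ..." and reports whether the
// line carried at least a user and an action; malformed lines are skipped.
func parseLine(line string) (event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return event{}, false
	}
	e := event{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			e.user = v
		case "action":
			e.action = v
		case "mrn":
			e.mrn = v
		case "src":
			e.src = v
		}
	}
	return e, e.user != "" && e.action != ""
}

type finding struct {
	Rule, User, Detail string
}

// analyze applies two rules to the log:
//  1. login-after-failures: at least failThreshold consecutive LOGIN_FAIL events
//     for an account immediately followed by LOGIN_OK (reported during the scan)
//  2. bulk-record-access: an account viewing more than maxDistinct distinct
//     patient records (reported after the scan, users in sorted order)
func analyze(log string, maxDistinct, failThreshold int) []finding {
	var findings []finding
	distinct := map[string]map[string]struct{}{}
	fails := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		switch e.action {
		case "VIEW":
			if distinct[e.user] == nil {
				distinct[e.user] = map[string]struct{}{}
			}
			distinct[e.user][e.mrn] = struct{}{}
		case "LOGIN_FAIL":
			fails[e.user]++
		case "LOGIN_OK":
			if fails[e.user] >= failThreshold {
				findings = append(findings, finding{"login-after-failures", e.user,
					fmt.Sprintf("%d failures then success from %s at %s", fails[e.user], e.src, e.ts)})
			}
			fails[e.user] = 0
		}
	}
	users := make([]string, 0, len(distinct))
	for u := range distinct {
		users = append(users, u)
	}
	sort.Strings(users)
	for _, u := range users {
		if n := len(distinct[u]); n > maxDistinct {
			findings = append(findings, finding{"bulk-record-access", u, fmt.Sprintf("%d distinct records", n)})
		}
	}
	return findings
}

func main() {
	for _, f := range analyze(sampleLog, 5, 3) {
		fmt.Printf("%-22s %-12s %s\n", f.Rule, f.User, f.Detail)
	}
}
```

Run against the sample, the physician's two views produce nothing, while the service account is flagged twice: once for the three failures followed by a success, and once for touching six distinct records. A real deployment would tune the thresholds per role and add a time window, but the shape of the answer to question 4 should look like this, not "we have never had a breach".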
5. When is your next risk assessment?
Everything changes, and technology changes faster. The risks today are not the same as the risks of a year ago, and service providers must keep pace with changing threats and countermeasures. It is important to confirm that the service provider has a policy in place requiring the performance of regular risk assessments, and can document that it adheres to the required schedule.
6. Are you willing to sign a business associate agreement?
The responses to these questions will give you an idea of whether the IT service provider is thinking about healthcare security, or only about selling its services. The provider should also be able to produce some kind of evidence of routine audits, such as SSAE 16 reports or PCI certification.