Lessons on Protecting Patient Data

Leaders at Boston University and Boston Medical Center have collaborated to produce a new guide to protect patient data. The full article, by Thomas J. Moore, MD; Quinn R. Shamblin, CISM, CISSP, PMP, GIAC GCFA; Sumit Sehgal, CISSP, CISA; Robert Sprinkle, MS; Stanley M. Hochberg, MD; and Ravin Davidoff, MBBCh, can be found at https://dcc2.bumc.bu.edu/ocr/ClinicalResearchNewsletter/article.aspx?article=484.

Data breaches have made big news in recent months, and Boston-area hospitals are not immune. It is well known that hackers stole personal financial data, including credit card numbers, for millions of customers at Target and Neiman Marcus. The threat to private medical information, however, often comes from low-tech carelessness, not hackers – lost smartphones, laptops or paper documents. In 2009, a Mass General Hospital employee misplaced paper records on the MBTA with information on 192 MGH patients, which subjected the institution to $1 million in federal fines.

Tracking patient data in databases and spreadsheets is an essential part of both clinical practice and biomedical research. Even when used for legitimate purposes, however, all protected health information (PHI) is subject to HIPAA Privacy and Security rules. Databases revealing PHI must be on an encrypted, password-protected device. PHI identifiers range from the person’s name and phone number to his fingerprints and facial photo.

Ways to Protect Sensitive Information:

1. Once all identifiers have been stripped from a dataset, it is no longer HIPAA-protected. Consider labelling patients with unique identifying numbers that are not part of PHI, linked to a master code stored on a separate, secured computer.

2. Nowadays, much work time is spent on portable devices: easy to use, easy to lose. Tablets, laptops, flash drives, and smartphones with access to PHI must be password-protected and encrypted, which greatly reduces the risk of a breach.

3. Email containing PHI must be sent securely. BU provides a secure email solution known as DataMotion SecureMail. BMC email automatically detects and encrypts BMC email containing PHI, but users should add the word “secure” to the subject line before sending PHI outside BMC.

4. When off-site, use only an approved secure remote access method when accessing sensitive information, especially when logged onto public Wi-Fi or travelling abroad.

5. Finally, training colleagues in proper security techniques is essential to protecting valuable and private patient data.
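The separation described in item 1 can be sketched as follows. This is an added example, not code from the original article or from BU/BMC; the column names, the `S-` study ID format and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import secrets

# Column names are assumptions for this example: direct identifiers to strip.
PHI_COLUMNS = ("name", "phone", "mrn")

# Constructed sample records (not real patients).
SAMPLE_CSV = """name,phone,mrn,visit_no,systolic_bp
Jane Roe,555-0100,A1001,1,142
John Doe,555-0101,A1002,1,128
Jane Roe,555-0100,A1001,2,135
"""

def pseudonymize(rows, phi_columns=PHI_COLUMNS):
    """Return (deidentified_rows, master_key) for a list of dict records."""
    master_key = {}   # identifier tuple -> study ID; keep on the separate machine
    issued = set()
    deidentified = []
    for row in rows:
        missing = [c for c in phi_columns if c not in row]
        if missing:
            raise ValueError(f"missing identifier columns: {missing}")
        ident = tuple(row[c].strip().lower() for c in phi_columns)
        if ident not in master_key:
            # Random ID: cannot be recomputed from the identifiers, unlike a hash.
            study_id = "S-" + secrets.token_hex(4)
            while study_id in issued:
                study_id = "S-" + secrets.token_hex(4)
            issued.add(study_id)
            master_key[ident] = study_id
        clean = {k: v for k, v in row.items() if k not in phi_columns}
        deidentified.append({"study_id": master_key[ident], **clean})
    return deidentified, master_key

def load_sample():
    """Parse the constructed sample into a list of dict records."""
    return list(csv.DictReader(io.StringIO(SAMPLE_CSV)))

if __name__ == "__main__":
    data, key = pseudonymize(load_sample())
    for record in data:
        print(record)          # working dataset: study_id plus clinical values
    print(len(key), "patients in master key (store separately)")
```

Columns left in the working dataset, such as dates or free-text notes, can still carry identifiers and need the same review before the file is treated as de-identified.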

When patients and research subjects allow us to collect and store private information about themselves, they have a right to expect that we will keep those data secure and use them only for clinical and research purposes. Following these simple steps will help all of us adhere to this responsibility.

For additional information on how to secure devices visit http://www.bu.edu/infosec/howtos/securing-your-devices/