In a familiar story line for many CIOs, an employee of the NY Fire Department accessed ePHI (electronic protected health information) from a department system, then transferred it to a personal portable drive which was subsequently lost. The department learned of the missing hard drive on March 4, and started notifying impacted individuals in August. From the outside, it is too easy to cast stones at the FDNY for what appears to be an obvious procedural issue that should not have happened. The reality is much more nuanced.
Almost everyone on a healthcare team is just trying to do the right thing and support what is best for patients. But when you combine the complexity of the patient care delivery process with complex organization structures, lots of third-party applications, and portability requirements for patient data, you create an environment that is always one click, one device, one decision, one configuration away from an incident. The key is to determine where the risk of an incident is greatest, then work to reduce that risk.
In this scenario, a series of issues added up to create the incident. While you could point to the unencrypted portable drive as the most egregious issue, the reality is that the drive was just one link in a chain of actions that increased the risk of an incident. After all, if the data had never been downloaded off the system in the first place, there would have been no data to lose. At each step in the process, the risk of an incident went up. The scenario at FDNY is very similar to what other organizations deal with on a daily basis. Yet tolerating this risk is, in most cases, necessary for healthcare providers to operate.
Accessing 10,000+ records increases the risk of an incident. It is one thing to grab a single record, but 10,000 records is 10,000 more chances for an incident. Worse, the potential scope of the incident increases dramatically. While you can't necessarily limit these types of queries, they do raise the risk of an incident. In the pre-ePHI days, 10,000 records would have been harder to lose. Ten thousand paper records would have weighed about 2,500 lbs. - tough to misplace!
Portable drives are notorious for getting misplaced or forgotten. Transferring data to an unencrypted drive guarantees an incident if the drive is lost. Using a personal drive instead of an employer-supplied drive also increases the risk of an incident.
The lost portable drive was discovered missing in March. The data set was from 2018. It appears the data had been on the drive for 90 days or more. The longer sensitive ePHI is left on a storage device, the greater the chance it will be forgotten and potentially lost; if that device is portable, the risk is that much greater. It is a bit like taking money out of the ATM and putting it in an envelope. It is not unsafe, it is just not as safe as the ATM. The longer it sits in the envelope, the greater the chance of it being forgotten or thrown away by accident.
Once a portable drive is detached, the risk of an incident goes up every minute until the drive is reconnected to another device. ePHI on a portable drive that is no longer connected to the network is completely unsecured. Is it sitting securely in someone's drawer, or is it being carried out of the building? It is impossible to know unless there is some kind of physical custody system to track portable drives.
So while the loss of an unencrypted drive was the ultimate issue that caused this incident, the risk of an incident actually increased in a meaningful way at each step of this ePHI journey.
The challenge for organizations is to gain visibility into their ePHI as it travels around the organization and to understand the risk of an ePHI incident in real time.
These are the types of topics we are thinking about at Tausight. Stay in touch as we emerge from stealth mode over the coming quarters.