Over the past decade of reporting on healthcare sector breaches, I can probably count on one hand the number of entities that have convinced me they really “get” that responding to a privacy breach is not primarily about data or statutory notifications. It’s about addressing any distrust or anxiety patients may feel about you protecting their confidentiality, because if they don’t trust you on that, they may withhold information or not seek treatment. Telling patients that you take their privacy seriously and that you’ve now added a firewall or will give them free credit monitoring will likely do nothing to restore trust that you will keep their confidential information confidential. So when I find a hospital or facility that is committed to developing an overall culture of really caring about privacy and restoring patient trust in the wake of a breach, I try to give them a shout out.
This past week, I had the pleasure of attending the 4th Annual PHI Protection Network Conference in Philadelphia. One of the highlights was a presentation by Henry Ford Health System‘s Chief Information Privacy & Security Officer, Meredith Phillips, who was given a well-deserved “Privacy Hero” award at the conference. Phillips’ passion and commitment to patient privacy are as infectious as her sense of humor in describing the steps she has taken and the challenges she has faced to create a culture of privacy in her large Detroit-based health system.
Phillips’ systematic efforts to transform the culture at HFHS – and it’s an ongoing effort – really kicked into gear in 2011 after a physician’s assistant’s laptop containing 4,000 patients’ unencrypted PHI was stolen from his unlocked office in 2010. Phillips dutifully made notifications up the chain and to HHS and affected patients, but she also began to try to engage the C-suite to get them to appreciate that this was a cultural issue for HFHS, and not just a procedural one. More breaches would likely occur, she cautioned them.
Sure enough, several months later, a pharmacy resident lost an unencrypted flash drive with PHI on 4,000 patients in a McDonald’s parking lot. Phillips notified the board – again – and HHS – again, but when she learned that two of the affected patients had also been involved in the 2010 breach, she informed HFHS’s COO that no way was she going to make those two notification calls – that “he would have the pleasure” of telling those patients that their protected health information had been lost – again.
As Phillips tells the story, by the time he got done with the second phone call, he was in a bit of a sweat, but began to understand what’s involved in trying to restore patients’ trust in the system.
Over the past 4+ years, Phillips has been able to implement a number of changes to improve breach response and foster greater privacy awareness among employees at all levels. One change involved establishing a relationship with an external partner who handles breach notifications for HFHS, thereby reducing notification time from 56 days to 18 days. Other changes have included establishing an always-ready-to-respond breach team with clear internal and external roles [the Code B(reach) Team], a centralized breach investigation program, and an executive policy council. The restructured privacy and security program is depicted below. For a smaller facility, the number of individuals involved in each component would be smaller, but it’s the roles, responsibilities, and coordination that are key.
The centralized breach investigation protocols, summarized below, serve multiple important functions, not the least of which is maintaining crucial records for an HHS audit or litigation purposes. Note that the last steps involve corrective action and re-education for the entire department involved, and not just the one employee who may have screwed up or violated policy.
Of course, having a breach response plan doesn’t necessarily prevent or reduce the number of breaches, and there were other breaches over the past few years. In 2011, there was a second breach involving an FDA-approved device that was stolen from a secured infectious disease research lab after a door was left propped open while the employee ran to the restroom. That device stored the testing results for 520 HIV/AIDS patients. Once again, Phillips coordinated and led the breach response, but insisted that the Research Administrator co-sign the notification letter to the affected patients. It’s a useful reminder to staff that they need to accept responsibility.
Because initial and ongoing education are key components of the program, Phillips has come up with some fun ways to engage staff in the process, even having a raffle for an iPad for employees who completed a privacy-oriented crossword puzzle. And every day, the workforce gets a message and system email that includes privacy and security messages to boost awareness. How great is that? There is also outreach to the patients and community using chat and social media.
Accepting that there will be breaches and that the team can learn from them is a given with Phillips. So when 15,000 radiology files scheduled to be destroyed were stolen from their storage vendor in 2013, HFHS addressed the issue of Business Associates by inventorying all their vendors and BAs, conducting a risk assessment to rank their risk, and then implementing management controls:
Of course, that’s exactly what we’re supposed to be doing – conducting risk analyses and assessments, ensuring that we have BAAs in place, and that we monitor or audit our BAs for compliance with the contract – but how often do entities actually do all that? How many recent HHS settlements have we seen that referenced the lack of a written risk assessment and plan?
But it’s HFHS’s iComply program to safeguard information that struck me as an ambitious and potentially useful model for other large entities. The iComply program has been implemented in phases since 2011:
Look at that first bullet above: in one month, HFHS swapped out 5,000 unencrypted flash drives. How many breaches and notifications were potentially avoided with just that one replacement program? Of course, that doesn’t address the tens of thousands of medical devices deployed throughout the system that may store PHI and cannot be encrypted. For those, other measures are necessary.
The iComply program is supplemented with increased workforce education and training.
Sometimes, of course, despite all the policies and training, employees do stupid things. In 2014, Phillips had to handle a breach due to a physician losing an unencrypted flash drive containing PHI of 2,336 patients. The physician had violated policy by using a non-IT-assigned flash drive. Once again, HFHS made the necessary notifications, and the employee and their entire department were re-educated. Phillips informs me that when an employee violates policy, they may receive re-education and counseling, but in some cases, their employment may be terminated.
According to Phillips, the iComply program is currently addressing Phase VII, and I asked her whether the number of breaches was now decreasing. She said that they’re not, and that the number of reported incidents of smaller breaches had actually increased. That suggests to both of us that the program has done a good job of increasing awareness of what is a breach that needs to be reported up the chain. Last year, she tells me, they had 186 reports of “small” breaches. In time, I expect that they will see a decrease in the actual number of small breaches. I will also guess that gaining control over employees’ BYOD & mobile devices to provide greater security and control will remain an ongoing challenge as employees lose devices, buy new ones, and either forget to notify IT or fail to bring the devices in to IT to have them registered and better secured. But if there’s anyone who can come up with a plan to address it, it’s Meredith Phillips.
So the next time you have to write a breach notification letter and start to insert the de rigueur “We take your privacy seriously” line, pause and ask yourself whether you really do walk the walk and not just talk the talk. Can your entity demonstrate the same level of commitment that HFHS has shown to creating a culture of privacy? Does your C-suite “get” it and support a comprehensive program from the top? Does your breach response really focus on restoring trust with patients and taking the time to address the emotional impact of the breach? If not, maybe you should invite Ms. Phillips to come do a presentation for your C-suite and employees. You’ll thank me later.
Fantastic report for a number of reasons:
1. Confidential information oozes from the pores of businesses like The Blob through the bowling alley
2. Implementing controls can be a game of Whack-a-Mole
3. Management buy-in is critical; without it, better update your resume, because you won’t win
4. People’s behaviors are the biggest problem
Kudos to Ms. Phillips and you for this information. If there were more high-profile sessions like this, it could go a long way toward integrating security into the culture.