Maintaining Data Security: Interview with Lee Barrett – Part 1

By Sarianne Gruber
Twitter: @subtleimpact

Can you highlight some of the unique aspects of working with Healthcare data? What kind of data security problems do you look into when assessing a vendor for accreditation?

There are several that we focus on as far as unique aspects of healthcare data, as part of the overall accreditation model that we use. We are looking at things like how is data being used from the stand point of clinical and administrative (function). We are looking at the various connection points of the exchange of that data between the various stakeholders. The things like the authentication between the various stakeholders and trading partners is critical. We are looking at how the data, and if it is encrypted especially for clinical data. Any type of PHR (Personal Health Record) or EMR (Electronic Medical Record) type data, we want to make sure all is encrypted. We’re looking at password length. As part of accreditation model, we are looking at making sure it is complex enough. And it is comprehensive enough as far as a password to assure that the level of strength is high to mitigate some of the risk of a potential breach. We are looking the frequency of how often it is changed. As part of our model, we require organizations to change passwords every 90 days. We are looking at audit trails as to how organizations are managing and tracking when information or data is accessed, whether it is printed, whether or not it is revised, and whether or not it is viewed. We are looking at what type of audit trails they have in place so that in the the event of a breach or incident they have an audit trail of when data was in fact last touched. It’s a lot easier to determine who may have compromised the data. We are also looking at role based access. We want to make sure organizations maintain a system that determines basically “right to know”. In some cases, individuals may have viewing rights but may not be able to modify data, or individuals who should have no access to a particular records don’t.

Our process is very comprehensive as far as the all unique aspects that we are looking at, as well as the kind of security problems, so that what we are focused on is really the intent to mitigate the risk of a breach or incident. We have four different areas that are core components throughout all of our accreditation programs: security, privacy, confidentiality including some aspects of cybersecurity, and technical performance and operational aspects of the network. We look at best practices and resources that the organization has to support the services and products that are offering. And make sure that they can support those adequately, including things like customer service and customer support aspects.  Those are the areas that we focus on for assessing vendors and the various networks that are a part of our 14 different accreditation programs that we have today.


To read the full article, visit RCM Answers.