Keeping Privacy Afloat During a Pandemic

Chalice Beam, Senior Manager, Health & Life Sciences, Coalfire

It’s our responsibility to protect the privacy of patients’ health information.

The world is navigating uncharted digital waters and facing evolving challenges to maintain patient privacy. Protected Health Information (PHI) is a ship sailing in a sea of digital risks and vulnerabilities. Humans wreak havoc at every turn – not always intentionally – and actions during times of uncertainty will have long-term effects.

Today, we are all facing a pandemic with limited healthcare resources and limited connection opportunities, while at the same time quickly evaluating new ways to diagnose. Through this transformation, PHI becomes too easily and inadvertently shared or leaked if we do not stay on course. This means that before we share PHI, we must ask: “can we?” We can easily remember this using the acronym “C.A.N.” in the following steps:

  • Confirm – confirm that the information we are sharing is relevant: am I only sharing what is relevant?
  • Allow – make sure that the information is allowed to be shared with the individual/organization: is what I’m sharing allowed to be shared, with or without authorization?
  • Necessary – verify that sharing is necessary: is it required that I share the information?

When we maintain this “minimum necessary” mentality, we strengthen the integrity of our vessel. We humans are our first line of defense, which means being vigilant, not clicking on emails and links, going to the source of truth (e.g., directly to the CDC/government websites), and only giving out information where appropriate (remember: Confirm, Allow, Necessary). When we leak PHI or give out information to those who do not have a need-to-know business reason, we’re taking on water.

This also applies to employers, who can implement some small privacy best practices, such as providing security and privacy reminders to employees on topics like:

  • Social engineering:
    • Phishing emails (Don’t click on links or attachments!)
    • Phone calls (Don’t give out information over the phone!)
  • Management:
    • Ask C.A.N. before sharing information about an individual who may be infected at your organization.

Not protecting PHI results in sinking our ship, and failing our patients, employees, and organizations that trust us with their information. This is a ripe time for the “bad guys” to steal identities, so our privacy practices must be stealthy and steady. As the professionals, we have a responsibility to keep the ship afloat and be more vigilant than ever.

Additional resources:

https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams

https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
