When Protecting Patient Data, Remain Vigilant and Create a Plan

Patient data are essential to providing coordinated care, but more data also create heightened risks.

With malware and ransomware attacks on the rise, being aware of dangers and proactively creating a plan to manage problems is essential to protecting patient data, according to a session at the Asembia 2022 Specialty Pharmacy Summit titled “Drugs, Data, and Defense: Protecting Patient Data While Providing Safer Care.”

Patient data are essential to providing coordinated care, but more data also create heightened risks, according to presenter Shawn Griffin, MD, FAAFP, president and CEO of URAC. Data security carries both legal and reputational risks, and new systems are needed as health care evolves; however, these new systems also carry new risks.

One of the most notable security risks comes from cyberattacks, which have increased significantly in recent years. Griffin emphasized that cyber attackers are smart, so educating employees on what to watch for is an important step in ensuring data safety.

“This is getting big, and this is getting serious,” Griffin said. “Medical providers have been facing this now for decades, and they’re not doing a great job with it, to be honest.”

Major things to consider with data security include physical risks, backup systems, technical precautions, malware or ransomware, and various types of systems and their respective security. With all of these concerns, Griffin said it is vital to proactively consider both how to protect the data and what to do if it becomes compromised.

Addressing physical risks can include both protecting the servers in the pharmacy and ensuring off-site data storage in case of a fire or other catastrophe. Minimizing the number of people who have access to the server room is important, and servers should be treated with the same caution and security as controlled substances, Griffin said.

More technical precautions can be encrypting the data—including on computers or devices that employees take home—and designating clear roles for anyone who has access to the data. Regular risk assessments should be conducted as well, although how regularly depends on the type of software and systems that the pharmacy employs.

Developing and regularly testing a business continuity plan is also an essential step to ensure that patients still receive necessary care if the data are compromised or the systems go offline.

Finally, Griffin discussed systems interoperability and the benefits it brings as well as the risks. Any time internal systems are connected with a partner’s systems, Griffin said the risks for a data breach increase. If a cyber attacker were to access the partner’s system, they could then find their way into other connected systems. Despite these risks, however, recent legal developments do require interoperability.

For example, Griffin said the 21st Century Cures Act includes a requirement for interoperability because the data are owned by the patient, so they cannot be kept exclusively by a single health care provider. The Pharmacists eCare Plan is not widely used, but Griffin said it also includes requirements for interoperability and could emerge in state regulations or through pharmacy organization encouragement.

Griffin noted that there are also significant fines for non-compliance on interoperability due to federal laws with these requirements. Although smaller organizations may feel they are under the radar, Griffin said that will not last.

When considering data security overall, Griffin said the ultimate goal is to have a more complete picture of the patient in order to provide better care. The tools necessary to be a high-performing provider bring new risks to any business, but ensuring security while simultaneously updating and modernizing systems is essential.

Finally, Griffin encouraged pharmacists and pharmacy managers to seek help when needed, because data security is a complicated and constantly changing field.

“Know what you know, and admit what you don’t know,” he concluded.

Reference

Griffin S. Drugs, Data, and Defense: Protecting Patient Data While Providing Safer Care. May 3, 2022. Presented at Asembia 2022 Specialty Pharmacy Summit.