Tips for protecting the confidentiality and integrity of patient data

On April 26, 2022, Tenet healthcare Corporation (NYSE: THC) announced that a cybersecurity incident occurred a week before. “The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.” In essence, and in accordance with HIPAA, the two hospitals that were impacted immediately invoked its disaster recovery and business continuity plans in order to, first and foremost, mitigate the impact on the delivery of patient care.

Tenet is a publicly traded company, so the timing of its disclosure to the market is also crucial in avoiding potential liability under a variety of SEC rules and regulations. On March 9th, the SEC issued proposed rules on a variety of items related to cybersecurity, including incident disclosure by public companies. As SEC Chair Gary Gensler stated, "cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors.”

What can organizations do to be proactive in protecting personally identifiable information (PII) and protected health information (PHI)? The National Institute of Standards and Technology (NIST) published SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), which provides sage advice for maintaining the confidentiality, integrity, and availability of data through prevention, detection, and correction. When I conduct audits, one item that never ceases to amaze me is the use of the following for passwords: PASSWORD, LAST 4 DIGITS OF SS#, OR a DATE OF BIRTH. These partial identifiers are also “considered PII because they are still nearly unique identifiers and are linked or linkable to a specific individual.” (p. 2-2).

NIST proscribes the following action items:

• Identifiability. Organizations should evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
• De-identify records and information so that the individual cannot be identified.
• Update policies and procedures and have tiered sanctions in place for failing to adhere to the basic tenet of not using PII or PHI as part of or a whole a password.

The scrutiny on cybersecurity measures will only become more intense. In healthcare, one must always consider the ultimate adverse patient outcome – death. As cybercriminals ratchet up their tactics on hospitals and other providers, prevention and detection are going to be critical to mitigating the risk of an attack, as well as responding to one.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.