DHIN Protects Its Data
At Delaware Health Information Network (DHIN), managing and protecting patient data is our business. With cyber threats and the organized targeting of healthcare data on the rise, the safety and security of patient data is paramount.
Protecting this data requires a multi-pronged approach, consisting of physical, organizational, system, procedural, and legal safeguards, as well as a “prominent” enforcement policy.
Federal and State Regulations
Key to DHIN’s data protection policies and procedures is the Health Insurance Portability & Accountability Act (HIPAA), which mandates that DHIN applies policy, procedure, and annual assessments to fulfill obligations as a Business Associate to Covered Entities.
Additionally, DHIN adheres to requirements put forth by the National Institutes of Standards and Technology, as well as other applicable federal and state laws and regulations.
These regulations govern DHIN’s legal and procedural protections of Protected Health Information (PHI).
HITRUST Common Security Framework (CSF)
DHIN has implemented a comprehensive information risk management and compliance program by using the HiTrust CSF which provides DHIN with an actionable roadmap. HiTrust CSF is one of the most widely adopted frameworks and the “Gold standard” for measuring and certifying security management programs and enhances information security, risk management and compliance programs.
The HITRUST CSF was developed by healthcare, technology, information security, privacy and compliance leaders, and combines requirements from both existing federal and third-party standards and regulations.
DHIN has performed a HITRUST Risk-based, 2-Year (r2) Validated Assessment and achieved certification. This assessment helps DHIN evaluate and understand the effectiveness of our cyber preparedness and resilience. In addition it:
- Demonstrates that DHIN is committed to managing risk, improving its security posture and meeting compliance requirements
- Provides ongoing assurance to DHIN and our customers
The two-year certification requires continued monitoring of privacy controls, no reportable data security breaches, and timely completion of interim reviews.
Receiving HITRUST CSF Certification gives practitioners, payers and consumers added assurance that DHIN meets the highest standards of security, privacy, and compliance.
Privacy and Security Program
In a recent interview, DHIN’s Director, Information Security, Denise Bowie explained “We find great value in using the HiTrust CSF to make sure our IT systems protect the sensitive information of the organization and our patients. A comprehensive program for safeguarding DHIN’s data – and responding to threats – is key to our ability to protect it.”
Risk assessments and continuous improvement
As the sanctioned provider of health information exchange for the State of Delaware, DHIN provides safeguards for PHI as the Business Associate for Delaware’s covered entities receiving information exchange services from DHIN.
This responsibility includes annual risk assessments, which alternate between external and internal reviews, with the goal of identifying risks and vulnerabilities.
DHIN responds to assessment findings with remediation and corrective action plans, as needed, and employs an employee education and awareness program for continuous improvement activities.
Risk management – system design, access constraints, system reviews and user audits
DHIN is required to implement and maintain appropriate safeguards to protect the health information we receive on behalf of Covered Entities and to prevent its unauthorized use or disclosure. Risk management includes:
- Organizational safeguards, designed to prevent conflict of interest and to detect control failures
DHIN is required to keep updated organizational charts and job descriptions, with auditing responsibilities assigned to those independent of the audited tasks
- User audits
DHIN routinely audits user access to our systems, both those with and without individually identifiable health information. Audit logs are stored for at least three years, per records retention schedules, and meet both State and HIPAA regulations for information contained therein.
Additionally, all DHIN users are notified that our systems are monitored, and disclosure reporting expectations are shared with DHIN’s Business Associates and Covered Entities, as well.
DHIN employs a formal sanctions process for personnel who fail to comply with information security policies and procedures. Each DHIN employee is required to read, acknowledge, and comply with DHIN’s privacy, security, and data access to PHI expectations. Violations are sanctioned accordingly, up to and including criminal charges.
Privacy and Security Components
Perhaps most critical to DHIN’s data protection efforts are the components that impact DHIN’s operations as a health information exchange.
Policy and Procedure Documentation
DHIN follows a comprehensive set of policies and procedures designed to safeguard patient data. These policies and procedures are reviewed annually, and approved versions made available to all employees and contractors.
Employee Privacy and Security Education Oversight
Employee education and oversight is key to a privacy and information security program. Each employee and contractor are responsible for reviewing and acknowledging DHIN’s policies and procedures related to acceptable use and protection of data.
Technology Software/Hardware Maintenance
The information technology business requires that DHIN’s technology partners and solutions meet the privacy and security requirements outlined above. Maintaining software and hardware technology includes embedded secure coding, with thorough testing protocols and defined change control.
External protections include encryption, anti-viral and anti-spyware monitoring. Multi-factor authentication is required for all external connections to DHIN’s network, and access to the internal network is restricted.
DHIN’s asset management inventory provides a comprehensive view of all software and hardware components, whether maintained by DHIN or its subcontractors.
Business Associates Oversight
Oversight of DHIN’s subcontractors is an expectation of privacy and security management. DHIN’s subcontractors are held to the same standards for protection of patient data as DHIN employees. Specialized agreements are put in place prior to DHIN granting access to data and are monitored and enforced by DHIN executive management.
DHIN Information Systems User Oversight
As outlined above, each User is required to sign a Data Use Agreement prior to accessing DHIN data. The agreement and DHIN policies specify user account management protocols, registration and de-registration and password management. Again, these agreements are monitored and enforced by DHIN executive management.
Business Continuity / Disaster Recovery
Data delivery timeliness and the ability to recover from disaster are critical to DHIN’s ability to serve as Delaware’s health information exchange. As such, DHIN developed and routinely tests our business continuity and disaster recovery plans, knowing that our services are imperative to the delivery of healthcare in the state.
Data Classification and Document Management
Classifying data is the first step to determining application of security levels and access controls. Once data is classified, document handling procedures, records retention and safeguard controls follow. DHIN’s data classification and management policies follow federal guidelines and requirements.
Today’s physical environment is more than just an office – remote offices, shared equipment and even supplies like printers are factored into security controls. 24/7 badge access, security system and monitored reception area present at DHIN’s main office, with additional safeguards in place for remote access.
Because safety never takes a holiday, as the saying goes, DHIN is ever vigilant with monitoring cybersecurity threats and assessing our ability to both prevent and react to a threat. In addition to monitoring cyber threats, our dedicated privacy and security officer also keeps an eye on access to and protocols pertaining to DHIN’s physical property.