Paging Medical Information: Examining Access Issues

Page 2 of 3


Legal Interest
These medical information management issues are not just being handled on the policy level—often they are contentious and must be resolved in court. A number of cases centered around document management, retention, and disposition could be headed for the U.S. Supreme Court in the next year, as companies run into challenges resulting from a disorganized or inadequate document management strategy.

The Supreme Court has, in past rulings, provided guidance for companies' document management policies. Companies should be aware that they must have document retention policies in existence, outlining how long they retain data and when it is destroyed. "Without the right technology and strategies in place, any company or organization can be at serious risk," says Joe Fantuzzi, CEO of Workshare Technology, Inc., a document management company.

U.S. judges are increasingly ruling against companies with harsher penalties for failing to properly handle email and other pertinent corporate data. The National Security Agency (NSA), the government's electronic spy center, last year released guidelines to help federal government agencies properly redact, or sanitize, metadata in documents that are released to the public. Metadata is "data about data" contained in digital content, such as Microsoft Word and Adobe files, that indicates things like the author, the date of the latest revision, and the edits that have been made to a particular file. Several recent news reports have exposed metadata controversies at the White House and Pentagon.

Recent regulations—especially on healthcare records—and lower court rulings have made fines mandatory for violations of data retention regulations, experts say. Companies must have documented policies that they must follow to the letter. They must also be able to act swiftly in the event of legal investigation or audit to provide access to their archived data.

The same is true for routine processes, like billing. "In order to get paid properly for their services, physicians must carefully document every step of the treatment process," says James Weintraub, a medical doctor and chief medical officer of Digital Physicians Network. 

Trouble Spots 
Yet when making all this information available digitally, doctors' offices, hospitals, or companies that work with health data—drug developers, for instance—must work hard to avoid problems arising from medical information retention.

And it's not easy.

Hacking databases or obtaining information from a stolen computer gets a lot of press, but there are many other opportunities for sensitive data to cause problems. Increasingly, healthcare companies will have to monitor workflow, set new policies, and install IT solutions to intercept illicit content.

The problem is, many companies skip the first step, which involves evaluating work practices and noting how and where secure knowledge is transferred, before investing in IT, says David Drab, director of information content security services at Xerox Global Services. "By conducting a company-wide risk assessment, organizations can identify the information that represents the greatest threat to the company, if exposed," says Drab, who is also a former FBI agent. 

As soon as the document-management policy is set, company networks need IT to maintain the integrity of documents that flow over the network. Workshare offers one such solution. The company's software, Trace! version 2, is a free metaware utility for Microsoft Office users that automatically alerts them to the risk level of the documents they are about to open. The software scans for sensitive or inappropriate content, both visible and hidden, within electronic documents. 

"Each year, trillions of documents are exchanged electronically," says Ken Rutsky, Workshare's EVP for worldwide marketing. "There are serious compliance risks and liabilities over the exposure of personal private data and other sensitive information." 

The risks are increased, due not just to potential lawsuits from employees who feel violated by obscene links in a document, but also to certain laws. The federal Sarbanes-Oxley and Gramm-Leach-Bliley Acts, as well as the California Breach Law, require that certain information be kept secure for reasons of financial disclosure, intellectual property management, privacy and identity, and related matters. 

For example, if a document contains the word confidential in a header or footer, it probably contains corporate secrets and should be handled with care. If the word is in the text body, it probably is more benign. Content-filtering software can determine whether the file contains benign or sensitive information before someone opens it.
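The header/footer heuristic described above, as an added Python example (not Workshare's or any other vendor's code): it opens a .docx package, reports where the word "confidential" appears, and reads the author metadata discussed earlier in the article. The names `scan_docx` and `make_sample`, the risk labels, and the sample document are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
MARKER = re.compile(r"\bconfidential\b", re.IGNORECASE)
HDR_FTR = re.compile(r"word/(header|footer)\d*\.xml")

def part_text(xml_bytes):
    """Text of one WordprocessingML part: runs joined per paragraph."""
    root = ET.fromstring(xml_bytes)
    return " ".join("".join(t.text or "" for t in p.iter("{%s}t" % W_NS))
                    for p in root.iter("{%s}p" % W_NS))

def scan_docx(data):
    """Return (risk, marker_locations, metadata) for the bytes of a .docx file."""
    locations, metadata = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if HDR_FTR.fullmatch(name) and MARKER.search(part_text(z.read(name))):
                locations.append(name)
            elif name == "word/document.xml" and MARKER.search(part_text(z.read(name))):
                locations.append("body")
            elif name == "docProps/core.xml":  # author metadata travels with the file
                root = ET.fromstring(z.read(name))
                for key, tag in (("author", "{%s}creator" % DC_NS),
                                 ("last_modified_by", "{%s}lastModifiedBy" % CP_NS)):
                    if root.findtext(tag):
                        metadata[key] = root.findtext(tag)
    # Labels are this example's assumption: a header/footer marker outranks a body mention.
    risk = "high" if any(loc != "body" for loc in locations) else ("low" if locations else "none")
    return risk, sorted(locations), metadata

def make_sample(header, body, author="J. Doe"):
    """Constructed sample: holds only the package parts the scanner reads."""
    para = "<w:p><w:r><w:t>%s</w:t></w:r></w:p>"
    parts = {
        "word/document.xml": '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, para % body),
        "word/header1.xml": '<w:hdr xmlns:w="%s">%s</w:hdr>' % (W_NS, para % header),
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>%s</dc:creator>'
                             "</cp:coreProperties>" % (CP_NS, DC_NS, author),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```
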

A recent survey of 332 large American enterprises conducted by Proofpoint, a software security firm, found stopping such leaks was the top concern for those who manage outbound email. More than 35% of companies surveyed had investigated a suspected email leak of confidential or proprietary information over the past year. For example, a proprietary customer list may exist in an Excel spreadsheet, but if the document is converted to a PDF, it might be easier to smuggle it out of the company. 

So, software developers are developing "audit trails" for individual documents, such as Excel spreadsheets and Microsoft Word files, so each modification to a file can be monitored along the way. The software includes encryption and authentication measures so the sending and receiving parties can be tracked from start to finish of the transfer process, according to Tumbleweed, a maker of enterprise-class secure managed file-transfer software.    
