June 13, 2022
CloudWave and Tausight: Protecting PHI
Leaders from CloudWave and Tausight healthcare teams sat down to discuss the strategic partnership between the two organizations and how Tausight’s new PHI Awareness Platform offers healthcare providers a way to identify and safeguard PHI data in the EHR and the entire healthcare enterprise.
Frank Nydam, Chief Executive Officer, Tausight
Tim Quigley, Chief Client Officer, CloudWave
What changes are happening in healthcare this year that make protecting PHI data even more critical?
FN: Hospitals and healthcare organizations are already feeling the enormous impact that distributed care, remote working, and telehealth have had on security, and it has only added to the burden of their over-worked IT Security teams.
This year, there are two deadlines in the 21st Century Cures Act that will exacerbate the challenge of protecting data. On October 6, the definition of electronic health information will expand beyond the USCDI (United States Core Data for Interoperability) Standard and will apply to all protected health information (except psychotherapy notes and certain records to be used in a civil or criminal action) that is transmitted or maintained electronically. On December 31, standardized FHIR (Fast Healthcare Interoperability Resources) APIs (Application Programming Interfaces) will facilitate interoperability that will create an ecosystem to ensure that health care providers, insurers, public health agencies, ACOs, and other entities can access and use patient data in new ways to manage their patients’ health and care.
TQ: Frank’s points about the coming regulatory changes are exactly right.
With these recent mandates to make ePHI available for access, exchange, and use between providers, the detection and analysis of data will be critical to healthcare organizations. As these national deadlines approach, PHI will need to be managed differently, and those changes don’t seem to be getting the attention they usually receive.
Separately, the industry is still trying to adapt to the major expansion of cyberattacks aimed at U.S. hospitals. According to the U.S. Department of Health and Human Services, in the last decade, ransomware incidents increased by 254%. At CloudWave, we’ve helped hospitals recover from these attacks and the frequency with which we are called has been astounding.
Cybersecurity is first on hospitals’ minds in 2022. What makes Tausight’s platform unique in a marketplace of perpetual security offerings?
FN: Healthcare providers have no shortage of security solutions to choose from today. And when it comes to data protection, we see IT Security teams layering on multiple solutions, often addressing overlapping areas, in their best attempts to adequately secure information.
What makes Tausight unique is that we understand that healthcare is unique. We are a team of healthcare people with a detailed understanding of clinical workflows. Ours is the only data protection solution built specifically to meet the needs of clinicians and staff around creating, copying, sharing, storing, and moving Protected Health Information (PHI) in order to perform their jobs successfully.
Tausight was designed for the information-sharing age in healthcare. PHI is being increasingly shared between providers, patients, third parties, vendors, and applications. We detect data inside and at the edges of the care continuum. Other solutions were built to protect data by keeping it inside the organization.
Unlike legacy solutions that require thousands of hours and code to manually train, Tausight uses pre-trained machine learning and natural language processing to provide real-time visibility into how structured and unstructured PHI is being used between providers, patients, third parties and applications. As the system sees more data, it becomes continually smarter, and automatically updates the model. We are the only company that provides this level of Situational PHI Awareness™.
TQ: As I mentioned, we have helped scores of customers with cyberattacks. With alarming regularity during these events, customers have discovered previously unknown caches of PHI on laptops and servers. Most of this data storage has been done by health professionals with the best intentions – improving communications at shift hand-offs, taking data home to complete more work, downloading data to research issues – but it creates a liability for the hospital.
We continually evaluate security options and think that Tausight’s platform truly is innovative, using leading-edge technology to identify and protect ePHI, especially in non-standard locations. As an IT Leader, you can no longer afford to discover these items during a cyber event; Tausight is unique in helping you solve this problem.
Why aren’t the basic cybersecurity measures hospitals are already implementing enough?
TQ: At CloudWave, we often say that as soon as you build a 10-foot wall, the bad guys find an 11-foot ladder. They are constantly looking for the weak spots in your environment and these pockets of ePHI are residing in those weak spots – old file servers, individual PCs, etc.
Network and endpoint security-focused tools play a key role in a healthcare organization’s security strategy for sure. But with the shifts to decentralized networks, remote care and increased virtualized desktops, clinical workforces would benefit immensely from fast, secure access to electronic data, healthcare data outside the firewall. There’s a need for real-time visibility and insight into the PHI stored and used at each endpoint and at the point-of-care.
FN: Even before all the recent factors I just mentioned came into play, data protection was not working in healthcare. According to the April 12, 2022, HIPAA Journal, 714 organizations were breached last year. That’s up from 642 in 2020, 512 in 2019 and 368 in 2018. Traditional perimeter security tools focused primarily on identifying network devices, traffic, and defending against perimeter attacks are not doing enough. We need to take an inside-out approach, starting with the PHI and following it to where it is being used.
What would you say to today’s savvy CIO who is confident he or she has enough protections in place against ransomware attacks?
FN: I have yet to meet a CIO who knows where all his/her patients’ PHI is. And, as NIST (National Institute of Standards and Technology) makes clear, the first step to protecting PHI, or any asset, is identifying it. I don’t think anyone out there feels that they are fully protected. Unfortunately, it is not a matter of if you are attacked, it is a matter of when.
TQ: Frank is correct – any savvy CIO knows this is an issue. I think the natural inclination is to say that “I already have too much on my plate and it’s better not to know”. Trust us, finding out about these caches of PHI during an attack is really bad.
Why did Tausight choose CloudWave to partner with?
FN: The healthcare industry is built on trust, collaboration, and partnership. When it was time to bring our solution to the market, we knew from past experience with the CloudWave team that their integrity, innovation and commitment to customer success would make them a great fit for Tausight. CloudWave is well known for industry-leading HITECH- and HIPAA-compliant managed services for hosting, disaster recovery, archiving and remote systems management. Situational PHI awareness is a natural complement to that suite and CloudWave has the expertise to see that our joint customers are successful.
What can hospitals do to ensure their PHI data is better protected in the event of a cyber-attack?
FN: We advise our customers to follow the 405(d) Health Industry Cybersecurity Practices (HICP) Guide, which aligns with the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF), and identifies ten practices that are tailored to small, medium, and large organizations. Not only will following these practices help to protect healthcare organizations, but it can also help them to qualify for lower cybersecurity insurance rates and reduced OCR penalties in the event of a breach. Tausight can also help by providing an immutable audit trail for evidence of adherence to HICP.
TQ: As these deadlines approach, CloudWave also recommends our customers look to these guides as they begin to identify vulnerabilities and ways to protect patient information. Our team is responsible for operating and securing hospitals and recognizes the important role the Tausight platform plays in providing ongoing protection of PHI data within clinical workflows. We’re excited about the partnership and look forward to working with Tausight to offer a new level of data protection to healthcare.