Interfaced Diagnostic Equipment
A hospital was hacked via a backdoor security flaw in its diagnostic laboratory equipment. The massive amount of PHI in these systems was a goldmine for the attackers, and the hospital had to pay millions in fines for the resulting data breach. Total financial impact was in the hundreds of millions of dollars in fines, remediation, patient churn and brand damage.
Doctrly determined that the only required fields were Patient Name and Patient ID. All remaining 37 patient demographics fields (including Mother's Maiden Name, Marital Status and Driver's License Number) were not required for the LIS to interact properly with the Cerner EHR. Doctrly now redacts all sensitive demographics fields across their entire ACO network in real time.
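The field-level redaction described above, as an added illustration that is not Doctrly's code: an allowlist filter over an HL7 v2 PID segment that passes only the patient identifier and name to the EHR and blanks every other demographic field. That the LIS-to-EHR interface speaks HL7 v2, the field positions used, and the sample message are all assumptions.

```python
# Added example (not Doctrly's code): allowlist redaction of an HL7 v2 PID
# segment so that only Patient ID (PID-3) and Patient Name (PID-5) reach the
# downstream EHR. HL7 v2 and its field positions are an assumption about how
# the LIS interface works; the sample message below is constructed.
from typing import Iterable

# PID fields to keep. PID-1 (set ID) is structural, not PHI, so it is kept
# alongside the two fields the text says are required (constructed policy).
PID_ALLOWLIST = {1, 3, 5}  # PID-3 patient identifier, PID-5 patient name

# Constructed ADT message; every value is fictitious. PID-6 mother's maiden
# name, PID-16 marital status, PID-19 SSN and PID-20 driver's license are
# examples of the fields that get blanked.
SAMPLE_MESSAGE = "\r".join([
    "MSH|^~\\&|LIS|LAB|CERNER|HOSP|202401011200||ADT^A08|MSG0001|P|2.5.1",
    "PID|1||MRN12345^^^HOSP^MR||DOE^JANE^A|SMITH|19800101|F|||"
    "123 MAIN ST^^ANYTOWN^CA^90000||555-0100|||M|||000-00-0000|DL-X9999999",
    "PV1|1|I|WARD^101^A",
])

def redact_pid_segment(segment: str, allow: Iterable[int] = PID_ALLOWLIST) -> str:
    """Blank every PID field except the allow-listed ones.

    After splitting on '|', index 0 is the segment name and index n is PID-n.
    The field count is preserved so downstream parsers see the same shape.
    """
    fields = segment.split("|")
    if fields[0] != "PID":
        raise ValueError("not a PID segment")
    keep = set(allow)
    for i in range(1, len(fields)):
        if i not in keep:
            fields[i] = ""
    return "|".join(fields)

def redact_message(message: str) -> str:
    """Apply PID redaction to every PID segment of a CR-delimited HL7 message."""
    out = []
    for seg in message.split("\r"):
        out.append(redact_pid_segment(seg) if seg.startswith("PID|") else seg)
    return "\r".join(out)

def pid_field(message: str, n: int) -> str:
    """Return PID-n from the first PID segment, or '' if absent (for checks)."""
    for seg in message.split("\r"):
        if seg.startswith("PID|"):
            fields = seg.split("|")
            return fields[n] if n < len(fields) else ""
    return ""
```

In a real deployment the allowlist would be per-interface and per-consumer, since the LIS, a financial consultant and a readmission application each need a different minimal set of fields.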
Laptops and Thumb Drives
A large hospital system hired a nationally recognized consulting firm to do financial analysis on 2 clinical profit centers. Under the hospital's security policies, the consultants were not allowed to take laptops home. To get around those policies, a consultant copied patient data to a thumb drive to work on at home over the weekend. The thumb drive was lost and 15,000 patient records were breached.
Using Doctrly, the hospital system implemented automated data redaction so that future consultants have no access to any PII except a Patient Identifier. Financial consultants do not require access to any other piece of identifying information.
3rd Party Software
A California-based hospital group wanted to use a Continuity of Care application to help reduce patient readmissions after hospital discharge. The hospital's IT department determined that the new software wasn't worth the data-security risk, so the deal never moved forward.
The IT department, which uses the Epic EHR, told the software company that it would get access to the hospital via Epic's App Orchard. Using Doctrly (an Epic partner), the hospital's IT department was able to filter which specific PHI fields the application received. In this case, the application was to receive only a Patient ID number, First Name and Primary Diagnosis code during the patient's inpatient visit, and nothing else. The IT department was satisfied that nothing of significant value was being transmitted to the application, and the Continuity of Care application went live. Subsequent readmissions were reduced by 23%.