CastleHill Managed Risk Solutions Blog

The Costs of Storing Protected Health Information (PHI) in Spreadsheets

Posted by Michael Duggan on Aug 8, 2017 2:29:00 PM


There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985 and, while a long-proven data workhorse, carries with it a multitude of security risks. According to the Identity Theft Resource Center, data breaches overall increased 40% in 2016, and the healthcare sector accounted for about 35% of those breaches, which were largely driven by hacking or similar practices (over 50% and climbing sharply).

PHI is not just personal patient information; it covers any information which could reasonably be connected to an individual. The Department of Health and Human Services (HHS) provides detailed information on protected data and guidelines for safeguarding electronic PHI (ePHI). Protected information includes detailed patient history, even without specific patient identifiers, as well as medical device numbers, medical record or health plan numbers, dates of treatment, etc. Organizations must show strong controls around data storage, transmission, and audits. The penalties for failing to exercise adequate measures can be severe. A case in point is the recent $5.5M OCR HIPAA settlement agreed to by Memorial Healthcare Systems, which largely stemmed from a lack of audit controls, as covered in this Health IT Security piece.

According to a 2014 Health IT Analytics article, one study found that 39% of health organizations were using basic Excel spreadsheets to track and report on their clinical and financial analytics, including protected health information (PHI). So, how do you mitigate spreadsheet risks when it comes to protecting PHI? Simply put, to protect PHI, you need to know where it is and control its management. Allowing different individuals or functions to maintain their own records, or letting your central data reside in spreadsheet form, invites replication, inaccurate data manipulation, and exposure. It’s only human.

Consider these additional risk factors inherent in a spreadsheet approach for PHI:

Not centralized: Think of the number of employees you have who work with PHI. Security workarounds are common because they promote convenience and flexibility, allowing quick capture and transmission of patient data to speed workflow. Every time a worksheet is downloaded, altered, or transmitted, it exposes your PHI to potential compromise.

“Snapshot” vs. “real-time”: Spreadsheets are relatively static vehicles. Often, updates lag the actual point of service, waiting for the owner to open a stored document and update it. They carry no assurance of accuracy or currency.

Inaccurate data: With multiple input sources and capture vehicles, your data is simply not reliable. Consider human error in such activities as copying/pasting, cell entry, range specification, etc. In fact, the potential to overwrite one patient’s record with another patient’s PHI is a real threat in a decentralized data management system.

Not collaborative: Excel simply does not retain transaction history or support multiple concurrent users in the same file – a recipe for inaccuracy and costly management errors.

Poor basis for rapid decision-making: Without central control of data and analysis, leaders lack the quick and accurate access to information they need to make critical business decisions.

Not auditable: Internal auditing is nearly impossible with a spreadsheet approach, which brings with it data variances, no transaction history, and loose user controls. When organizations are found liable for compromised data, a key finding is a lack of due diligence in protecting PHI.

Given all this, how do you build trust in your PHI data integrity and security, both for you and your patients? Isolated pieces of the data puzzle aren’t enough. First, determine where your PHI is residing. Next, implement a system that is based on a centralized database with PHI that is complete, accurate, and consistent. Ensure you have critical visibility on how that information was derived: who created it, why it was created, and when it was created. Simply put, it’s time to take control of and protect your PHI. Go here to learn more about our healthcare GRC solutions.
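The first step above, finding where PHI is residing, as an added example that is not part of the original post or of CastleHill's product: a small Python scan over CSV exports of spreadsheets for the identifier classes the post names (medical record numbers, health plan numbers, device numbers, treatment dates), reporting which sheet and which column holds them. The identifier formats (MRN-, HP, DEV- prefixes) and the sample rows are constructed assumptions and must be adapted to an organization's real numbering schemes.

```python
import csv
import io
import re
from collections import defaultdict

# Identifier formats are assumptions for this example: real MRN and
# health-plan number layouts differ by organization and must be adapted.
PHI_PATTERNS = {
    "medical_record_number": re.compile(r"\bMRN-?\d{6,8}\b"),
    "health_plan_number": re.compile(r"\bHP[A-Z]\d{9}\b"),
    "device_serial": re.compile(r"\bDEV-[A-Z0-9]{8}\b"),
    # MM/DD/YYYY only; other date layouts are a known false-negative gap.
    "treatment_date": re.compile(
        r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

def scan_sheet(csv_text):
    """Scan one CSV export cell by cell; return {phi_class: {column: hit_count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, cell in row.items():
            for phi_class, pattern in PHI_PATTERNS.items():
                if cell and pattern.search(cell):
                    findings[phi_class][column] += 1
    return {k: dict(v) for k, v in findings.items()}

def inventory(sheets):
    """Map each sheet name to its findings; a sheet with no hits maps to {}."""
    return {name: scan_sheet(text) for name, text in sheets.items()}

# Constructed sample exports (not real patient data).
SAMPLE_SHEETS = {
    "clinic_tracker.csv": (
        "Patient,MRN,Plan,Last Visit,Notes\n"
        "J. Doe,MRN-0012345,HPA123456789,03/14/2017,follow-up\n"
        "A. Roe,MRN-0098765,HPB987654321,05/02/2017,device DEV-7K2M9Q1Z\n"
    ),
    "supply_orders.csv": (
        "Item,Qty,Ordered\n"
        "Gloves,200,2017-06-01\n"
        "Gauze,50,2017-06-03\n"
    ),
}

if __name__ == "__main__":
    for name, found in inventory(SAMPLE_SHEETS).items():
        print(f"{name}: {'CONTAINS PHI' if found else 'clean'}")
        for phi_class, columns in found.items():
            print(f"  {phi_class}: {columns}")
```

A sheet that shows any hit is a candidate for migration into the controlled central store; a column-level report like this also tells you which fields to redact before the spreadsheet is shared.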

Topics: healthcare