How can you secure your organization without knowing how patient data travels?

By: Tod Ferran, CISSP, QSA
Every privacy/security/compliance official should understand the specific details of how patient data flows in their organization. That means knowing the point of entry, where the data flows within the organization, where it is stored, what format it's stored in, the exit points for the data, and where it travels.
That’s a lot of information to keep straight, especially for large providers and hospitals with dozens of departments. How does an official keep track of that? Data flow diagrams.
Example of a patient data flow diagram
Data flow diagrams are graphical representations of how PHI flows throughout your systems. They are a crucial part of every healthcare organization’s HIPAA security efforts, especially when creating a complete and thorough risk analysis.

Unfortunately, lack of data flow diagrams is the #1 problem I see when auditing healthcare entities. Organizations simply don’t have them. How are you supposed to implement appropriate safeguards if you don’t know which areas to safeguard? Maintaining a current PHI flow diagram is absolutely foundational to your security program and HIPAA compliance.

Besides being a great overview of your systems, here are a few specific reasons you should be creating data flow diagrams:

  • IT doesn’t always set up networks with security in mind. Tracking where PHI travels, enters, and exits will help you track any strange processes and adjust for efficiency.
  • By recording every instance of PHI, you can determine which systems, computers, and users require extra (or less) security technology.
  • Data flow diagrams help IT when it comes time for upgrades, as the diagram shows every computer/role, database, and network that should be included in an upgrade.
  • If your organization undergoes a breach, you will be able to track the possible weaknesses that could have led to the compromise.
  • Your HIPAA audit will go significantly faster if a PHI data flow diagram is already created. I speak from experience here. Your auditor will absolutely love you for it.

What does HIPAA say about data flow diagrams?

Data flow diagrams can greatly enhance network security and can make your HIPAA compliance process easier.

While HIPAA doesn’t specifically state providers must provide a data flow diagram to be HIPAA compliant, the OCR Audit Protocol does state that auditors must “determine if the covered entity has identified all systems that contain, process, or transmit ePHI.” What better way to do that than to request that a healthcare provider deliver a PHI flow diagram?
The healthcare security audits I conduct would go much faster if the entity simply had detailed PHI flow diagrams of their system.
The following is a step-by-step process to help you correctly create flows in your healthcare security environment.

Step 1: Scope definition

The first step is learning where your data resides. This is also the first part of a HIPAA Risk Analysis. Scope is an inventory of all the places your organization accesses, creates, stores, transmits, or maintains PHI. The following may or may not be in scope (containing PHI), depending on your environment:
  • EHR
  • Database
  • Server
  • Security appliances
  • Patient admissions
  • Email system
  • Data warehouse
  • File shares
  • Ticketing systems
  • Telephone recordings
  • Tablets/smart phones/mobile devices
Take a few minutes and try to identify everything in scope.

Step 2: Interview workforce members

Oftentimes, it’s simply not possible to create a data flow diagram on your own. The only way to ensure accuracy is to interview every single workforce member who has access to PHI. Your employees might know about random processes or data exits that no one else knows about. Interview process owners, web developers, sales force, physicians, third parties, etc.

This step is the hardest of the bunch. Trying to track down every PHI location, its flow, and what process put it there is exhausting and extremely time consuming. That’s why keeping detailed documentation of your findings is crucial to your flows…and your sanity.

Step 3: Create flow diagrams

Building on your findings from steps 1 and 2, flow diagrams illustrate the locations and flows of PHI. It often makes sense to have a separate diagram for each different in-flow and for each different out-flow. Once a diagram is completed, you never have to create it again! All you have to do is update it if processes change, or you change vendors.
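
As an added illustration (not part of the original post), the three steps can be captured in a small script: a Step 1 scope inventory, Step 2 interview findings recorded as flows, and a Step 3 diagram generated as Graphviz DOT text. Every system name, external party, and flow below is constructed sample data.

```python
# Added example: every system name and flow below is constructed sample data.
SCOPE = {"Patient admissions", "EHR", "Database", "Email system"}  # Step 1 inventory
EXTERNAL = {"Patient", "Billing vendor"}  # parties outside the organization

# Step 2 interview findings: (source, destination, format the PHI is in)
FLOWS = [
    ("Patient", "Patient admissions", "paper intake form"),
    ("Patient admissions", "EHR", "typed chart entry"),
    ("EHR", "Database", "database record"),
    ("EHR", "Email system", "PDF statement"),
    ("Email system", "Billing vendor", "PDF statement"),
    ("EHR", "Ticketing systems", "screenshot in a support ticket"),
]


def entry_points(flows, external):
    """Flows where PHI enters from outside the organization."""
    return [f for f in flows if f[0] in external and f[1] not in external]


def exit_points(flows, external):
    """Flows where PHI leaves the organization."""
    return [f for f in flows if f[1] in external and f[0] not in external]


def unscoped_systems(flows, scope, external):
    """Internal systems that interviews say touch PHI but the inventory missed."""
    seen = {name for src, dst, _ in flows for name in (src, dst)}
    return sorted(seen - scope - external)


def to_dot(flows, scope, external):
    """Render the flows as Graphviz DOT text (boxes = external, red = unscoped)."""
    missing = set(unscoped_systems(flows, scope, external))
    lines = ["digraph phi_flow {", "  rankdir=LR;"]
    for name in sorted({n for src, dst, _ in flows for n in (src, dst)}):
        attrs = "shape=box" if name in external else "shape=ellipse"
        if name in missing:
            attrs += ", color=red"
        lines.append(f'  "{name}" [{attrs}];')
    for src, dst, fmt in flows:
        lines.append(f'  "{src}" -> "{dst}" [label="{fmt}"];')
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    print("Entry points:", entry_points(FLOWS, EXTERNAL))
    print("Exit points:", exit_points(FLOWS, EXTERNAL))
    print("Missing from scope:", unscoped_systems(FLOWS, SCOPE, EXTERNAL))
    print(to_dot(FLOWS, SCOPE, EXTERNAL))
```

Saving the DOT text to a file and rendering it with Graphviz (for example `dot -Tpng`) produces the diagram; when a process or vendor changes, only the `FLOWS` list needs updating.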

Data flow diagrams will make your life easier. I promise.

It’s somewhat embarrassing when healthcare organizations don’t have something so important to their data security as flow diagrams. If your organization is actively working toward its HIPAA compliance, your data flow diagram will play a crucial part in that development.

Let me know if you need help with your flow diagrams by commenting below, or schedule a consulting session with me by emailing audits@securitymetrics.com or calling 801.705.5656.



Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.
