Securing Personal Data at the Service Desk

[Image: Woman with headset smiling]

With such a preponderance of information, one of Information Technology’s primary roles is not only securing the data from an infrastructure management standpoint but also controlling how such data is disseminated at the service desk. Particularly for organizations in the healthcare and financial industries, the disclosure of secure data is considerably regulated and, as a result, incorporated in their agreements with all IT vendors. Even for clients outside of healthcare and finance, agents are required to follow all code of conduct and technology usage policies upon completion of related training. For this reason, all service desk outsourcing personnel are required to sign non-disclosure or confidentiality agreements and adhere to the employer’s as well as the client’s operational terms and conditions.

In the course of supporting the client’s end users or external customers, service desk agents are continually exposed to healthcare information, new hires and terminations, and credit data. While knowing how to handle sensitive records in terms of HIPAA and SOX compliance is crucial, following thoroughly documented procedures specific to the client is an equally unwavering part of the incident management process. Clearly, including a customer’s credit account information in a ticketing system is a violation of the Sarbanes–Oxley Act (SOX), but there are comparatively more ambiguous situations that are expressly addressed in client protocols. Although the specifics of scripts, ITSM platform usage, and agent processes vary from client to client, the non-proprietary essentials include some combination of the following service desk processes:

  1. Compliance training and accountability for agents
  2. Multi-field verification for authorized client access
  3. Deletion or redaction of unsecured data received
  4. Instruction to caller not to disclose such data either verbally or on their desktop
  5. Use of encryption and secure messaging tools
  6. Network access restrictions at the service desk

Before performing in-depth troubleshooting on the desktop via a remote connect tool such as TeamViewer, agents instruct callers to close or minimize anything containing Personal Health Information (PHI) or Personally Identifiable Information (PII) before the agent gains access to their systems. PHI and PII include such information as medical procedures, diagnoses, first name, last name, personal address, and social security number.

In those rare instances in which the individual contacting the help desk discloses the particulars of their medical condition or other personal information, the agents are instructed to focus the dialogue on the technical aspects of the issue. ABS Senior Phone Analyst Meredith Kelvington (pictured above), who fields contacts for a medical insurance industry client, explains: “The agents remind callers that they should not be sharing PHI or PII information at the time of the call, but if necessary, it can be added by the insurer’s plan support team as an encrypted, password-protected attachment after the ticket has been created or subsequently assigned to the appropriate group. If for some reason, the service desk receives a ticket with an unsecured attachment containing PHI or PII, agents are instructed to promptly delete it and request the sender resubmit it in the secured format.”

Kelvington adds, “Occasionally, the service desk will receive errant contacts from medical insurance customers that aren’t seeking technical support, but plan-related guidance. In such cases, our agents are at risk of hearing personal identifiers, particularly social security numbers, so they are trained to immediately redirect the caller to contact the customer service number on the back of their insurance card.”

Although medical records are handled by the client’s own Health Information Management team, the service desk does enable authorized access to patients and medical professionals themselves using a multi-field format. For example, if a doctor can’t access lab results or review their patient’s chart due to a hung session, the service desk would clear the session in Citrix only after verifying the caller’s name, employee ID number, position, title, location, etc. So procedurally the Level 1 team remains HIPAA compliant without viewing the medical records themselves. Similarly, if a patient wants to access medical charts or schedule an appointment with a doctor, but is locked out of the MyChart portal in Epic, the service desk would unlock the account only after verifying unique fields such as patient ID, last four digits of the SSN, and date of birth.

When escalating the ticket to an appropriate on-site medical or financial support group, the agent documents only the relevant IT-related information. In some instances, this entails redacting screenshots from client customers that inadvertently capture bank account information, complete social security numbers, or other personal details. Screenshots including error codes or other visual root cause symptoms are intended to expedite the resolution process; however, the service desk needs to serve as the first line of defense against unintentionally passing along credit information or medical records by redacting exposed data contained in those images.

Understandably, medical and financial industry clients prefer to manage and host their own network infrastructure and messaging systems so they can control how their secure data is disseminated, leveraging an automated layer of protection. In addition to internal messaging encryption controls, email traffic sent to external recipients is scanned for personal information in both the subject line and body of the message. The Exchange server identifies and blocks the submission of PHI or PII in the rare instances that it may have been overlooked by the individuals previously handling the issue or not flagged as “secure” in the subject line. But so long as sensitive data is relayed between clients and IT professionals, the service desk will remain the primary line of defense against secure data disclosure using vigilant discretion, procedural attention, and care.
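
The redaction of ticket text before escalation and the outbound scan of subject and body described above can share one detector. The sketch below is an added example, not code from the article or from any client system; the two patterns, the `client.example` domain, the substring test for the “secure” flag, and the `encrypt` verdict are assumptions made for illustration.

```python
import re

# Constructed detection rules; a production DLP rule set is broader and tuned per client.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return sorted (kind, start, end) spans for SSNs and Luhn-valid card numbers."""
    hits = [("SSN", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("CARD", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def redact(text):
    """Mask every detected span, e.g. in a ticket note before escalation."""
    out, pos = [], 0
    for kind, start, end in find_pii(text):
        if start < pos:          # skip a span overlapping one already masked
            continue
        out.append(text[pos:start] + f"[REDACTED-{kind}]")
        pos = end
    return "".join(out) + text[pos:]

def outbound_verdict(subject, body, recipient, internal_domain="client.example"):
    """Assumed policy: scan subject and body of mail leaving the organization."""
    if recipient.lower().endswith("@" + internal_domain):
        return "deliver"
    if find_pii(subject):        # assumed: PII in the subject is blocked regardless of the flag
        return "block"
    if find_pii(body):
        return "encrypt" if "secure" in subject.lower() else "block"
    return "deliver"

# Constructed sample ticket note (test values, not real identifiers).
NOTE = "Login error 0x80070005. Caller SSN 123-45-6789, card 4111 1111 1111 1111."

if __name__ == "__main__":
    print(redact(NOTE))
    print(outbound_verdict("Ticket update", NOTE, "vendor@partner.example"))
```

Pattern matching of this kind only covers typed text; identifiers captured in screenshots still need the manual redaction step described earlier.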