10 Steps for Protecting Patient Data
With increasing numbers of access points to protected health
information under attack, the healthcare industry continues to be plagued with
damaging breaches. Just last week, CareFirst BlueCross BlueShield announced a
hack that compromised the information of more than a million of its members.
A Ponemon Institute report released in May found that over
90 percent of healthcare organizations have been breached in the last two years
and the breaches are a growing $6 billion annual epidemic that is putting
millions of patients and their information at risk.
Although employee negligence and lost/stolen devices
continue to be primary causes of data breaches, one of the major findings of
the recent report is that criminal attacks are now the leading cause of
breaches in healthcare. While criminal attacks are often referred to as
cyber-attacks, they can also include malicious insider threats.
The study also reveals that most healthcare organizations
are still woefully unprepared to address the rapidly changing cyber threat
environment and lack the resources and processes to protect patient data.
However, Rick Kam, the chair of the PHI Protection Network, a cross-industry
collaboration of vendors formed to help expedite the adoption of PHI best
practices, believes there are some critical strategies healthcare organizations
can employ for protecting patient information.
“Probably the best place to start is really to do a risk
assessment,” says Kam. “It needs to be front and center as the starting place
to help decide and prioritize where—for the most part—a very limited IT
security budget might be allocated. What the risk assessment will do is
identify those assets and systems where PHI lives.” He sees this as an
inventory of where an organization’s patient information exists, not only
internally in a hospital or clinic, but also with external business associates
and partners that are involved in managing that data.
Specifically, the PHI Protection Network recommends 10 steps
necessary to protect patient data:
● Demand organizational leadership engagement. Workforce training and safeguards alone will not be effective. Organizational leadership must embrace and champion compliance as it would any other component of the organization’s value chain. Leadership must visibly and actively foster a culture of compliance throughout the organization by setting expectations and holding all workforce members accountable to the same standards.

● Find and identify your data. Organizations need to know where their data lives, where it travels, and in what form (encrypted, identified, de-identified, etc.).

● Control PHI workflow and minimize necessary workforce access. Organizations must find ways to better control PHI workflow within the organization, and movement outside the organization. This not only includes safeguarding it from impermissible uses and disclosures, but also will require integration of HIPAA with other health information protection activities to ensure a single point of control within the organization.

● Assess risks. Organizations must have solid processes in place for assessing risk with new systems, devices, services and partners, and determine how best to use their power as purchasers to weed out those that don’t meet best security practices.

● Prioritize third-party vendor management. Organizations will need help with third-party vendor management to strengthen oversight and review processes. Smaller business associates are particularly vulnerable since they may not have as many resources to devote to security and compliance, and may be more likely to experience a data breach.

● Get proactive. The healthcare industry needs to take a proactive stance when it comes to regulations to protect patient health information. Companies that go above and beyond baseline protection requirements will be seen as industry leaders, and patients will choose to use their services over others.

● Make privacy an integral part of new technology adoption. The pace at which new technology is being introduced into the healthcare industry is increasing, with thousands of new health-related mobile applications available this year. But there is little evidence that patient privacy or security features are being considered.

● Measure to improve. You can’t manage what you can’t measure. The healthcare industry needs to get better at determining key metrics to continuously measure and improve security postures.

● Look for “non-standard” systems as potential PHI data stores. In particular, voicemail systems, customer service call recording systems, and closed-circuit television systems could all potentially be storing PHI, but may not be as carefully safeguarded as traditional IT systems such as EHRs and patient billing.

● Instill a culture of security. Remember every employee is a guardian of the patient’s data.
(SourceMedia website)