6 steps to keep security issues at bay
Healthcare institutions should emulate best-of-breed privacy policies developed by financial services firms rather than those of other hospitals, recommends William Tanenbaum, partner at New York-based technology law firm Kaye Scholer LLP.
When it comes to privacy and data security, healthcare institutions face tremendous exposure to regulatory violations and monetary damages, Tanenbaum said in a news release. Tanenbaum advises clients on a wide range of technology and Internet issues, including data security and privacy.
“Criminals pay more for stolen personal health information than they do for stolen credit card information,” he said. “The top of a medical chart contains all the information needed for identity theft. While better IT is the solution, not all wheels have to be reinvented.”
Tanenbaum advises hospitals to adopt the IT solutions, privacy and data security procedures, and employee education programs that have already been developed and tested by leading financial institutions to protect sensitive personal information in a regulated environment.
According to a recent study on patient privacy and data security, conducted by the Ponemon Institute, 94 percent of healthcare organizations surveyed suffered at least one data breach in 2011 and 2012, with 45 percent of these organizations actually experiencing more than five data breaches during the same period. Lost devices, employee and third-party error, criminal attacks and technology glitches were listed as a few of the leading causes for the breaches, which Ponemon estimated could be costing the U.S. healthcare industry an average of $7 billion annually.
An April 2013 ITRC Breach Report by the Identity Theft Resource Center showed that in the first three months of 2013, the medical and healthcare sector experienced 58 breaches, or 40 percent of all breaches reported in the country (a total of 562,577 compromised records with 63 percent of them lost). By contrast, ITRC found that so far in 2013 the financial services industry experienced seven breaches, or 5 percent of all reported data breaches, for a total of 14 records compromised and with no records actually lost.
“Customers rightfully worry about protecting sensitive financial information such as social security numbers, and checking and credit card accounts,” said Tanenbaum. “But healthcare data in many ways can be viewed as even more sensitive because electronic medical histories, laboratory tests and prescribed medicines, if compromised, could harm patient health.”
According to the Ponemon survey, 73 percent of healthcare organizations cited insufficient resources to prevent and detect data breaches.
“Hospitals that fail to commit the necessary technology resources to secure systems up front may face exponentially larger costs in the event of a security breach,” Tanenbaum warns.
Tanenbaum recommends healthcare organizations take six steps to ensure better security:
- Hack your own system. Test the strength of your IT and data security systems to find and fix potential problems before criminals and hackers exploit them.
- Keep storms out of your cloud. Choose the right data protection protocols before you send data to the cloud, and plan even more carefully if you use the cloud as a computation platform as well as a data storage system.
- Investigate your IT vendors. Ensure that they understand that HIPAA and HITECH regulations are not ordinary business requirements and that your vendors will be effective partners if you have to implement your database breach remediation plan. Make sure the vendors will keep key personnel assigned to your account.
- Use checklists for data health. Healthcare workers should follow checklists to ensure data health and protect against computer viruses in the same way that medical staff follows checklists to ensure patient health and prevent infection.
- Encrypt but verify. Encryption provides security, but only if used consistently and as designed.
- Audit and then audit again. Ensure that each link in the chain of electronic record collection, storage, analysis and transmission is secure, and that carefully crafted procedures are followed consistently.