Security risks on the rise for 2014
Q: Your report mentions the risk of a "malicious insider." What are some strategies for creating a culture of security – steps an organization might take to foster an environment where all employees take patient privacy seriously, and that minimize the risk of a data breach?
A: That culture has to start at the top. Senior managers have to make it clear that you can provide the highest quality of service while protecting sensitive information. By the way, don't forget that healthcare organizations typically have a lot of sensitive information that does not constitute ePHI. Financial information, donor listings, employee files, confidential plans and many other documents or databases can be just as sensitive. Simply protecting ePHI is not enough; you have to understand what the sensitive data is for your particular organization, where it's stored, how it's processed and how best to protect it.
As you look across organizations, you see various ways of creating the culture of security. It's often stated as a basic principle of the organization's operations; it can be tied into the code of ethics. Organizations with effective programs usually have ongoing information security awareness programs, so that people know what's expected of them.
Interestingly, one of the things that seem to differentiate really good programs from others is the recognition that people will have questions or issues they need to discuss with someone. Providing a point of contact for information security and HIPAA/HITECH questions – which could be an email address that gets distributed to the right people – where no question is off limits, is important.
Another strategy to consider is having a couple of questions about the protection of PHI and other confidential information integrated into employee performance reporting systems. Having coverage of security and privacy protection in a document that can have an effect on a staff member's compensation and advancement makes it real, and can provide an early warning of problems.
Finally, we often use the concept of "trust but verify" in our work. We want to trust our team members to do the right thing, and to know when to call for assistance or information. But there are tests that can be performed as part of information security reviews, internal audits or other internal reviews that will help you confirm that people are doing what you expect them to do.
Q: How much of a risk does hacking pose to healthcare IT? Is it on the rise? Could you see a day when black-hats are as interested in personal health information as they are in bank account and Social Security numbers?
A: With the exception of state-sponsored hackers looking for health intelligence on specific persons or activists going after an institution because of some political or social stand that the institution took, most hackers are after money or things they can turn into money. To the extent that healthcare institutions deal in things like credit card data, they are targets, just as anyone else with such data.
But patient data can also be of value for things like medical care fraud. Someone who can get data that enables them to impersonate you and tap into your health insurance, for example, can be motivated to steal it, and to seek treatment while impersonating you or a family member. We've seen cases where this has been a serious issue.
Also, hackers know that many institutions accept credit cards, and we've seen them diligently search networks looking for credit card numbers in files. If you need to store this information, you're probably well aware of the PCI DSS regulations from card issuers, as it's another set of rules you have to follow, and, like HIPAA/HITECH, they've been recently updated.