Healthcare is increasingly digital and mobile, with electronic records, cloud computing, smartphones and tablets. With all of the benefits of technology in healthcare come some downsides, and one of them is the difficulty of protecting patients' personal information. Because data breaches are unpredictable, even organizations that implement security and privacy controls and are fully HIPAA compliant can suffer one. According to David Finn, health information technology officer at Symantec, even with a heightened focus on data security, healthcare organizations still make mistakes. Here, Mr. Finn offers five tips to help hospitals and health systems reinforce the safety of their health information.
1. Remember to conduct risk assessments. Although HIPAA requires it, the risk assessment is still sometimes skipped, and it cannot be. Data flows in and out of a hospital's EMR and other systems in many ways, each creating potential risk. Officials need an acute awareness of their hospital's data flow: how the data is used and transferred, and when and where it leaves the hospital. A risk assessment is the primary way to identify the risks tied to each of those flows.
2. Tailor the protection to the data. Often, once officials have identified where the data flows and where it is stored, they assume it is protected and safe, says Mr. Finn. The problem is that different data needs different protection. If the data is never exchanged, a control such as an endpoint compliance check, which requires each device to meet a defined standard before it is granted network access, may not be necessary; if the data is exchanged, such a control would be. According to Mr. Finn, it is important to understand that the security needs to be customized. "It goes back to data security as not just an IT issue. The right data protection entirely depends on who needs the data and how it is used. For example, if the data is used for a research presentation it needs different restraints and protection than if it is clinical data used by caregivers in the active treatment of a patient. Data for a research presentation may not need the same level of encryption," says Mr. Finn.
3. Train employees. Do not forget to train staff. "At the end of the day, health information security is about people," says Mr. Finn. "The security is only going to be as strong as the individuals using the systems." Physicians and clinical staff are usually well-intentioned when they share data, because they are trying to do their jobs. However, protecting and securing the healthcare data may not always be on their minds. According to a study by Symantec and the Ponemon Institute, insider negligence caused 39 percent of the data breaches in 2011, whereas malicious attacks by a third party caused only 25 percent. Proper and repeated training raises the likelihood that hospital staff remember the right security measures. Everyone from the CEO to the hospital groundskeepers should be trained. Employees who know what to do and what not to do become another layer of protection.
4. Upgrade data loss prevention tools. Data can be shared in many ways: person to person, on social networking sites, by email, as hard copies or on a USB drive. Mr. Finn recommends that hospitals spend the necessary money to purchase and upgrade data loss prevention (DLP) tools, because they monitor all the touch-points at which data is transferred. "Some of the data tools allow hospitals to monitor and watch data flow in real-time. You can tighten enforcements and install settings to flash warnings for employees before the data is emailed or shared," says Mr. Finn.
5. Think outside the box. Mr. Finn believes it is essential that healthcare professionals think outside the box for ideas to protect healthcare data. Often, the cause of a data breach is unexpected. Even organizations that complete a risk assessment, implement security protocols and deploy data loss prevention tools can experience a breach.
"We have to tax our minds a little bit to think of solutions from the standpoint of how the data is used and how it is exchanged. The following questions need to be addressed continuously as new technology emerges: Where is the data? How does it move? Who is using the data and at what locations? What is the data's purpose? We need to be creative in assessing the data flows and offering the right kind of security at each transfer point," says Mr. Finn.
More Articles on Data Security:
3 Major Data Security Mistakes to Avoid
3 Considerations for Evaluating Data Breach Insurance Policies
8 Tips for Strengthening Mobile Health Security