Data security is a serious and growing problem for all sectors, but healthcare is taking the biggest hit. According to the Identity Theft Resource Center, in 2015 the magnitude of healthcare breaches was higher than any other industry, with 68.1% of victims coming from healthcare data breaches. This trend is predicted to continue. In fact, an IDC Health Insights report predicts 1 in 3 health records will be breached in 2016.
The simple reason for this increase is that personal patient data is valuable. Medical information is enticing for hackers because it includes personal details such as height and eye color that can be used to create fake identities. According to a recent FBI presentation, stolen health insurance information fetched a price of $60-$70 on the black market while a Social Security Number went for less than a dollar.
One contributing factor is the fact that the majority of healthcare IT leaders rely heavily on traditional security solutions such as firewalls, audit logs and data encryption. Technology by itself can't provide an adequate defense. Protecting patients' data requires a complete program including clear proactive policies, employee education, and verification of compliance integrated with technical solutions.
Here are five steps that healthcare organizations can take to keep their patients' data secure:
1. Create Corporate Culture of Protecting Patient Privacy
Educate and re-educate employees on current HIPAA rules and regulations including state regulations involving privacy of patient information. This training should be part of employee orientation and include periodic refresher courses. This includes everyone with access to sensitive patient data and computing systems (whether full-time, part-time, temporary, or transferring), medical staff (including both admitting and referring physicians), contractors, vendors, students, and volunteers. If employees are reminded of the implications of data breaches, the risk that security policies will be violated can be drastically reduced.
2. Conduct Regular Validation and Verifications
Internal audits should verify that all fundamental health care fraud management activities are adequately performed using independent tools for verification. Sanitized results of audits that catch employees not following policies and procedures can be made available to raise awareness that management is serious about protecting patient's data. Releasing official reports internally measuring the organizations progress at preventing data theft helps keep all the employees diligent.
3. Manage User Identity and Access Stringently
With so many members of the healthcare system frequently accessing patient information – for a multitude of different reasons – it is important to carefully manage identity of users. Make sure users at each level are only granted access to information pertinent to their position. For example, some organizations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record. Also ensure that log on/off and other security related procedures are clearly communicated and carefully enforced on shared machines. Automation of user access helps create an audit trail and ensures efficiency and safety for everyone involved.
4. Monitor Users, Applications, Devices and Records
Make sure you have a record of when electronic files are viewed and not only when they are modified or created. It is also just as important to make sure employees know that they are being monitored. Inappropriate access is deterred when users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. However, don't overlook low tech data theft. Remind employees to be watchful of electronic devices and paper records left unattended. More often than not, data breaches occur due to theft of these items from a home, office or vehicle. Secure data exchange systems can catch when an employee sends an email or a file without the appropriate authorization, but carelessness is impossible to detect until it's too late.
5. Proactively Take Action to Prevent Snooping
Take a special note when there are events that might increase the incidence of unauthorized access of patient data. Automated solutions have the advantage that business rules can be added quickly based on targeting those circumstances that are the most likely to result in data theft, for example when your organization is providing services to high profile people such as celebrities. Also it is recommended to monitor when workers might have family members treated to make sure they are not breaching security policies by accessing their records.
By being proactive and planning ahead, health care organizations have a better chance of avoiding data breaches and keeping their patients' personal data secure. Formal policies regarding information system security, employee training, and procedures for monitoring and penalizing breaches of privacy and security are essential. Investing up front in protect patient privacy is preferable to the long painful process of fixing a problem after it has already happened. Once trust in your organization has been damaged, it can be difficult – if not impossible – to repair.
Hagai Schaffer leads Product Management at Bottomline Technologies for the Cyber Fraud and Risk Management division. He has over 25 years of experience in the software industry in both technology and business positions.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.