Patient records contain extremely private information, from diagnoses to bank account numbers, and that data is under constant attack. The Ponemon Institute estimates that during the last year, 40 percent of healthcare organizations faced some type of criminal attack on their data. In the past five years, more than 29 million patient records have been compromised. Healthcare CIOs, who are responsible for overseeing their organization’s IT operations, will have to answer for any security breach.
“The negative consequences of a breach are significant from a reputation, distraction and financial penalty perspective,” says Rob Giffin of Avalution Consulting, which specializes in business continuity and IT disaster plans. “While many healthcare executives are worried about the risk, I have found that they often feel stuck with relying on the CSO and their assurances. Executives need to go deeper in understanding the risk and also mandate a measurement of what risks exist and what the organization is doing about it.”
No healthcare executive wants to hold a press conference explaining how data was lost or stolen and what steps are being done to fix it. Giffin recommends that in order to protect patient information, healthcare leaders should at minimum take the following actions:
Conduct a Risk Analysis.
Healthcare leaders should analyze their organizations’ risks from technical, physical and administrative standpoints and implement safeguards in each area. That includes training and education, security breach tests, and cable locks and trackers for devices that are not encrypted. Physical controls such as locks and trackers are a stopgap for devices that cannot be encrypted; for a portable device that holds patient data, the primary safeguard is encryption of the data itself.
“Establishing an information security management system, similar to what is described in the ISO 27001 standards, is the industry’s standard way to ensure that potential risks are identified and mitigated,” says Giffin. “This also provides management with a mechanism to understand the status of information security threats.”
One of the biggest threats to patient data is the loss or theft of unencrypted laptops and mobile devices. Although hackers tend to get more press, cyber-attacks account for about 6 percent of lost healthcare data. Unauthorized disclosure accounts for 22 percent of healthcare data security breaches, while the biggest offender, at 35 percent, is theft or loss of devices or computers.
“[Another] recommendation is to encrypt tape backups if they are leaving your buildings,” says Giffin. “In many hospitals, a full set of all patient records are written to tape each night and carried out the door by a third party vendor. Loss of those tapes has been a frequent cause of data breach.” Encryption only protects those tapes if the keys are held separately from them; a key written to the same media, or handed to the same courier, leaves the building with the data. Healthcare data security breaches can result in criminals accessing patient bank accounts or obtaining prescriptions.
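As an added example, not code from the article or from Avalution or McKesson, the following Go program shows what “encrypt the backups before they leave the building” means in practice for both the lost-device case above and the nightly tape described by Giffin. A backup image is sealed with AES-256-GCM under a data key that is assumed to be held in a separate key-management system and never written to the tape. A lost tape or laptop image is then unreadable without that key, and a tape that has been altered in transit, or swapped for a different night’s tape, fails authentication on restore instead of being silently restored. The backup-set name, date and sample patient record are constructed for the example.

```go
package main

// Added example, not code from the original article: seals a backup image with
// AES-256-GCM before it leaves the building. The data-encryption key is assumed
// to live in a KMS/HSM, separate from the tape; NewDataKey stands in for that.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// tapeLabel is authenticated but not encrypted (GCM additional data). It binds the
// ciphertext to one backup set and date, so a tape from another night cannot be
// substituted for this one without the restore failing.
func tapeLabel(set, date string) []byte {
	return []byte(set + "|" + date)
}

// NewDataKey returns a fresh random 32-byte key. In production the key comes from
// the key-management system and is stored apart from the media (assumption).
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("data key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup returns nonce || ciphertext || GCM tag as one blob for the tape.
// A random 96-bit nonce is safe for up to 2^32 images under one key; rotating
// the data key per backup set keeps usage far below that limit.
func EncryptBackup(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce prefix.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptBackup verifies the tag under the same key and label before returning
// any plaintext. A wrong key, a flipped byte, or a different label all yield an
// error and no partial data.
func DecryptBackup(key, sealed, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("tape image too short to hold nonce and tag")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("tape image failed authentication: wrong key, wrong label, or tampered")
	}
	return pt, nil
}

func main() {
	// Constructed sample record standing in for a nightly patient-record dump.
	record := []byte("MRN=000123 name=Test Patient dx=sample-diagnosis")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	label := tapeLabel("nightly-full", "2016-03-01")
	sealed, err := EncryptBackup(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes on tape\n", len(record), len(sealed))

	// Restore with the right key and label succeeds.
	if _, err := DecryptBackup(key, sealed, label); err != nil {
		panic(err)
	}
	// A tape labelled for a different night, or one byte changed in transit, does not.
	_, err = DecryptBackup(key, sealed, tapeLabel("nightly-full", "2016-03-02"))
	fmt.Println("wrong label:", err)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptBackup(key, tampered, label)
	fmt.Println("tampered tape:", err)
}
```

Run it with `go run` on a single file. The same construction applies to a laptop disk image, although in practice a managed laptop should rely on full-disk encryption at the block layer rather than application code; the point the example makes is the same either way: whoever walks off with the media gets nothing without a key that was never on it.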
Educate Healthcare Employees.
Giffin says that organizations should educate their employees and then follow up by measuring how well employees understand their responsibilities for data protection. Staff members in charge of security awareness training can send out quizzes at random times throughout the year and stop by workstations to check that computers are locked and patient data is protected. Leaders should monitor the results and make sure that any employee who does not pass the quiz or the workstation assessment receives further security education.
“Healthcare organizations also need a mechanism for reporting potential breaches or security violations,” says Giffin. “That should include both anonymous and non-anonymous reporting.” Depending on the severity of the violation, staff may need to undergo intense data security education or possible disciplinary action.
Creating a culture that embraces security is critical to protecting patient data. Patient data has been lost because of both hackers’ access and employee error. Healthcare leaders should begin by conducting a risk analysis, ensuring that data is encrypted and educating employees. That way the only press conference they’ll hold will be about their exceptional patient data security, not about stolen data.
Want to better manage your patient data? Learn about McKesson’s Medical Imaging Professional Services.