Security: Employees Are Key

Since January 2008, more than 110 healthcare organizations have reported the loss of sensitive PII, according to the Open Security Foundation, affecting in excess of 5.3 million individuals. More than 46 percent of these reported data-loss incidents were caused by theft (stolen laptops, computers or media/tapes). A further 24 percent were the result of loss or negligence by staff or third parties, 12 percent were caused by malicious insiders and 12 percent were caused by Web exposure.

With data moving in, out and around a healthcare organization, Kroll Health Solutions advises that the burden of protection includes data at rest (in an electronic record or on a paper chart), data in use (accessed at the point of care) and data in motion (transferred from one location to the next). Stored data also frequently contains inactive patient information, as well as information on patients who are difficult to notify in the event of a breach, such as minors or decedents.

At the most basic level, healthcare organizations should inventory and map patient data flow, Kroll says, as well as coordinate and develop processes and procedures for sharing and protecting this data both internally and externally. One place to start is by assessing the various departments within the organization – ask basic data questions of employees in each department (e.g., IT, human resources and billing) and catalog the responses to get a comprehensive picture. Encourage staff to detail the ways in which data is used, retained or accessed. This will help in identifying poor practices within the organization, such as collection of unnecessary data, inconsistency in data handling and improper storage.

As employees of healthcare organizations have widely varying responsibilities and touch points with patient data, constructing a training program that is relevant to job function and level of sensitive data handling is important, Kroll adds. The goal should be to make necessary pre- and post-breach training a part of the overall program. For healthcare organizations, the primary focus should be on privacy and security-breach prevention and detection.

Healthcare employees should be trained to detect and report a breach promptly, because the 60-day notification "stopwatch" starts when the organization knew, or "reasonably should have known," that a breach occurred. Furthermore, to encourage detection and escalation of an incident, a "whistleblower" hotline can facilitate and expedite breach reporting.
