According to a Department of Health & Human Services tally of data breaches since 2009, about 260 incidents occurred that went on to affect more than 10 million patients. And, it gets worse -- the second largest breach occurred not because of a hacked password but when computer back-up tapes were stolen from the back of a truck.
Security within the industry is changing, and health data breaches are a significant issue. According to Rick Kam, president and co-founder of ID Experts, now is a critical time in determining the future of health security.
"We're at the convergence of technology becoming more pervasive in healthcare," he said. "Patients want to share information and have multiple providers. This includes more sophisticated criminals as well as healthcare reform. Coming on the horizon in the area of healthcare, you could say we're at the crux of a potential data breach disaster -- if not within the next few months, within the next year you’ll see a data breach oil spill, so to speak."
"We operate with three core values," added Christine Arevalo, director of healthcare identity management at ID Experts. "One is the importance of taking preventative action. The second is doing the right thing for patients and the data you're entrusted with; the system as a whole is based on the trust patients have in physicians and safeguarding their sensitive information. And the third is being compliant -- it's a regulatory matter that can’t be ignored. We’re seeing a lot more of those rules being enforced, specifically data breach notifications. Companies can't hide from those issues anymore."
With that said, Kam and Arevalo gave us the six best ways to plan for, mitigate and protect against health data breaches.
1. Perform a risk assessment. According to Kam, the first step is to understand where the threats and vulnerabilities are in regard to the patient. He suggests performing a risk assessment. "We're seeing risk assessment and mitigation in general become a discussion that's happening at the board level," he said. "It's a lot about risk transfer and mitigation, but also about how we accomplish that in the wake of new emerging threats." And how organizations mitigate threats is changing, said Kam. In the past, directions were often given to the IT department, and money was spent deploying the latest technology. Now, Kam claims, that's not where a lot of vulnerabilities lie. "It's also a narrow view on the scope of the problem," he said.
2. Inventory your PHI. Understanding what sensitive information you have and where it exists within the organization is key. Considering business associates and subcontractors is also vital to taking inventory of your PHI. According to Kam, it's important to note anyone who may be getting authorized access to important information. "Bringing experts in from the outside is an emerging risk," added Arevalo. "For example, as the stimulus takes hold and organizations and providers can have potential revenue growth through rising Medicare and Medicaid rates, it puts pressure on them to move patients to places like clinics as well as home healthcare outside of the facility," she said. "It's utilizing global technology, and a lot of individuals who work outside the hospital may not have a secure environment. It increases risks, and you may not even be aware of what's happening."
3. Develop a PHI security strategy. Kam says it's key to develop a security strategy that's appropriate for the information you have. "So, protectable information that you're trying to protect or personally identifiable information. It's about trying to not only understand where it is, but also developing a strategy to protect it," he said. After identifying the information, it's essential to communicate the strategy to employees and other associates who are part of your system. Kam also suggests having a third party come in to bring a fresh perspective during the assessment stages and to help with developing a strategy. "If you have an internal team, there's a tendency for it to be more of a check-the-box exercise," he said. "Adding expert insight as to where breaches are occurring and how to protect against them is helpful. [It's about] finding someone who can be a trusted partner and an outsider who can take a fresh look at some of the risks your organization is exposed to, especially if you've already been exposed to audits and investigations."
4. Train employees. According to both Kam and Arevalo, the fourth step is where they see the most issues. "When it comes to protecting information, it's about getting your employees to understand how to best protect it and what to do if there is an unauthorized exposure," said Kam. Arevalo said training is essential and should include not only administrative employees, but also doctors, nurses and other clinicians throughout the organization. "They need to really understand how to maintain security hygiene when it comes to patient care," she said. Kam added that many tend to look at breaches as simply an IT issue. "It's much broader than that," he said. "[This misconception] is why there are so many breaches of personal information; it falls outside the technical part of the organization and happens because a business associate misplaces a laptop, for example."
5. Implement processes, technologies and policies. Once you've done an assessment and identified potential issues, Kam and Arevalo suggest taking the tools and technologies already in place and making it easy for employees and doctors to secure information. "If you don't put tools in place and they're hard to use, no one will use them," said Kam. "[It's important to] identify ways to protect this information in an automated fashion so the system itself helps protect the information. At the same time, it shouldn't disrupt the primary focus of healthcare professionals, which is patient care."
6. Have an incident response plan ready. According to Arevalo, the most important tip ID Experts offers is to always be prepared in advance for a breach. "Human nature is basically thinking this type of incident, being an unauthorized disclosure of health information, could never happen to their organization," she said. "Especially at an executive level. Most cases we see are organizations that think they have everything covered; they've made appropriate investments and tools, yet there are thousands of unauthorized disclosures happening on a monthly basis all over the U.S. Being prepared in advance is critically important." She added that a knee-jerk response to a breach can be devastating on an economic and recreational level, so both she and Kam recommend using a response plan in a more holistic way. "The document should be living throughout the organization, so it touches on every piece of the plan and the response includes training procedures and who's responsible for what if a breach does occur."