A recent study by the Ponemon Institute showed that not only has the frequency of data breaches increased 32 percent in the past year, but their estimated cost is at $6.5 billion. 

Eric Darbe, director of product marketing at Nashua, N.H.-based compliance specialists HiSoftware, believes more organizations can stand to learn a thing or two about working with sensitive data. He suggests six tips for handling personal health information.

1. Create a governance board. Darbe said having buy-in across the organization is key, and that gaining support to address PHI and other security issues is the first step to creating awareness and building a security strategy. “Does everyone agree there’s a problem?” he said. “And [do they know] what that problem is? This [board] should involve all stakeholders in the organization.” Darbe said the board should include IT security folks, but also practitioners and other professionals using the information, “so they understand what the risks are,” he added. And vice versa: IT personnel need to understand what practitioners are trying to accomplish day to day with these tools. “The first thing is to have a cross-functional board that looks at all the various issues around information security risks, while also putting policies down on paper,” said Darbe.

2. Take time to implement policies. It’s not enough to write down your policies, said Darbe. Although defining them is important, he suggests having some sort of automated monitoring in place to make sure policies are being followed. “You need to actually understand what’s happening with that content, and the risk there is to PHI,” he said. Training is another component to implementing policies, and according to Darbe, it needs to take place on automated monitoring tools as well. “It’s understanding, in detail, the risks that require some sort of training as well as the automated monitoring,” he said. “And the automated monitoring shouldn’t get in the way of people doing their job; it should provide reminders to them to not put information into areas they shouldn’t or move it from one spot to another.” 

[See also: Breach leaves docs at risk.]

3. Don’t assume everything in your organization is secure. “There are different levels of risk, and firewalls and end-point security are important pieces of the puzzle,” said Darbe. “But what your employees do with that information in your own vaults and having a program in place to understand that is important.” He suggests taking a good look at information and understanding what may contain sensitive data. In turn, this is “getting in front of a potential problem by monitoring how folks are using the information.” Darbe also referenced a recent instance in which a Hershey Medical Center employee was fired after the breach of former college football coach Joe Paterno’s electronic health records. “This is one of those bad things that happens, and it spins out into this whole big controversy,” he said. “That’s an important point: know what you don’t know. Take a look at yourself and don’t assume things are secure.”

Continued on the next page.