With cyber criminals actively targeting healthcare, Rick Kam, president and co-founder of security firm ID Experts, argues that the threats to protected health information have never been greater. As chair of the PHI Protection Network, a collaboration of vendors working to expedite adoption of PHI best practices, Kam also believes there are some critical strategies healthcare organizations can employ for protecting patient information.
The best place to start, he says, is with a risk assessment that serves as an inventory of where an organization’s patient information lies, both within and outside the organization. But the following 10 strategies for protecting patient data are just as necessary.
1. Demand Organizational Leadership Engagement
Workforce training and safeguards alone will not be effective. Organizational leadership must embrace and champion compliance as it would any other component of the organization’s value chain. Leadership must visibly and actively foster a culture of compliance throughout the organization by setting expectations and holding all workforce members accountable to the same standards.
2. Find and Identify Your Data
Organizations need to know where their data lives, where it travels, and in what form (encrypted, identified, de-identified, etc.).
3. Control PHI Workflow and Minimize Necessary Workforce Access
Organizations must find ways to better control PHI workflow within the organization, and movement outside the organization. This not only includes safeguarding it from impermissible uses and disclosures, but also will require integration of HIPAA with other health information protection activities to ensure a single point of control within the organization.
4. Assess Risks
Organizations must have solid processes in place for assessing risk with new systems, devices, services and partners, and determine how best to use their power as purchasers to weed out those that don’t meet best security practices.
5. Prioritize Third-Party Vendor Management
Organizations will need help with third-party vendor management to strengthen oversight and review processes. Smaller business associates are particularly vulnerable since they may not have as many resources to devote to security and compliance, and may be more likely to experience a data breach.
6. Get Proactive
The healthcare industry needs to take a proactive stance when it comes to regulations to protect patient health information. Companies that go above and beyond baseline protection requirements will be seen as industry leaders, and patients will choose to use their services over others.
7. Make Privacy an Integral Part of New Technology Adoption
The pace at which new technology is being introduced into the healthcare industry is increasing, with thousands of new health-related mobile applications available this year, along with devices such as the Apple Watch and the Internet of Things. But we have little evidence that patient privacy or security features are being considered. The healthcare industry and its technology service providers need to build privacy and security into the technology they already use, as well as into how they design, construct and deliver new tools.
8. Measure to Improve
You can’t manage what you can’t measure. The healthcare industry needs to get better at determining key metrics to continuously measure and improve security postures.
9. Look for “Non-Standard” Systems as Potential PHI Data Stores
In particular, voicemail systems, customer service call recording systems, and closed-circuit television systems could all potentially be storing PHI, but may not be as carefully safeguarded as traditional IT systems such as EHRs and patient billing.
10. Instill a Culture of Security
Every employee is a guardian of the customer’s data. Although employee negligence and lost/stolen devices continue to be primary causes of data breaches, as Kam points out, one of the major findings of a recent Ponemon Institute report is that criminal attacks are now the leading cause of breaches in healthcare. While criminal attacks are often referred to as cyber-attacks, they can also include malicious insider threats, according to Kam.
Original Post By: Health Data Management