Healthcare organizations may be overconfident regarding the security of electronic health information, according to a new report from HIMSS Analytics. Respondents ranked themselves high for compliance with state and federal regulations and guidelines. However, 19 percent of organizations reported having a data breach in the past 12 months.
Although much of the fretting over healthcare IT has focused on hackers, the white paper notes that the majority of data breaches actually result from theft and carelessness. A stolen laptop, a forgotten mobile device, or improperly disposed-of documents can be as devastating to data security as an unprotected network. Since January 2008, over 110 healthcare organizations have reported data loss incidents. Over 46 percent of these incidents were caused by theft, and 24 percent were the result of loss or negligence. By comparison, only 12 percent resulted from web exposure.
Healthcare information is a particularly attractive target for attack due to the sensitivity of the data and the number of people who may handle it. Data breaches can be inconvenient and costly for healthcare organizations, and downright frightening for patients whose medical records may end up in the wrong hands. The Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law in 2009, requires that patients be notified of a breach of unsecured protected health information without unreasonable delay, and in no case later than 60 days after the breach is discovered. The notification duty applies only to unsecured data: under the accompanying HHS guidance, protected health information that was encrypted in line with NIST recommendations counts as secured, so whether a stolen laptop or lost device becomes a reportable breach depends largely on whether the data on it was encrypted.
Lisa Gallagher, Senior Director of Privacy and Security at HIMSS, says that human error is a training and awareness issue. “Every employee in the organization needs to understand that they’re responsible for protecting the patient data,” says Gallagher. She suggests that healthcare organizations invest time and resources into employee training. Gallagher also recommends periodic audits of employee performance to ensure that employees are complying with security practices.
The white paper, which was commissioned by Kroll Fraud Solutions, also emphasizes the importance of training. The paper proposes a four-pronged approach to improving data security: Know your data, know your employees, know your partner, and know your response plan. Healthcare organizations should take steps to understand how patient data is used and managed. Employees must be carefully hired and trained. Third-party vendors should be made aware of their responsibilities in protecting patient data. Finally, organizations need to formulate a response plan that minimizes the risk of a repeat incident. The white paper can be downloaded for free here.
Companies that work in healthcare IT security include McKesson, Computer Programs & Systems, SAIC and IDX Systems Corporation. Of course, the best security system in the world won’t help if employees lose their laptops or mismanage patient data. What does your organization do to reduce human error when it comes to healthcare IT?