Medical institutions around the country continue to acquire and implement new IT services and update their infrastructure to provide better medical facilities. This trend could be attributed to the large number of initiatives that are in place for the promotion of medical information technology. As the accessibility to medical information for a patient continues to increase, the need for network security and virus protection also increases.
PHI (Protected health information) could include test results, demographic information, insurance information, medical history or other information, which has been collected by medical professionals to help with the assessment and care of patients.
It is very important for medical organizations to have the necessary administrative, technical, and physical safeguards in place to ensure the integrity, confidentiality, and security of all of this health information.
According to a report on PHI breaches in the United States from 2009 to 2012, 252 incidents of data breaches affecting more than 10 million patients occurred in that period alone
The five main reasons for these data breaches are:
· Loss of electronic media
· Unauthorized access
· Human error
· Improper disposal
The largest ever data breach to date covered an entity which had 57 un-encrypted hard drives stolen from one of their leased facilities. The hard drives contained data on more than 1 million individuals including their names, social security numbers, dates of birth, diagnosis codes, health plan numbers, etc.
The reason for this breach was because the company hadn’t implemented the right administrative safeguards for protecting the information and didn’t perform the recommended security evaluation for operational changes. The investigation also showed how the company didn’t implement the required physical safeguards with regard to facility access controls.
Such data breaches are significant issues. What’s at risk here isn’t just the personal information and privacy of a patient, but also the financial well-being and reputation of an organization. There is only one clear choice for Healthcare Administrators here: they need to have the right IT services in place to ensure their security procedures and policies are always up to date.
Given below are a few of the recommended best practices:
Performing risk assessments is the best way of understanding where threats and vulnerabilities lie within an organization when it comes to patients and their medical records. In a number of instances, risk assessments as well as mitigation plans are discussed only at executive levels and are usually about mitigation or risk transfer. These discussions also need to include processes for securing the medical records of patients against new threats like theft and viruses. Understanding when and how to access medical records are critical components, which need to be included in comprehensive risk assessments.
A sound security strategy will not only involve understanding where the medical records are stored but also developing a strategy to keep them safe. Once this is understood, it is integral for the decision to be properly communicated to employees and executives in the organization. It’s highly recommended for organizations to hire a third party to help develop this strategy.
This will lend a fresh perspective to the assessment and also help ensure that the strategy is air tight. There is a tendency for IT teams to study security strategies internally and develop check box solutions. In order to prevent this from happening, IT services need to ensure they hire a trusted partner to provide them a fresh outlook on their security vulnerabilities.
Processes, policies, and technologies
After the risk assessment has been completed and every potential issue has been identified, it’s important for the tools and technologies to be put in place so that it is easier for doctors and employees to secure the medical information of patients. Things like random inspections are very important to ensure compliance with the procedures and policies are in place.
As far as the protection of medical information is concerned, it is all about getting the employees to understand how to protect data and what to do if there is a breach. Training’s essential and needs to include not just administrative employees but doctors, nurses and all other clinicians in the organization too. All employees that have access to medical information should know how to keep security protocols in place. This isn’t just an IT issue.
Medical organizations need to be ready for breaches at any time. Most of these organizations operate their facilities as if they would never have to deal with unauthorized access or viruses. Organizations which assume such a posture usually believe they are effectively addressing all of their security risks. But having a response plan in place will only make it easier for an organization incase failure does occur. It should include detailed responsibilities and roles for all members of an organization in such a situation.
This isn’t just something which is being regulated by government agencies (America has never been this heavily regulated but that is another topic), it is the right thing to do for patients as well.