
HIMSS Security Survey: Preparing to handle the worst data breach


In today’s data-heavy landscape, data breaches are an unfortunate reality for organizations across all industries. Looking specifically at healthcare, just last year nearly one in five healthcare provider organizations reported having experienced a security breach, and about one in eight had at least one case of medical identity theft.[1] While healthcare organizations recognize these incidents as a real threat, the adoption of security practices and protocols is not keeping pace with the amount of data they share.

According to the 2013 HIMSS Security Survey, conducted last month by the Healthcare Information and Management Systems Society in partnership with Experian Data Breach Resolution, 88 percent of healthcare organizations indicated they currently share information with third-party vendors. Of the 283 healthcare information technology (IT) and security professionals surveyed, however, most are not well prepared to protect that data. For example, only about half of physician practices reported encrypting data while in transit (for example, on laptops that leave the premises). And although more organizations both have and test a data breach response plan, nearly half are not testing it regularly, which leaves them less prepared when an incident does occur.

The good news is that there are several steps healthcare organizations, large and small, can take to prepare for a breach and to protect the electronic health records they share with third parties.

1. Train Employees. Data from the HIMSS Security Survey suggest the greatest perceived “threat motivator” is healthcare workers snooping into the electronic health information of friends, neighbors, spouses or co-workers (i.e., inappropriate data access). Recognizing insider access as an area of breach risk, organizations have increased their use of several key technologies that govern employee access to patient data, including user access control and audit logs of access to patient health records.

Even the most basic security controls, such as encryption for employee mobile devices and laptops, matter. Check that physicians keep their work-related laptops, mobile and digital devices secure at all times, and remind them to change passwords every three months. It is also important to verify that staff are up to date on company policy regarding data security procedures, including which digital and paper documents to keep and how to securely discard what is not needed. Train staff to recognize signs of cybersecurity threats in their daily work and to know the proper course of action for reporting a suspected breach.

2. Practice Makes Perfect. More than half of respondents to the HIMSS Security Survey report that their organization has tested its data breach response plan. Respondents working for hospitals were more likely to report this than respondents working for physician practices. Two-thirds of those whose organization tests its plan reported that the plan is tested annually. While it is encouraging that healthcare organizations are developing data breach response plans, a plan is only as good as the team’s familiarity with it: it should be exercised regularly, not just written.

3. Invest in Security. More than half of survey respondents indicated their organizations had increased budgeted spending on security, but 49 percent admitted they spend 3 percent or less of their overall IT budgets on initiatives to protect patient data. Recognizing the real threat of breaches, organizations should at minimum invest in employee training, a proper data breach response plan and security software. Check that automated software and operating system updates are installed properly across the entire company. Ensure that automated security monitoring and reporting systems are up to date, and store sensitive patient data securely.
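Step 1 above names audit logs of patient-record access as a control against insider snooping, but a log only helps if something reads it. The following is an added example (not from the article, the HIMSS survey or Experian) of the kind of rule set that turns an access-audit log into alerts: it flags accesses with no documented treatment relationship, accesses to a co-worker’s record, accesses to a patient who shares the employee’s surname, and an employee viewing their own record through the clinical system. Every employee, patient, department and log line is constructed for the example, and the “treatment relationship” model (care team plus department encounters) is an assumption about how an organization would express that relationship, not a standard.

```python
"""Insider-snooping detection over EHR record-access audit records.

Added example, not code from the article or the survey. All names,
IDs, departments and audit lines below are constructed, and the
treatment-relationship model (care team + department encounters) is
an assumption about how a provider would represent that relationship.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    last_name: str
    department: str
    patient_id: Optional[str] = None  # set when the employee is also a patient


@dataclass(frozen=True)
class Patient:
    patient_id: str
    last_name: str
    care_team: FrozenSet[str]      # user_ids with a documented treatment relationship
    departments: FrozenSet[str]    # departments with an encounter for this patient


@dataclass(frozen=True)
class Alert:
    user_id: str
    patient_id: str
    timestamp: str
    reason: str


# Constructed staff directory and patient relationships (hypothetical data).
EMPLOYEES: Dict[str, Employee] = {
    "jdoe":   Employee("jdoe",   "Doe",   "cardiology"),
    "rsmith": Employee("rsmith", "Smith", "billing", patient_id="P-1002"),
    "alee":   Employee("alee",   "Lee",   "emergency"),
}
PATIENTS: Dict[str, Patient] = {
    "P-1001": Patient("P-1001", "Doe",   frozenset({"alee"}), frozenset({"emergency"})),
    "P-1002": Patient("P-1002", "Smith", frozenset({"jdoe"}), frozenset({"cardiology"})),
    "P-1003": Patient("P-1003", "Brown", frozenset({"jdoe"}), frozenset({"cardiology", "billing"})),
}
# Records that belong to staff members (co-worker lookups).
EMPLOYEE_RECORDS = {e.patient_id for e in EMPLOYEES.values() if e.patient_id}

# Constructed audit lines: "<timestamp> <user> <action> <patient>".
AUDIT_LOG = """\
2013-10-01T08:02:11Z alee   VIEW P-1001
2013-10-01T08:15:40Z jdoe   VIEW P-1003
2013-10-01T08:16:02Z jdoe   VIEW P-1001
2013-10-01T09:30:55Z rsmith VIEW P-1003
2013-10-01T09:31:20Z alee   VIEW P-1002
2013-10-01T09:32:05Z rsmith VIEW P-1002
"""


def parse_audit_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split whitespace-delimited audit lines into (timestamp, user, action, patient)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient = line.split()
            records.append((ts, user, action, patient))
    return records


def evaluate_access(ts: str, user_id: str, patient_id: str) -> List[Alert]:
    """Apply the snooping rules to one access; returns zero or more alerts."""
    user = EMPLOYEES.get(user_id)
    patient = PATIENTS.get(patient_id)
    if user is None or patient is None:
        # An identity the directory does not know is itself worth a look.
        return [Alert(user_id, patient_id, ts, "unknown user or patient")]
    if user.patient_id == patient_id:
        # Self-access through the clinical system bypasses the patient portal.
        return [Alert(user_id, patient_id, ts, "employee viewed own record through the clinical system")]
    alerts = []
    on_care_team = user_id in patient.care_team
    dept_relationship = user.department in patient.departments
    if not on_care_team and not dept_relationship:
        alerts.append(Alert(user_id, patient_id, ts, "no treatment relationship"))
    if not on_care_team and user.last_name == patient.last_name:
        alerts.append(Alert(user_id, patient_id, ts, "shares surname with patient"))
    if not on_care_team and patient_id in EMPLOYEE_RECORDS:
        alerts.append(Alert(user_id, patient_id, ts, "patient is a co-worker"))
    return alerts


def detect_snooping(text: str) -> List[Alert]:
    """Run every parsed audit record through the rules and collect the alerts."""
    alerts: List[Alert] = []
    for ts, user, _action, patient in parse_audit_log(text):
        alerts.extend(evaluate_access(ts, user, patient))
    return alerts


if __name__ == "__main__":
    for a in detect_snooping(AUDIT_LOG):
        print(f"{a.timestamp} {a.user_id} -> {a.patient_id}: {a.reason}")
```

On the constructed log, the billing clerk’s view of P-1003 is not flagged because billing has an encounter with that patient, while the cardiologist’s view of a same-surname emergency patient and the emergency clinician’s view of a colleague’s record each produce two alerts. In a real deployment the care-team and department data would come from the EHR’s scheduling and encounter tables, and the surname rule would be a low-severity signal for human review rather than an automatic finding.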

As more and more data is shared across the healthcare sector, security professionals are increasingly concerned about the safety of electronic records. Many organizations have yet to implement the technologies needed to protect this data, but there are positive signs that breaches are being taken more seriously. We are likely to see an upward trend in the adoption of security technologies and tools in the healthcare industry to better prepare for potential incidents.


Michael Bruemmer

Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently serves on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
