Originally posted by Kyle Murphy via EHRintelligence.com
The most recent wave of health data breaches has raised the red flag concerning the lack of administrative safeguards in place to prevent thefts caused by physical theft. While the individual employees who have lost their peripherals or had their hardware stolen are the easy scapegoats, management has not escaped unscathed. In fact, the most vocal of critics have placed the lion’s share of blame on those responsible for weak or nonexistent policies governing the protection of protested health information through administrative, physical, and technical safeguards.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule guides covered entities toward establishing security standards that keep pace with new technologies and forms of access, evolving with the times to identify and fill in any gaps that emerge. As the Department of Health and Human Services asserts, the Security Rule is only a guide and not a complete rule in itself; therefore, the onus for safeguarding unauthorized access to patient information truly falls to covered entities.
In response to our coverage of recent health data breaches, our readership of health IT professionals have reached a consensus that all security begins with proper leadership and thorough educational programs for employees. That being said, these same professionals understand that the biggest threat to PHI is the result of the human element. To prevent the effects of human error, health IT managers and staff have recommended a series of technical measures that could forestall future breaches. Here’s what’s tops on their lists:
Encryption: The technology comes in three flavors: hashing, symmetric, and asymmetric. But for the purposes of a general conversation, it’s easier to think of encryption with regard to what’s being encrypted. For healthcare, encryption is pertinent to hard drives, peripherals, applications, emails, database, and networks. A loss laptop, flash drive, or other portable device should raise concerns but not signal a definite breach. Encryption is the ultimate failsafe.
Authentication: The number of healthcare providers and staff requiring access to PHI and proliferation of mobile devices mean that many users will be accessing patient data in numerous ways. But how do you prevent a lost device or password from turning into a data breach? Raise the number of factors. Multi-factor authentication requires that users verify their identities based at least two criteria. A password coupled with a token means that unauthorized users need to work harder to gain entry.
Registration: While we’re on the topic of smartphones and tablets, the concept of BYOD (bring your own device) has many health IT professionals scratching their heads and pulling their hair out. Requiring that users register their devices in order to access a private healthcare network allows the organization to stay on top of who is authorized to view what information.
Access: Downloading scores of patient records to a local machine is tempting fate. This practice raises crucial IT-related questions. What kinds of information do providers and employees need to carry out their tasks? And does that data require local access? The rise of SaaS (software-as-a-service) applications has proven that storing information locally on a laptop, tablet, or smartphone isn’t a necessity. Just-in-time data allow users to get the information they need in the moment and ensure that it’s safe once they’re done with it.
If management is not going to get with the program, health IT staff needs to demand that certain technical safeguards are in place. Respecting and trusting providers and employees are two different things. Putting too much trust into either, even those with the best of intentions, is a dangerous practice that shows little respect for the trust patients place in their healthcare systems.