Patient data security needs to be a top priority at every healthcare organization, regardless of the size of the covered entity. This is especially critical as more facilities begin to implement mobile devices, use new EMR systems and even connect to HIEs. However, recent research shows that some organizations might not be properly managing data access, which may lead to patient data security issues.
Even where access to electronic patient data is restricted, 63 percent of healthcare staff are still able to log on to different devices and workstations concurrently, according to a recent report by IS Decisions. Furthermore, 49 percent of surveyed healthcare employees are required to log off manually, while 30 percent do not have unique logins.
The report, Healthcare: Data Access Compliance, also found that only half of US healthcare employees are aware that their organizations monitor network access, while 46 percent stated that they believe their actions on the employer’s network can be attributed to them.
A somewhat troubling finding was that 57 percent of US healthcare staff said their organizations had formal agreements to adhere to security policies written into their contracts.
“To take the standard of security training beyond the base level in on-boarding staff, it is sensible to include adherence to security policies within employee contracts,” the report stated. “This ensures a level of responsibility on the part of the employee, providing a line of culpability in the event that they take action to subvert a policy.”
In terms of security training during the on-boarding process, 29 percent of surveyed healthcare professionals did not receive any security training when they were employed, the report found. Moreover, just 55 percent of existing employees stated they received IT security training.
While HIPAA regulations require risk assessments, and regular security audits are encouraged, the report found that only 34 percent of US healthcare staff are aware of their organization conducting regular security audits. The report’s authors acknowledge that such audits could be conducted without staff knowledge, but added that “transparency with regards to auditing is recommended as it reminds employees to be vigilant, and may even deter any potentially malicious activity.”
“Healthcare organizations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients,” IS Decisions CEO Francois Amigorena said in a statement. “Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process.”
Amigorena added that this goal could be achieved by properly implementing and combining access control policies, user identity verification, and user activity auditing.
Restricting employee access is becoming an increasingly prominent issue in the healthcare industry. Earlier this year, a Ponemon Institute survey commissioned by Varonis Systems, Inc. revealed that 56 percent of IT practitioners said they believe their organizations place just a moderate to low priority on protecting company data, or no priority at all.
The survey found that 73 percent of health and pharmaceutical employees said they have access to sensitive or confidential patient information. Of those respondents, 41 stated that they and their co-workers can see “a lot of” sensitive data.
“The damage can be greatly reduced by managing data access permissions, making sure employees only have access to the data they need to do their jobs, and by monitoring for unusual activity,” explained Varonis Co-Founder and CEO Yaki Faitelson.