ID Experts, an IT services vendor that offers customers assistance with security and compliance projects, released a list of 10 data breach vulnerabilities today. While the items mainly revolve around what the experts considered general security weaknesses, a few certainly apply specifically to healthcare IT.
To no one’s surprise, three of the vulnerabilities relate to mobile devices. From policy and protocol reservations to technical fears such as malware and hackers, this is a space that keeps many IT directors and CIOs up at night.
BYOD – Most organizations now allow employees to access company data via personal smartphones, yet lack appropriate security protocols to protect the data, thus adding significant risk exposure to patient records. (Robin Slade, development coordinator, Medical Identity Fraud Alliance)
Malicious mobile applications – Smartphone applications are fun, useful, and prevalent. But malicious code can be easily embedded within applications, with the sole intention of grabbing and stealing consumer data, including credit card numbers and other personally identifiable information. (Robin B. Campbell, senior counsel, Crowell & Moring)
Wireless medical devices – A wireless pacemaker can wirelessly transmit patient data 24/7 that could be used to steal, exploit, or tamper with a patient’s health records, with potentially life-threatening consequences. (Rick Kam, president and co-founder, ID Experts)
Cloud computing and internet concerns were also prominent on the list, as potentially leaving data exposed on the web is a major worry for healthcare organizations. This section also serves as a reminder to consistently check all firewall activity.
Cloud-based file sharing tools – Storing unencrypted files and documents can put data at risk for loss or hackers. Organizations should take precautions when using file-sharing services in the cloud so they don’t expose sensitive information. (Larry Ponemon, chairman and founder of the Ponemon Institute)
Web crawlers/Web spiders – Search engines utilize software applications to systematically browse and index content available over the World Wide Web. An improper firewall setting could allow for the contents of a server containing sensitive personal information to be indexed and for that information to appear in search results. (Eric A. Bukstein, associate, Hogan Lovells)
Other potential landmines aren’t necessarily high-tech. A number of healthcare organizations still use paper records, which can easily be mishandled or misplaced. Paper records are just one facet of one of the biggest issues for these organizations: human error.
Paper records – Covered entities are now so focused on IT security matters, that there is a danger that basic privacy safeguards for paper records will not keep up with changes in work processes. Safeguards for handling paper records are needed, as much as ever, to keep protected health information out of the wrong hands during routine use, as well as en route to storage, the shredder, or disposal. (Terrill Clements, equal opportunity specialist, U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) – Region X)
Human error – A growing majority of breaches occurs because of a human error on the inside of an organization; we recognize this based on the claims we are paying. Organizations should be asking how personally identifiable information is being handled, stored, accessed, and who is accountable for protecting it. An organization should have the right policies, procedures, and training in place to build awareness around the importance of protecting this data. It should be from the top down. (John Gambale, head of professional liability, U.S. and Canada, AIG)