Much attention has been given to protecting EHR data from hackers who might break into a database and steal or alter information. However, I am more concerned about another kind of threat: the inside job. What is being done to prevent people and institutions that already have access to personal health care information from using the data in a way that compromises the confidentiality of this data? All it will take is one or two well-publicized cases of leaked information to undermine the patients’ faith in the confidentiality of their relationships with their physicians.
ASKED: September 20, 2010 8:34 PM
UPDATED: November 3, 2011 5:23 pm
To manage the risk of an inside job, there are some other steps that should be taken in addition to those Nitinarora suggests.
Enable the logging functions of the EHR system to capture the data (i.e., who, what, when) concerning accesses to the system.
Review the logs regularly, looking for unusual activity. For voluminous logs, there are software tools to facilitate the review.
Make sure everyone knows that activity is being logged and regularly reviewed.
For all new hires, do a BCI (background criminal investigation) and update the BCI every couple of years.
Encrypt all data at rest (i.e. in all storage media) and in transit.
Document these policies and audit for compliance annually. If the audit produces findings, take corrective action promptly.
The potential damage to a practice in the event of a breach, whether inadvertent or malicious, is severe. The cost, which includes notification and follow-up monitoring, has been estimated to be $200 per patient. Moreover, insurance companies (to the best of my knowledge) refuse to cover losses of this type. Perhaps someday there will be laws enacted to limit liability of a practice which has followed best practices to manage this risk, but so far politicians have done nothing.
I do agree with the different steps listed above. I also want to add the fact that software vendors need to make an effort to allow tracking as part of the audit trail of specific tasks such as printing patient demographics (batch printing as described above), and this will ensure that if an employee attempts to steal information, there would be sufficient proof to identify the user. Many applications simply don’t track printing of specific reports. We also must understand that there will need to be more education to not only the staff that have access to the info, but also the IT department. Whether you are a DBA with full access to the database or simply have administrative access, IT must be just as involved in protecting the data as any other staff member.
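The two answers above call for capturing who/what/when on every EHR access (including report printing) and then reviewing the log for unusual activity. The following is an added illustration, not code from any poster or from any EHR product, of what that regular review can look like in practice. The log format, the sample log lines and the three thresholds (distinct patients per user, business hours, and the batch-print count) are all constructed assumptions; a real practice would tune them to its own baseline.

```python
"""Review a (constructed) EHR access log for activity that warrants a closer look."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, not from any real system.
# Each line: ISO timestamp | user | action | patient id
SAMPLE_LOG = """\
2010-09-21T09:05:12 | jdoe   | VIEW  | P1001
2010-09-21T09:07:40 | jdoe   | VIEW  | P1002
2010-09-21T10:12:03 | jdoe   | VIEW  | P1001
2010-09-21T11:00:00 | rsmith | VIEW  | P2001
2010-09-21T11:01:00 | rsmith | VIEW  | P2002
2010-09-21T11:02:00 | rsmith | VIEW  | P2003
2010-09-21T11:03:00 | rsmith | VIEW  | P2004
2010-09-21T11:04:00 | rsmith | VIEW  | P2005
2010-09-21T11:05:00 | rsmith | VIEW  | P2006
2010-09-21T02:15:30 | bjones | VIEW  | P3001
2010-09-21T14:20:00 | tlee   | PRINT | P4001
2010-09-21T14:20:05 | tlee   | PRINT | P4002
2010-09-21T14:20:10 | tlee   | PRINT | P4003
2010-09-21T14:20:15 | tlee   | PRINT | P4004
"""


def parse_log(text):
    """Turn the pipe-delimited log text into a list of event dicts (who, what, when, which patient)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient = [field.strip() for field in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return events


def find_unusual_activity(events, max_distinct_patients=5,
                          business_hours=(time(7, 0), time(19, 0)),
                          print_batch_threshold=3):
    """Apply three simple review rules (thresholds are assumed values, tune per practice):

    - after_hours: any access outside business hours
    - high_volume: one user touching more distinct patient records than expected
    - batch_print: one user printing patient reports in bulk (the audit-trail gap noted above)
    """
    findings = []
    patients_by_user = defaultdict(set)
    prints_by_user = defaultdict(int)
    start, end = business_hours

    for event in events:
        patients_by_user[event["user"]].add(event["patient"])
        if not (start <= event["ts"].time() < end):
            findings.append({"rule": "after_hours", "user": event["user"],
                             "detail": f'{event["ts"].isoformat()} {event["action"]} {event["patient"]}'})
        if event["action"] == "PRINT":
            prints_by_user[event["user"]] += 1

    for user, patients in patients_by_user.items():
        if len(patients) > max_distinct_patients:
            findings.append({"rule": "high_volume", "user": user,
                             "detail": f"{len(patients)} distinct patients"})

    for user, count in prints_by_user.items():
        if count >= print_batch_threshold:
            findings.append({"rule": "batch_print", "user": user,
                             "detail": f"{count} patient reports printed"})

    return findings


if __name__ == "__main__":
    for finding in find_unusual_activity(parse_log(SAMPLE_LOG)):
        print(f'{finding["rule"]:12} {finding["user"]:8} {finding["detail"]}')
```

Each finding names the rule, the user and the evidence, which is the minimum a reviewer needs to follow up with the person's manager. Normal activity (jdoe viewing two patients during the day) produces nothing, so the reviewer's time goes to the exceptions rather than the whole log.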
BAAs are important, as well as HIPAA employee training. Even making employees aware of the fines, penalties and job loss risk can help deter internal data breaches.
Logging, background checks, and training should track or cut down on potential data theft. It’s important that people with access to the PHI only access it for good reason.