The IT department may be the foundation of health care organizations' security efforts. But presenters at the Privacy and Security Forum in Boston said providers should look beyond technology to create a culture of security that protects patient information and helps avoid a potentially costly data breach.
It can be difficult to separate security from technology. As more hospitals implement electronic health records, or EHRs, and other IT systems, the amount of patient data stored in electronic formats continues to grow quickly. Furthermore, complying with the meaningful use rules, which is typically a project for IT departments, requires hospitals to take steps to protect electronic information.
More resources for creating a culture of security
How to avoid a data breach
Breaking down the costs of a data breach
Health IT Exchange expert: Health care security vulnerabilities
But avoiding a data breach is not simply about the technology used, speakers at the privacy forum said. The way workers interact with available IT resources will determine how successful privacy and security initiatives are. "Security is not really about technology, it's about people," said Jennings Aske, chief information security officer at Partners Healthcare. "There are many ways to secure a device or data, but are the people on board with what you're trying to do? That's what really counts."
Technology plays a necessary role in securing patient information, Aske said. Organizations can encrypt data and use access management software to prevent unauthorized individuals from viewing patient records. But technology can also introduce new security risks. Many hospitals now allow clinical staff to bring their own devices for use in patient care, which may store patient information in an unsecure form without the user being aware. This is why it's important for staff to understand how to use IT resources safely and securely, Aske said.
Taking action to create a culture of security
For hospitals to ensure staff are using clinical IT systems properly, organizations must first create detailed policies outlining how to appropriately access patient information and make sure everyone in the organization follows these policies, said Tim Zoph, senior vice president of administration and chief information officer at Northwestern Memorial Healthcare.
The stakes are too high to leave information security to the IT staff alone, Zoph said. Hackers are becoming more sophisticated, and the increasingly interconnected IT environment means vulnerabilities extend into all areas of an organization. Furthermore, providers that experience data breaches could lose patients' trust, which could lead them to seek care elsewhere. "Security is one of these blind spots," he said. "It's a subtle erosion that saps your patients' confidence."
There are many ways to secure a device or data, but are the people on board with what you're trying to do? That's what really counts.
CISO, Partners Healthcare
Evidence supports Zoph's comments about the role information security plays in a provider's reputation. One Ponemon Institute survey indicated that 62% of patients whose records have been compromised trust their provider less because of the incident.
Mac McMillan, CEO at CynergisTek and chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, said one of the best ways to get clinical staff to follow security policies is to make sure executives and other members of the leadership team also abide by the rules.
When doctors and nurses see executives walking around without their ID badges or bypassing other security requirements, it sends the message that security is not a high priority, McMillan said. Even though the repercussions of a data breach can be large, he feels many providers downplay the importance of security. Many hospitals place their security officer low on the organizational chart, security budgets are relatively low compared to those in other industries, and people don't talk about protecting information as if it is central to the hospital's mission.
"When you look at the breach statistics, I don't feel that it's unacceptable in health care to have a breach. That's what culture is all about," McMillan said.
Improving information security doesn't necessarily have to involve major IT initiatives. Simply raising employees' awareness of how to protect data can go a long way. For example, the majority of data breaches occur, not because of hackers penetrating a secure network but because employees lose portable devices containing patient health information, said Howard Burde, principal at Howard Burde Health Law. Additionally, laptops containing patient records are often stolen from cars. Explaining to workers the importance of physically securing devices and making clear the consequences of failing to secure data could dramatically reduce the number of breaches.
"There is no reason that anyone should leave any portable media on the seat of a car," Burde said. "If they're that thoughtless of the information of the patient, they ought not to be there."