While few health care providers intentionally put protected health information (PHI) at risk, many are careless and fail to take adequate measures to actively protect sensitive data, which leads to HIPAA compliance problems.
That is the message of a paper published this week in the New England Journal of Medicine. It was written by a trio of officials from the Department of Health and Human Services’ Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services’ (CMS) Center for Program Integrity. The authors said providers have to start taking PHI security more seriously, particularly as the adoption of networked technologies makes this data easier to move and copy.
To highlight the problem, the team pointed to a recent OIG investigation in which auditors were able to obtain patient health records from several hospitals simply by connecting to unsecured wireless networks from the hospitals’ parking lots.
This kind of vulnerability obviously leaves hospitals open to hacking attempts. But it is not just the malicious actions of criminals that providers need to guard against. The authors of the report said that hospital staff often take a careless attitude toward security protocols. In fact, PHI is much more likely to be lost than stolen, and lax compliance with hospital policy is one of the main reasons why.
To combat these problems, the authors pointed to a set of recommendations from the Office of the National Coordinator for Health IT. They said hospitals should take these precautions, which sound elementary but, from OIG’s point of view, are not standard operating procedure at many facilities:
- encrypt patient records
- password-protect documents
- remotely wipe lost or stolen devices
- disable file-sharing programs
- install firewalls
- enable antivirus software
- keep software up to date
- understand the risks of mobile devices
- maintain physical control of devices
- secure Wi-Fi networks
- delete information from devices that will be discarded