Health IT and Electronic Health

Community Blog

Feb 29 2012   11:24AM GMT

Best practices for data breach prevention in health care

Posted by: Jenny Laurello
Data breach, Data security, HIPAA

Guest post by: Sean Glynn, Vice President, Marketing, Credant Technologies

As the disclaimer on a non-prescription supplement or medicine tells you, it is important to consult your physician before beginning a new treatment plan, or continuing an existing one that is causing an adverse reaction. When it comes to securing Protected Health Information and preventing data breaches, I offer the same advice — start by consulting your physicians and other health care professionals.

I read a report this month, based on an analysis of data breach information on the US Department of Health and Human Services website, which found the total number of patient records compromised in the US increased by 97% in 2011 compared with 2010.  This followed a Ponemon report from December 2011 that found a 32% increase in the frequency of health care data breaches from the previous year – with 49% of respondents citing lost or stolen computing devices and 41% noting unintentional employee action. 

By any interpretation of these numbers, it is clear that when it comes to data security and data breach prevention, our patient – health care professionals – could use some expert guidance. 

Of course there are specialists in the area of data protection (and, in the spirit of full disclosure, my own company is one of those) offering technology solutions that can help you implement and manage data protection across your organization. But even the best experts can only help after a full consultation and examination of the patient is complete, and after any recommendations made have been discussed with and agreed to by the patient.

The health care industry in the United States is incredibly data-rich. As a function of delivering quality care, health care practitioners at hospitals, clinics and physicians’ offices routinely access and update the sensitive Protected Health Information (PHI) of their patients – and that information in turn, be it medical, financial or administrative data, is often accessed and manipulated by any number of business associates in the course of their duties.

This easy and immediate access to valuable health information from any device, and from any location, is very beneficial to health care professionals. It helps them deliver the highest levels of care to patients. However, if an appropriate level of protection is not in place for the data residing on those devices, the risk of that data being breached grows sharply with every additional device and location from which it is accessed.

How does a health care IT professional approach the problem of preventing data breaches? 

We could take the approach of mandating a particular treatment plan — implementing data protection processes, technologies and policies that try to force health care professionals to act and work in a different way. But in the same way that flavored medicines make it easier for me to convince my daughter to take her medicines than it was for my mother to convince me to take the foul-tasting concoctions I was presented with as a child, a treatment plan that is easy to accept will be far more successful. Furthermore, the patient is far more likely to follow the treatment plan if they have been consulted in advance, and if the tools put in place to protect the sensitive data they access on a day-to-day basis are designed to meet their broader needs.

Health care professionals are resolved to avoid causing harm to their patients, including as a result of a PHI data breach. While this is important, it is only a part of their overall goal of providing the highest quality of care to patients.  If IT security professionals are to help them do so, then we must better understand their needs in delivering that care:

  • Which devices do you use, or plan to use, to access the PHI data you need to provide quality care?
      o Desktops, laptops, tablets, smartphones?
  • When you need to share sensitive data with colleagues, how do you do so?
      o USB thumb drives, cloud storage solutions, email, etc.?
  • Do you have sensitive data stored on shared devices? (In the office, on hospital wards, etc.)
      o Should everyone with access to those devices also have access to all the data? If not, which users should have access and which should not?
  • Who else will need to access PHI for your patients?
      o Colleagues? Outside consultants or experts? Business associates? Etc.

Once we determine the answers to these questions, we can design and implement data protection solutions that:

  • protect data on the devices health care professionals are actually using;
  • allow for easy sharing of data with others, while maintaining protection for the data throughout its lifecycle;
  • leverage existing identification and authentication tools, without burdening users with additional steps in order to access relevant data; and
  • allow health care professionals to deliver the highest quality of care, without putting sensitive patient data at risk of a breach.

By consulting early with health care professionals on the front lines we will not only be able to better understand and meet their needs for easy and immediate access to PHI, but we will also have created an environment where health care practitioners are fully trained, aware and engaged in taking advantage of the tools put in place to protect that data.

Please visit Credant Technologies for more information.
