Posted by: RedaChouffani
data breach, HIPAA, security
Protecting patients' electronic medical records remains a key focus for every organization that has adopted an EMR. However, the approach and the steps taken to achieve that protection vary significantly from one organization to another.
Security experts agree that every organization, regardless of size, should take the appropriate steps to properly safeguard its patients' medical records. But many smaller medical organizations face obstacles that increase their vulnerability.
Despite recent events such as the HHS announcement in November 2011 that the Office for Civil Rights (OCR) had begun auditing selected covered entities' compliance with the privacy and security rules, and the case of a small surgery practice in Phoenix that was recently fined $100,000.00, many small to mid-size medical groups are still not adequately protected against data breaches. Parts of the challenge they face are:
Scans and network assessments: For many smaller practices, a thorough assessment can be costly. Network penetration testing, and deploying the appropriate tools to evaluate the network and systems periodically, do not always get the highest priority. As a result, a physician's group can overlook potentially dangerous vulnerabilities within the network that could allow serious breaches.
Inadequate security practices: From time to time I discover poor security practices when I visit medical organizations. Simple things such as leaving a workstation in the exam room unlocked while a patient sits in that room can enable someone to install malicious applications and possibly steal data. Beyond that, there are many cases where clinicians and nurses communicate via email and transmit patient information without encryption or a secure channel. One must recognize that every channel through which patient information is communicated, or through which it is made available on any device, is a potential point of entry for someone seeking that data.
Mobility: Mobile phones have gained significant momentum in the healthcare market. Clinicians use these devices to view patient charts, prescribe medication and communicate with colleagues and patients. But these devices carry many risks when they are lost or stolen: if not properly protected, they can be an easy way to gain access to significant amounts of data. Furthermore, with recent reports of malware targeting mobile devices, it becomes even more critical to adopt mobile app and mobile device policies that protect the data accessed through them.
Social media use: Staff in many organizations periodically check in to their preferred social sites. Social media has been a source of virus infections, in addition to reducing productivity and distracting employees. It becomes very important to set expectations and put controls in place so that, if access to these sites is allowed, adequate safeguards keep systems protected.
There are a few steps to take when evaluating risks, and managing them, within an organization of any size:
EXAMPLE RISK ANALYSIS STEPS:
- Identify the scope of the analysis.
- Gather data.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of threat occurrence.
- Determine the level of risk.
- Identify security measures and finalize documentation.
EXAMPLE RISK MANAGEMENT STEPS:
- Develop and implement a risk management plan.
- Implement security measures.
- Evaluate and maintain security measures.
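The two step lists above, carried through as an added example (my code, not the author's): a toy risk register that records the threats and vulnerabilities named in this post, assesses existing safeguards, scores likelihood times impact, and attaches planned measures to every risk that is not low. It assumes a 1 to 3 scale for likelihood and impact and that each existing safeguard lowers likelihood by one step; the findings and catalogue are constructed illustrations, not a real assessment.

```python
"""Toy HIPAA-style risk analysis: threat/vulnerability -> likelihood x impact -> level -> plan."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    asset: str                 # step 1: what is in scope
    threat: str                # step 3: what could go wrong
    vulnerability: str         # step 3: why it could succeed
    likelihood: int            # step 5: 1 (rare) .. 3 (likely), before existing controls
    impact: int                # step 6: 1 (minor) .. 3 (severe, e.g. many patients' PHI exposed)
    controls: list = field(default_factory=list)  # step 4: safeguards already in place
    planned: list = field(default_factory=list)   # step 8: measures chosen for the plan

def residual_likelihood(f: Finding) -> int:
    # Assumption: each existing safeguard lowers likelihood by one step, never below 1.
    return max(1, f.likelihood - len(f.controls))

def risk_level(likelihood: int, impact: int) -> str:
    score = likelihood * impact  # 1..9
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def analyze(findings):
    """Step 7: return (finding, score, level) triples ordered from highest to lowest risk."""
    rows = [(f, residual_likelihood(f) * f.impact,
             risk_level(residual_likelihood(f), f.impact)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def plan(findings, catalogue):
    """Risk management: attach catalogued safeguards to every finding that is not low."""
    for f, _, level in analyze(findings):
        if level != "low":
            f.planned.extend(catalogue.get(f.vulnerability, ["(no measure catalogued)"]))
    return {f.asset: f.planned for f in findings}

# Constructed sample data, drawn from the practices this post describes.
FINDINGS = [
    Finding("exam-room workstation", "unattended patient installs malware or reads charts",
            "left unlocked while unattended", likelihood=3, impact=3),
    Finding("staff email", "PHI intercepted in transit", "sent without encryption",
            likelihood=3, impact=3),
    Finding("clinician smartphone", "device lost or stolen", "no passcode or remote wipe",
            likelihood=2, impact=3, controls=["MDM enrolment"]),
    Finding("workstations", "malware from social media sites", "unfiltered web access",
            likelihood=2, impact=2, controls=["antivirus", "web filter"]),
]
CATALOGUE = {
    "left unlocked while unattended": ["auto-lock after 2 minutes", "staff training"],
    "sent without encryption": ["encrypted email gateway"],
    "no passcode or remote wipe": ["enforce passcode and remote wipe"],
}

if __name__ == "__main__":
    for f, score, level in analyze(FINDINGS):
        print(f"{level:6} {score} {f.asset}: {f.threat} ({f.vulnerability})")
    print(plan(FINDINGS, CATALOGUE))  # the finalized documentation of step 8
```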
Many things motivate data breaches, such as cyber warfare, blackmail, slander, or simply the desire for recognition. Ultimately, patients are the stakeholders who lose the most. While some requirements have not yet been fully enforced, every organization must take security very seriously. A data breach can be the beginning of the end for an organization, and there are some very simple steps to take to ensure that patients' data is protected.