Healthcare organizations are under attack. Hackers and other criminals want medical records and patient personal information since these can open up easy access to bank accounts and other financial systems. The recent data breach at Anthem is a perfect example of how vulnerable organizations are. The latest count from Anthem is 80 million people may be affected by this breach.
Information in the healthcare industry is growing exponentially. According to a study in 2014 on big data analytics in healthcare, the amount of stored data in the United States may soon reach zettabyte (10^21 gigabytes) scale and, not long after, the yottabyte (10^24 gigabytes). Historically this information has been in paper format, but because of information technology advances and Health Information Portability and Accountability Act (HIPAA) regulations, healthcare providers are moving more and more to electronic form.
As it becomes easier to do business with tablets and PCs, the risk to privacy and the security of the information increases. Not only can privacy and security breaches damage your organization’s reputation and compromise patient relationships, but they can have a high cost. The penalties for HIPAA noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations.
Hospitals, insurance companies and other healthcare providers need to ensure they protect both clinical and non-clinical information from a potential data breach. If a healthcare organization does not protect a patient’s date of birth, medical record number or Social Security number, executives and other culpable individuals may be charged with criminal negligence and could face jail time.
The HIPAA Security Rule defines Technical and Administrative Safeguards meant to govern access to electronic protected health information (PHI) and includes specifications for unique user identification, automatic log-off and encryption of data.
Here are some steps your organization can take to help reduce your risk:
- Improve user authentication – ensure only authorized users can access clinical systems, sensitive files and any information system containing patient data. This includes billing, payment and other systems involved in insurance reimbursement. Make sure that IT and other administrators can only access information they are authorized to view.
- Encrypt files when you create them – healthcare organizations create a lot of documents containing sensitive patient and medical practitioner information. You should implement encryption and security policies that protect the files as soon as a user creates them. The policies guarantee that only authorized users can access the content within them, regardless of where the files end up.
- Encrypt localized data – many people download sensitive data from EHR and database systems into spreadsheets so they can analyze the information. They also download documents, X-rays and other images for clinical and administrative reasons. Encrypt and apply security policies to that information so that the data stays protected even if a file falls into the wrong hands.
- Create an audit trail – track all data access, both to meet the HIPAA Security Rule and to ensure only authorized users have access to sensitive information. This is also helpful for tracing the source of a potential data breach if you suspect a security violation.
Meeting HIPAA compliance and reducing the risk to your business are critical as healthcare organizations try to serve their patients and protect their privacy. Implement these four steps and you are well on your way to protecting your patients, meeting regulations and letting your CEO sleep better.
Photo credit NEC Corporation of America