Would a data breach make you consider switching healthcare providers? With consumers’ concerns about privacy at an all-time high, a slew of recent high profile breaches in the healthcare industry has shown that many healthcare delivery organizations’ (HDOs) current security practices and controls are inadequate.
“Identifying risks and protecting electronic health information can be challenging. HDOs house personal health information and payment information, and all are lucrative targets for hackers, as well as malicious or curious insiders,” says Zafar Chaudry, research director at Gartner. “Most HDO employees, however, want to help people, not become technologists, and may view information security protections as obstacles to delivering healthcare.”
Studies show that the leading cause of data breaches in the healthcare industry are lost or stolen devices containing personal health information. However, many healthcare organizations are still failing to dedicate resources to provide adequate security for devices and infrastructure.
For this reason, Chaudry develops four guidelines to help HDO CIOs prepare for the challenges, effectively assess risks, and develop appropriate security policies to protect electronic health information. These guidelines include:
Undertake a Current-State Assessment of the Data the Healthcare Organization Owns, Manages and Uses
Before taking further concrete action, a CIO must take stock of everything — in terms of both technology and information — the HDO owns, manages and uses. Security cannot operate in a vacuum, and even the savviest CIO cannot know the details of every department’s operations. This makes it critical that the information security team meet regularly with the HDO’s end users to discuss their pain points, wishes and preferences.
Review Existing Health Information Security Policies to Identify All the Risks to Electronic Health Information That the Organization Faces
Undertake a formal review of the organization’s current security policies. This means identifying all the risks to electronic health information that the organization faces, trying to understand the likelihood of an undesirable action or event occurring as a result of that risk, and evaluating the impact of such an action or event on the organization or its patients.
Formulate a Comprehensive Plan to Educate and Train Healthcare Users on Security
HDO CIOs must provide training on the legal and ethical requirements of patient data privacy for all impacted end users, and solicit feedback on how procedures and systems should be developed to meet future needs. Security awareness and security practices must be ingrained in every department and every employee. The most successful processes and products will be those that seamlessly integrate into workflows, while protecting data.
Carefully Review All Network Security Plans, Especially If BYOD Is an Organizational Consideration
HDOs’ data is now spread across a broad and growing range of devices, which improves care but also increases the risk of data loss or misappropriation. HDOs are embracing bring your own device (BYOD) policies, and many device purchases occur without input from the IT organization. It is critical that the CIO review BYOD-related risks and implement appropriate protections.