Healthcare data breaches are on the rise. According to a Government Info Security report, there have been 385 data breaches affecting 19 million individuals since 2009. This is a major issue for the healthcare industry because data breaches are costly. They can damage reputations and violate the privacy of patients. Other industries are vulnerable to data breaches as well, but since healthcare deals with health, identity and financial information, the impact of healthcare data breaches could be more consequential.
Many hospitals and health systems have enacted extensive security and privacy measures to become HIPAA compliant and protect their patients' personal information. However, even with encryption, passwords and protocols, data breaches are still occurring. Many factors could lead to a data breach so it is important to eliminate any mistakes in data security. Here David Finn, health information technology officer at Symantec, discusses three major mistakes he commonly sees when healthcare officials approach data security.
1. Thinking data security is an IT issue. "Some hospital executives only engage in data security after they see the economic and reputational impact of a data breach on another healthcare organization. Until then, many officials think data security is an IT issue," says Mr. Finn. When hospital executives think of the hospital or health system's data security as an IT department project, it is a big mistake. Executives need to remember that what happens to healthcare data is the entire hospital's business. Data is integral to care delivery and it needs to be protected.
"At the end of the day healthcare data is what moves a hospital or health system. It is what physicians base their decisions on and the orders pharmacists fill — it is the underlying wheels of the hospital," says Mr. Finn. When executives fail to encourage enterprise-wide ownership of the hospital's data, security and protection may lag. The IT department needs support.
2. Forgetting to protect data integrity, availability. Many healthcare organizations realize the necessity to protect healthcare data's confidentiality. However, protecting the integrity and availability of the data is also important. Hospital executives need to have a broader security focus and implement protocols for all types of data threats. The goal is to have efficient as well as quality care, and data integrity leads to those quality outcomes. Additionally, the healthcare industry is increasingly reliant on technology so data availability is increasingly critical as well.
"What if the weight of a patient was entered incorrectly and the patient was accidently over-dosed," says Mr. Finn. "Or, what if the electronic medical record system broke down and physicians had to revert to pen and paper medical records, or worse, had no histories, allergy lists or medication lists. The hospital needs to protect its healthcare data for these instances as well." Protecting the privacy of the data is a moot point if the data is inaccurate or inaccessible.
3. Overlooking data storage protection. Officials need to understand where healthcare data exists when it is created, used, stored and transmitted. When healthcare data flows through a hospital — and outside the hospital — to pharmacists, specialists and healthcare professionals it is easy to forget about where the data might wind up, says Mr. Finn. Often, officials implement rules for data sharing and its usage but they forget the last step, data storage. When officials do not think about where the data goes it causes problems.
"It is easy to put information in the electronic medical record and believe that is where the data exists. When no one is considering where the data goes, it can get forgotten and unaccounted for. That leads to lost and stolen data. That leads to a data breach," says Mr. Finn.
Where the data is stored depends on who the information is shared with, the hospital's operations and how the data is used. The data could be stored in a warehouse off-site or on a specialist's laptop or a researcher's iPod — the location or the device is not important. What matters more are the policies and procedures about the data. An official that does not understand where the data is may have a hard time implementing effective procedures for its security.
3 Considerations for Evaluating Data Breach Insurance Policies
8 Tips for Strengthening Mobile Heath Security
Many hospitals and health systems have enacted extensive security and privacy measures to become HIPAA compliant and protect their patients' personal information. However, even with encryption, passwords and protocols, data breaches are still occurring. Many factors could lead to a data breach so it is important to eliminate any mistakes in data security. Here David Finn, health information technology officer at Symantec, discusses three major mistakes he commonly sees when healthcare officials approach data security.
1. Thinking data security is an IT issue. "Some hospital executives only engage in data security after they see the economic and reputational impact of a data breach on another healthcare organization. Until then, many officials think data security is an IT issue," says Mr. Finn. When hospital executives think of the hospital or health system's data security as an IT department project, it is a big mistake. Executives need to remember that what happens to healthcare data is the entire hospital's business. Data is integral to care delivery and it needs to be protected.
"At the end of the day healthcare data is what moves a hospital or health system. It is what physicians base their decisions on and the orders pharmacists fill — it is the underlying wheels of the hospital," says Mr. Finn. When executives fail to encourage enterprise-wide ownership of the hospital's data, security and protection may lag. The IT department needs support.
2. Forgetting to protect data integrity, availability. Many healthcare organizations realize the necessity to protect healthcare data's confidentiality. However, protecting the integrity and availability of the data is also important. Hospital executives need to have a broader security focus and implement protocols for all types of data threats. The goal is to have efficient as well as quality care, and data integrity leads to those quality outcomes. Additionally, the healthcare industry is increasingly reliant on technology so data availability is increasingly critical as well.
"What if the weight of a patient was entered incorrectly and the patient was accidently over-dosed," says Mr. Finn. "Or, what if the electronic medical record system broke down and physicians had to revert to pen and paper medical records, or worse, had no histories, allergy lists or medication lists. The hospital needs to protect its healthcare data for these instances as well." Protecting the privacy of the data is a moot point if the data is inaccurate or inaccessible.
3. Overlooking data storage protection. Officials need to understand where healthcare data exists when it is created, used, stored and transmitted. When healthcare data flows through a hospital — and outside the hospital — to pharmacists, specialists and healthcare professionals it is easy to forget about where the data might wind up, says Mr. Finn. Often, officials implement rules for data sharing and its usage but they forget the last step, data storage. When officials do not think about where the data goes it causes problems.
"It is easy to put information in the electronic medical record and believe that is where the data exists. When no one is considering where the data goes, it can get forgotten and unaccounted for. That leads to lost and stolen data. That leads to a data breach," says Mr. Finn.
Where the data is stored depends on who the information is shared with, the hospital's operations and how the data is used. The data could be stored in a warehouse off-site or on a specialist's laptop or a researcher's iPod — the location or the device is not important. What matters more are the policies and procedures about the data. An official that does not understand where the data is may have a hard time implementing effective procedures for its security.
More Articles on Healthcare Data Security:
Security Protocol Violation Caused Utah Health Data Breach3 Considerations for Evaluating Data Breach Insurance Policies
8 Tips for Strengthening Mobile Heath Security