What should a hospital or health system include in its New Year's resolution? Completing preparations to protect patient records and reduce data breach stress.
The "Third Annual Benchmark Study on Patient Privacy & Data Security" by Ponemon Institute reports that data breaches in healthcare are growing, that insider negligence is the root cause, and that mobile devices pose threats to patients' protected health information. Although 94 percent of the healthcare organizations surveyed in the report suffered a data breach, breaches don't have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes that better protect patient data and minimize breach impact. So, how can hospitals and health systems do this?
In order to help organizations keep a New Year's resolution of better patient data protection, ID Experts, a data breach solutions provider, compiled 11 tips from industry experts.
1. Establish mobile health policies. Hospitals should establish mobile device and "bring your own device" policies that include technical controls and employee and management procedures, according to Rick Kam, president and co-founder of ID Experts.
2. Understand cloud policies. "Control the cloud or it will control you. Make it a point to fully understand what cloud service-level agreements mean in practice and then push for meaningful information on failover and disaster recovery practices," says Richard Santalesa, JD, senior counsel of InfoLawGroup, a law firm focusing on privacy and data security.
3. Have a breach response plan ready and tested. Marcy Wilder, JD, partner and director of the global privacy and information management practice at Hogan Lovells, recommends hospitals have an updated breach plan that has been tested. "This will help pave the way for a well-executed response that can mitigate the financial, legal and reputational harm caused by a security incident involving patient information," she says.
4. Conduct risk assessments. "Conduct small but focused risk assessments rotating control review on a monthly basis to continually understand and measure risk. Most importantly, have a plan to address the risk, through remediation, mitigation or risk transfer activities," says Chad Boeckmann, president and chief strategy officer of Secure Digital Solutions, an information security, privacy and compliance management provider.
5. Protect mobile health devices against viruses. "Immunize mobile devices against viruses that might steal patient data," says Larry Ponemon, MD, chairman and founder of Ponemon Institute.
6. Educate leadership on phishing and social engineering. Hospital executives should be educated on phishing and other social engineering campaigns, according to Michael Boyd, director of information security management at Providence Health & Services in Renton, Wash. Phishing is the act of acquiring information by masquerading as a trustworthy entity in electronic communication. Social engineering refers to manipulating people into divulging confidential information. Hospital staff should be educated on these terms as well as on how to avoid falling prey to them.
7. Use a checklist. "Use a checklist to evaluate periodically whether covered entities and business associates are in compliance with all privacy and security requirements. Sign and date the checklist to show that your organization is not guilty of willful neglect in complying with privacy and security laws," says Jim Pyles, JD, founding partner of Powers, Pyles, Sutter & Verville.
8. Educate staff. "Educate all staff to recognize applications, mobile devices and medical equipment that collect, contain or transmit patient information and/or biometric data; and train them to communicate the risk to those responsible for information security management," says Christina Thielst, vice president of Tower Strategies, a patient experience consulting group.
9. Evaluate residual risk of data breach. According to Christine Marciano, president of Cyber Data Risk Managers, a data breach insurance provider, hospitals should decide how to handle the residual risk of a data breach, how much risk to accept and how much, if any, risk to transfer through cyber insurance.
10. Foster input from the board. Boards should ensure their hospitals have robust, board-reviewed and -approved security policies and procedures, says Larry W. Walker, president of The Walker Company, a healthcare consulting company.
11. Look for applications and software that can handle big data. "Currently, [hospitals] have to deal with data minimization, but in the future, [they must] look for applications that may collect [data] broadly, but protect against unauthorized disclosure or misuse very, very well," says Jon Neiditz, JD, partner of Nelson Mullins Riley & Scarborough. "'Big data' is a source of both the disease and the cure for privacy and information security symptoms."