Human error is one of the top causes of health data breaches. HHS' Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010 found that human error was the fourth main cause of data breaches affecting more than 500 people. In September, an employee's failure to follow an encryption policy for data on his or her laptop may have exposed more than 14,000 Minneapolis patients' personal information when the laptop was stolen. John Brooke, general manager of healthcare, and Scot McLeod, vice president of marketing for Compliance 360, offer five steps to minimize the possibility of human error causing data breaches.
1. Know the laws. The first step in securing health data is to understand the federal and state laws regarding privacy and data breaches. A health system with hospitals in several states may need to institute slightly different policies in different states to comply with the appropriate regulations. Mr. Brooke suggests "harmonizing policies everyone is going to be subject to while allowing for local variability for specific locations."
2. Conduct a risk assessment. The second step is for hospitals to conduct a risk assessment to identify areas of vulnerability that they should target when establishing data security policies. The assessment can determine if the controls currently in place meet the law's data protection standards.
3. Establish policies. Based on the risk assessment, hospitals should establish policies and procedures to ensure data is secured and distribute the policies to all employees. For example, a hospital can institute a policy that restricts where people can access certain applications. Hospitals can program automation software for IP access restriction "so you won't have the opportunity to present potentially sensitive information in a public setting just because you're on the Internet," Mr. Brooke says.
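The IP access restriction Mr. Brooke describes can be expressed as a small policy check in front of a sensitive application. The code below is an added illustration written for this article, not Compliance 360's software; the network ranges, application names and proxy address are constructed placeholders. It shows the point a practitioner would want to get right: the decision must be made on a client address the server actually trusts, so an X-Forwarded-For header is honoured only when the direct peer is a known reverse proxy, and every decision is recorded so the documentation step described later has something to show.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed example: RFC 1918 ranges standing in for a hospital's on-site and VPN networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # hypothetical campus LAN
    ipaddress.ip_network("192.168.50.0/24"),   # hypothetical clinician VPN pool
]

# Applications that may only be reached from trusted networks (hypothetical names).
SENSITIVE_APPS = {"ehr", "billing"}

# Reverse proxies whose X-Forwarded-For header is believed (hypothetical address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# In-memory stand-in for the audit trail a real deployment would write to durable storage.
AUDIT_LOG = []


def resolve_client_ip(remote_addr, forwarded_for=None):
    """Return the address the access decision is made on.

    X-Forwarded-For is only honoured when the direct peer is one of our own proxies;
    a header sent straight from an arbitrary client is under that client's control
    and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and peer in TRUSTED_PROXIES:
        # The rightmost entry is the address our proxy saw connecting to it.
        last_hop = forwarded_for.split(",")[-1].strip()
        return ipaddress.ip_address(last_hop)
    return peer


def is_allowed(app, remote_addr, forwarded_for=None):
    """Allow non-sensitive apps from anywhere; sensitive apps only from trusted networks.

    Every decision is appended to AUDIT_LOG so the control's operation can be evidenced.
    """
    client = resolve_client_ip(remote_addr, forwarded_for)
    if app in SENSITIVE_APPS:
        decision = any(client in net for net in TRUSTED_NETWORKS)
    else:
        decision = True
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "app": app,
        "client": str(client),
        "allowed": decision,
    })
    return decision


if __name__ == "__main__":
    # Direct connection from the campus LAN: allowed.
    print(is_allowed("ehr", "10.20.30.40"))
    # Direct connection from a public address: denied.
    print(is_allowed("ehr", "203.0.113.7"))
    # Public client forging X-Forwarded-For: header ignored, still denied.
    print(is_allowed("ehr", "203.0.113.7", "10.0.0.1"))
    # Through the trusted proxy with a VPN-pool client: allowed.
    print(is_allowed("ehr", "10.0.0.5", "192.168.50.9"))
    for entry in AUDIT_LOG:
        print(entry)
```

The check sits in front of the application rather than relying on users to remember the policy, which is the point of automating it: the employee who opens the EHR from a coffee shop gets a refusal instead of a screen full of patient data, and the audit entries give the compliance officer a record of where access attempts are coming from.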
4. Assess employees' understanding. After distributing data security policies to employees, hospitals should create a questionnaire that evaluates their understanding of the policies. An automated system that sends these questionnaires can then score employees based on their responses. "See where the gaps are in compliance and understanding of policies and regulations. Those highlighted gaps allow the compliance officer to proactively decide if [employees] need extra training or outreach," Mr. McLeod says. This step is key for mitigating the risk of human error causing a data breach because it allows hospitals to assess employees' ability to safely access protected information. Mr. McLeod suggests hospitals conduct these surveys every six months, or at least once a year, to check employees' awareness of policies and procedures.
It is important for hospitals to document the results of these assessments because they can serve as evidence that they took data security seriously. "Being able to prove that you had these [safeguards] in place is one of the ways to minimize, from an investigation standpoint, the finding of negligence or carelessness on the part of the organization," Mr. Brooke says.
5. Address any misunderstanding of the policies. Results from the employee questionnaire will show hospital leaders trends in how employees understand security policies and provide targets for additional training. "Address potential issues before they become headline news with regard to data breaches," Mr. McLeod says.