"Most hospitals don't know all the data breaches they have," says Mac McMillan, current chair of the privacy and security task force at the Healthcare Information and Management Systems Society. He had very recently worked with a large hospital system that inadvertently provided a patient online access to another patient's record as the result of an administrative error. The hospital wouldn't have known about the error had the patient not called to let them know, he says.
"That's still where we are today — a lot of hospitals don't find out they've had a breach until someone tells them," says Mr. McMillan. Therefore, "from a strategic perspective, data protection has to be a combination of user awareness and reaction to incidents, and how we handle information management going forward."
Brett Short, chief compliance officer at the University of Kentucky's Chandler Medical Center in Lexington, has made a point of urging all medical center employees to report any potential breach. This year's employee training has emphasized teaching employees to identify circumstances that could result in compromised data, and report all such instances to his office for further investigation.
Recently, a medical center employee reported her car was broken into, and her work laptop was stolen. "We almost didn't call it a breach because we didn't think anything was on the laptop" as the data was stored on an external hard drive and the computer was said to be encrypted, says Mr. Short. Yet when his team verified the laptop's encryption with the medical center's IT staff, they were told not only was the laptop not encrypted, but all the information stored on the external drive was also saved to the laptop in a temporary folder.
"It had looked like a safe situation," says Mr. Short. "But when we began to look through those screenshots from the laptop we realized data had been compromised."
The incident highlights why Mr. Short wants to hear about every situation that could have led to a breach so the proper investigation can be launched. "We know that if someone's home or car is broken into, this isn't going to be the first thing on their mind," says Mr. Short. "If something happens we don't want them worrying about analyzing the situation, just call us and we'll come in and start looking for potential risk."
"Hospitals really need to focus on the right kind of training and awareness," agrees Mr. McMillan. "You really want staff to understand how to recognize a situation when a system might have been compromised. And, if they see something that doesn't look right, they should know who to call."
In addition to strengthening the hospital's response to potential breaches, Mr. Short has been working to limit the risk of a data breach by more carefully controlling the dissemination of, and access to, patient data. "If we have data everywhere, it makes us more susceptible to breach," says Mr. Short. "We've been thinking in a more thoughtful and intentional way about who needs to access what data and when, and eliminating risk by eliminating what we don't need."
Mr. McMillan agrees. "There are more and more ways [hospitals] could lose or compromise information," he says, from lost or stolen devices to unsecured wireless connections. "One way to eliminate some of the risk is to eliminate access that is not necessary."
To properly guard information that does need to be accessed by hospital staff, Mr. McMillan says CIOs and other hospital leaders need to be involved in purchasing decisions regarding data management systems. "We still have a lot of health systems that are acquiring IT systems that don't have the necessary functionalities to meet even the most rudimentary federal data protection requirements," says Mr. McMillan. "It puts an organization in a risky position from the get-go." These system decisions, therefore, need input from leaders responsible for both complying with regulations and protecting patient privacy.
Data protection comes down to "a combination of controlling data currently out there and rethinking how and where we allow information to be presented to the user," says Mr. McMillan. That requires CIOs and other leaders both to work at discovering potential breaches and to design policies and purchase systems that minimize the risk of a future breach.