Many data breaches have humble beginnings: A smartphone is lost at a conference; a busy healthcare provider uses a receptionist's login when visiting an office; IT doesn't get the notice to remove network access when an employee retires. Hackers are often the focus of data security conversations, while these more "garden-variety" risks are actually the greatest points of exposure. Employees don't need to be the weak link in your organization's data security chain. Instead, with a clear message from leadership and effective communication, employees can be your biggest security champions.
No one department or group can be solely responsible for implementing data security practices across the entire organization. And while risk management or compliance officers are increasingly involved in monitoring how data protection is handled, day-to-day activities that impact the security and privacy of sensitive data still remain in the hands of the employees. Rather than leave the security program to only the technology or compliance staff, savvy healthcare leaders are instead working to raise general awareness and develop an expectation across the organization that security is everyone's responsibility. Technology and compliance are important, no doubt. They are like the lock on the door — important to have, but they can't keep someone from leaving the door unlocked or propping it open and rendering the lock ineffective.
Data breaches can easily result from seemingly innocuous day-to-day decisions such as "Should I take the time to encrypt this email?" or "Can I leave my company laptop in my car while I go into the store, just briefly?" Sometimes the trade-off is simply to conserve time or effort, while in other instances the situation is less a deliberate decision than an oversight, such as forgetting to notify IT when an employee moves to a new department and no longer needs the same level of access to patients' medical records. In every case, the level of awareness and the diligence applied in the employee's decision-making process are critical to the outcome. Those day-to-day decisions will be consistently better if the individual has been given the training and support needed to make the right choice, even when it requires more time or energy.
Emphasize training
The first chance many employees will have to learn about your organization's data security practices is during new hire orientation. It's important to maximize the usefulness of that moment by making the discussion about more than just login credentials and help desk phone numbers. Instead, use it as an opportunity to discuss the organization's commitment to protecting patients' personal health information. Give human resources, IT and managers the tools they need to begin engaging new employees in a two-way conversation about data protection and the organization's expectations. It's also a good time to present new workers with a copy of the processes and procedures they'll need to follow to safely access sensitive data within your corporate network.
It can be difficult to set aside time for all the training new employees need, particularly in a busy healthcare environment, but it's imperative to emphasize from the start that data security is important, and then to follow up with frequent reminders and point-in-time instruction for reinforcement. Reminders don't need to be as detailed as the initial training, but they should offer concise instruction delivered at the moment employees are performing a task that requires attention to security or privacy. By proactively raising the topic in a non-threatening way, management can create an environment where employees feel comfortable asking questions and getting clarification on any parts of the program they don't fully understand. HR should ensure that training is provided whenever an employee's job duties change in a way that warrants a different perspective on, or level of, security. New supervisors will need to understand their expanded obligations: being attentive to the security practices of every role in their group, as well as specific reporting requirements, such as the mandatory notification obligations under state laws that typically apply when a mismailing occurs or a laptop is lost or stolen.
Every organization's culture begins at the top, which is why leadership matters. A leadership team committed to the security of PHI will engage department managers, who in turn engage their direct reports. Supervisors are often the first place employees turn when they have a question or concern, so arming managers and supervisors at all levels allows the message to permeate your environment. Setting the expectation that all employees will stay alert to deviations from protocol, and will correct and/or report them, converts daily activities across your organization from a source of inadvertent exposure into a form of attentive monitoring.
Plan your response
A crucial but often overlooked part of any comprehensive data security program is an incident response plan that guides employees on how to recognize a potential breach and what to do about it. Before employees can be expected to notice, report and even prevent a security incident, you must define for them what an incident looks like in their environment and how to report it. A security incident can easily go unnoticed because you can't see the information stored on a hard drive. It should be clearly explained to employees that a lost laptop, or a medical bill sent to the wrong recipient via email or U.S. Mail, is a reportable event. The reporting mechanism should be easy to locate and use, even during non-working hours. An incident response plan that leaves identification of a security event to interpretation and does not describe objective signs and symptoms is, practically speaking, too ambiguous to be effective. Instructing employees on the importance of protecting data is the first step; it should be followed by a conversation about how data breaches happen, what they look like and what to do when those events or activities are observed. Employees should know not only what to do if a mobile device is lost or stolen, but also what the next step is if they discover that a patient record has been sent to the wrong place, or if a website asks them to enter a password or credit card information twice.
Well-crafted breach response plans incorporate resources from all necessary functions, not just IT. Finance, HR, public relations, legal counsel and IT will all be needed and should be included in establishing, maintaining and practicing the incident response plan. In a healthcare organization, business associates who access, process or store PHI are also likely to be involved, and critical infrastructure vendors, such as your ISP, should be included as well.
By laying out the steps each person on the breach response team will take if an exposure occurs, the entire organization will be better equipped to quickly implement a plan for early identification and a coordinated response that mitigates exposure and loss. Incident response planning is both good practice and a required component of HIPAA compliance.
Deena Coffman is CEO of IDT911 Consulting and information security officer for IDentity Theft 911.