By Isaac Kohen, Originally published in HFMA
- Start from the inside to mitigate top healthcare data risks.
- Protecting patient data in a dynamic healthcare environment is replete with unique challenges.
- From accidental data leaks to malicious theft, insiders account for the vast majority of healthcare-related data breaches.
When healthcare organizations fail to protect patient personal information, they may face damage to their reputation and lose patients to other healthcare providers viewed by the public as more responsible and reliable. In addition, when privacy laws are violated, financial penalties and other sanctions may ultimately make it more challenging for these healthcare providers to deliver quality patient care.
While it makes sense to protect patients’ health-specific data, Social Security numbers and home addresses from external bad actors, the most significant threats are on the inside. From accidental data leaks to malicious theft, insiders account for the vast majority of healthcare-related data breaches, according to an April 3, 2018 HIPAA Journal article.
Healthcare providers need to develop plans for protecting patient information. Unfortunately, there isn’t a silver bullet that ensures 100% security under every circumstance, but every organization can do a better job of protecting patient data.
Here are five steps that every healthcare provider should take to guard against insider threats in 2020.
1. Detect and prevent insider threats. Insider threats are more than just an abstraction, and they occur with frightening regularity both from accidental data disclosures and malicious theft.
According to Verizon’s 2018 Insider Threat Report, more than half of all healthcare companies were impacted by an insider threat, and carelessness is one of the main culprits. Everything from ubiquitous access to mobile technology to the blurring lines between personal and professional data creates an environment that’s poised for data misuse.
For example, nearly 30% of all healthcare team members use personal devices to transmit patient information, a practice that creates data privacy concerns on many levels, according to an article in JMIR Human Factors.
In this dubious digital environment, IT administrators can’t be expected to protect what they can’t identify. Fortunately, there are many indicators of an insider threat, and software solutions, like robust monitoring software, that can detect those bad actors while preventing them from misusing personal health information (PHI) and personally identifiable information (PII).
Regardless of an employee’s intent, healthcare companies have a responsibility to detect and prevent data misuse, and deploying the right tools is the first step in the process.
2. Provide guidelines and policies to prevent data mismanagement. If employees are expected to protect patients’ data, then healthcare organizations need to provide clear guidelines and policies to help prevent data mismanagement. These might include:
- Specifying the devices that can be used to access patient data
- Identifying appropriate time and place of data access
- Maintaining a need-to-know posture toward healthcare data
- Prioritizing discretion when transmitting patient information
- Utilizing approved communication channels for professional discourse
At the same time, healthcare leaders need to provide employees with real-time awareness to execute this priority.
Protecting patient data in a dynamic healthcare environment is replete with unique challenges. Even the most well-intentioned employees can violate HIPAA privacy regulations, so checks and balances such as real-time alerts to promote data awareness are both helpful and necessary.
In addition, automated technical safeguards that control access to PHI can significantly reduce patient data exposure while lessening the possibility of a compliance violation.
3. Data-driven training and retraining. HIPAA requires that companies handling PHI and PII prepare their employees to handle this information. While the HIPAA regulation requires companies to “train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions,” the tangible expression of this training is largely left up to individual entities.
Regardless of the methodology, data security and privacy training should be consistent, clear and accountable. First-day orientation and annual meetings are not enough to protect PHI and PII.
It needs to be baked into the company’s ethos, and that only occurs with repetition and regular instruction.
Other training-related keys include:
- Data security training should be specific and data-driven, ensuring that employees are prepared to protect patient data.
- Healthcare companies can leverage their monitoring software to address specific shortcomings within an organization.
For example, it’s estimated that nearly 500,000 records are compromised every day because of mobile devices, according to HIPAA Journal. If a company finds that its employees routinely access patient data from a mobile device, it can target its training to restrict or prioritize data access from these devices.
4. Endpoint data loss prevention. Whenever possible, preventing a data loss event is a top priority for healthcare IT administrators, and software is the best weapon in this ongoing battle. Employee monitoring software can provide real-time notifications of suspicious data activity. This can reduce response time from hours or days to minutes, potentially preventing a data disaster before it starts.
To put it simply, identifying possible threats is important, but stopping them from stealing or revealing sensitive data is the goal.
5. IT forensics in the aftermath of a data breach. Of course, data security threats keep evolving and take many forms, and, when something does go wrong, healthcare providers need to learn from the episode and meet their burden of proof.
Today’s employee monitoring software allows hospitals and other healthcare providers to produce detailed incident reports derived from session recordings, access logs and other data points. This information can be shared with privacy officers and can be analyzed to improve best practices going forward.
Meanwhile, IT forensics allows companies to hold perpetrators responsible, ensuring that malicious data theft is detected and appropriately punished.
To adequately protect patient data, healthcare companies need to turn their attention to potential insider threats, implement guidelines and policies to prevent data mismanagement, focus on employee training and retraining, prevent data loss in the first place and enable IT forensics to manage and analyze data breaches.
This article was originally published on HFMA and reprinted with permission.