With security breaches
dominating news headlines daily, those responsible for securing our systems,
networks, and devices are struggling to keep pace with the evolving threat
landscape. Perhaps some of the most concerning potential breach data comes from
the healthcare industry where we entrust our most personal information—social
security number, birth date, medical history—as well as our immediate family
members’ sensitive information to medical care providers. Further, medical
devices rely on secure IT networks to function properly and deliver continuous,
critical care to patients with heart conditions, diabetes, and other ailments.
In the event of a security breach, the malfunction of devices could have
potentially life-threatening consequences.
So what can we do to create
a more secure environment for protected health information and equip healthcare
IT staff with the security skills they need to fulfill this task?
First, we must start with a
level of awareness. Calling attention to the alarming number of data breaches
in today’s healthcare industry certainly helps the cause. According
to Redspin’s Breach Report 2013 – Protected Health Information
(PHI), the number of PHI breaches was up 138 percent from 2012, with 199
incidents reported to the U.S. Department of Health and Human Services (HHS),
impacting over 7 million patient records. HHS even has a “wall of shame”
webpage for the world to see lists of U.S. healthcare organizations that have
had a security breach of protected health information affecting more than 500
individuals.
Part of the problem with
security awareness lies in current processes, which don’t take into account how
to mitigate fraud or medical identity theft. If a patient’s healthcare record is
compromised by someone who stole the identity to receive care and consequently
had false information entered into that patient’s electronic health record,
there’s no process in place that allows medical providers to go in and fix the
record because it’s considered a legal document. Right now, we’re still at the
awareness level for security, and what has to be done is to help hospitals and
other healthcare organizations recognize when an instance of medical identity
theft has occurred so they can improve processes to protect patients.
Medical records are more
susceptible to identity theft because the online systems for medical records
and the networks on which they operate are not as locked down and sophisticated
as those in other industries. We must also realize that healthcare is one of the last
industries to move data from paper to online systems. Many physicians still use
paper records for their patients. And others are only beginning the process of
transitioning patient records to digital systems.
When it comes to education,
healthcare IT staff need the resources, experience, and continuous drive
to ensure they possess the latest knowledge and skills required to secure
protected health information. Many
stressed the lack of security even at the basic awareness level in their
organizations.
Let’s face it, making
security a priority for the healthcare industry won’t happen overnight. It will
require a concerted effort that begins with security awareness, followed by
education and training of healthcare IT staff, and finally adoption and
acceptance from the healthcare industry to create a secure digital environment
for protected health information.