Friday, April 19, 2013
Experts offer healthcare data breach strategy recommendations
While data breaches are a serious problem for organizations in every industry, they are a particularly serious issue for hospitals, clinics, physicians' offices and other healthcare providers. For these organizations, data breaches can often expose extremely sensitive patient information. In addition to medical histories, healthcare providers also must possess individuals' and employees' credit card numbers, Social Security numbers and many other types of information that can be used by cybercriminals for identity theft and fraud.
Recently, a number of security experts spoke at the PHI Protection Network's forum in Cambridge, Massachusetts, to offer advice and insight into the data threats faced by healthcare organizations and how to prevent them, SearchHealthIT reported.
Understanding the risks
One of the most important steps that healthcare providers can take to protect themselves, according to Debbie Wolf, principal at Booz Allen Hamilton, is to first acknowledge that it is not possible to totally eliminate the risk of a data breach.
"We should not expect any organization to never have a data breach," she said, the news source reported. "I think that there are incidents happening every day … if you can use technology to minimize the risk, minimize the breaches, get them down to the lowest possible number [of breaches and patients affected], you're doing due diligence."
Allison Dolan, privacy project specialist at Massachusetts General Hospital (MGH), emphasized the point that cybercriminals are not necessarily interested in committing identity theft as a means of using the victim's credit cards and accessing bank accounts, as is commonly the case in other industries. In addition, cybercriminals are stealing personal health information (PHI) to gain access to the victim's insurance plan, the news source noted.
BYOD and collaboration
Another key point touched on by the experts at the PHI Protection Network forum is the growing importance of bring-your-own-device (BYOD) policies. Specifically, attendees highlighted the need for hospital administrators and decision-makers to work closely with both the IT department and physicians to optimize data security as BYOD becomes increasingly accepted.
Meredith Phillips, chief information privacy and security officer for Henry Ford Health System, noted that the combination of BYOD's inherent utility and the somewhat entitled attitude many physicians possess can lead to vulnerable security standards. They realize that using their personal smartphones and tablets can be extremely convenient and useful, improving the quality of care they provide for patients. However, they do not want to approach IT to ensure their devices are secure, and so instead take matters into their own hands. Without knowledge of cybersecurity issues, though, this trend can result in physicians using unprotected mobile devices to access, send and receive sensitive information.
Phillips asserted that healthcare providers must encourage collaboration between IT and physicians to ensure that BYOD is pursued in a safe, secure manner.
Additionally, hospitals should invest in secure file sharing tools specifically designed for BYOD environments. These tools can operate in the background, allowing physicians and other employees to securely leverage BYOD without imposing extra, time-consuming steps on users.