I didn’t know that the U.S. Department of Health & Human Services (HHS) had a “wall of shame.” In fact, they do. It’s a list of health care organizations that have experienced security breaches affecting 500 or more patients. Organizations end up on this list because of the requirement in the Health Information Technology for Economic and Clinical Health (HITECH) Act that breaches of unsecured protected health information affecting 500 or more individuals must be posted publicly. (If you want to see which organizations have landed on this infamous list, check out Breaches Affecting 500 or More Individuals.)
That was one of a number of useful facts from the session, Preventing A Data Breach: How to Protect Your Data In a World of Electronic Health Records, Health Information Exchange & HIPAA, at last week’s 2014 OPEN MINDS Technology & Informatics Institute. The session was led by my colleague and OPEN MINDS Senior Associate Sun Vega, with panelists Kate Borten, President, The Marblehead Group, and Kathy Jobes, Chief Information Security Officer, Sentara Healthcare. The topic of the day – how can you prevent a data breach at your organization and, if one happens, are you prepared?
The big answer to these questions had two components – documentation and executive leadership.
Document, Document, Document
One recommendation was to complete a Security Risk Assessment (see What Is Your HIPAA Security Score? and Security Risk Assessment (SRA) Tool User Guide – our previous pieces on these risk assessments) and to complete it often. For organizations that have to comply with meaningful use, federal law dictates that a risk assessment must be completed every year. For organizations that do not have to comply with meaningful use, the frequency is whatever your organization specifies in its (written) security plan, although once again, once a year is the generally accepted time frame.
However, just having a security risk assessment and filing it away in a drawer is not enough. If your organization experiences a security breach, you may have to prove that your organization attempted to mitigate the risks identified in the analysis. Even if you chose the wrong solution to mitigate a risk, it is better to have the documentation and the reasoning behind that course of action than no documentation at all. And then there is the part that everyone loathes – every security breach must be documented and reported, even if it involved one patient and the intent was not malicious. Try to see the breach as a learning tool and a chance to improve your organization’s security in the future.
Create an organizational culture that values security
Technology can be as much a part of the problem as of the solution. If employees don’t have the right mindset, no amount of security technology will prove infallible. For example, if your employees are accessing e-PHI on personal devices, your organization no longer has control over where your e-PHI is being stored or how it is being shared. To build the right culture:
- Get your company’s leadership team involved. If security is not a priority for leadership, it will not be a priority for anyone.
- Educate your employees and establish consequences. Security should become part of every employee’s processes and thinking. If it is at the forefront of everybody’s mind, you are taking the first step toward mitigating risk.
- Security is not a democracy. Some IT policies need to be dictated to employees and enforced. For example, the strength and length of employee passwords are not optional or up for discussion. There are proven rules to developing a password that is secure and they should be followed. However, the policy that surrounds security is an organizational discussion and group decision.
- Security cannot effectively be managed if it is siloed. Security is not just the IT department’s job; it requires coordination with the risk management, legal, and privacy functions.
If any of this sounds impossible to you, then you will always have to live with the risk of your organization experiencing a security breach. Ask your team – do you have the documentation and the organizational culture in place to minimize this risk and to deal with a lengthy investigation? For more about technology, stay tuned in the coming week for our post-institute coverage of The 2014 OPEN MINDS Technology & Informatics Institute, and check out our archived coverage on Twitter @openmindscircle #TII14 and on Facebook at www.facebook.com/openmindscircle.