Tuesday, June 9, 2015
“It’s Time to ‘Up Periscope’ Before you Breach the Surface”
By: Susan Pretnar, President KeySys Health, LLC
Many healthcare practices think data security is purely an IT issue, hoisted on them because they have been FORCED to use electronic technologies in their business, especially an EMR. “We wouldn’t be exposed if we were still on paper” they groan. In truth, it doesn’t take any time to reflect on plenty of incidents around paper charts and negligent employee actions. Until very recently, network breaches were rare in comparison to how PHI has been compromised by trusted employees and vendors. But, times do change, and rapidly. Hackers have discovered a very porous new frontier: healthcare.
Now that your doctors have the latest smartphones and tablets, how are you dealing with the new reality that your “perimeter” has changed? Where is your patient’s PHI coming from and going? If you don’t really know, it is time for a deep dive until you can come up safely.
The only way to get a grip on your PHI is to do a thorough risk assessment. Scratching the surface with a checklist to ‘get er done’ as they say, will not really do that. In the past, you might never have known until you were sued that an employee copied a bundle of your paper charts to get money to pay off a loan. Who can be sure of who has touched a paper record? If you are not critically looking at your network traffic, your devices and software applications, you are wading into the sea of electronic technologies without acknowledging what is right at the surface that could destroy your practice or devastate your patients. In truth, with the proper monitoring, you might be the first to know, instead of the last, that an employee is out of bounds, because properly configured electronic technologies often leave a trail.
Compromised PHI is big business. The value of a single medical record is estimated to be more than $300 on the Black Market. At a minimum, data loss prevention, the buzzword around information security, requires that you know where your data is coming from, where it is going, how it gets from point A to point B, how it is stored and who has access to it. It takes some time and commitment to document this inventory. It also takes time and commitment (especially financial) to select and maintain the right technologies that support your operations and security efforts.
Don’t underestimate the value of training, so often overlooked as just another interruption to a busy day. If you handed your employees a manual on their first day of hire that includes your expectations for them to protect the privacy of your patient’s information, but you have never reinforced the procedures that might actually assure that will happen, you are indeed breaching the surface of the vast electronic sea, without a look at what is sitting right on top of the water.