3. Develop a PHI security strategy. Kam says it's key to develop a security strategy that's appropriate based on the information you have. "So, protectable information that you're trying to protect or personally identifiable information. It's about trying to not only understand where it is, but also developing a strategy to protect it," he said. After identifying the information, it's essential to communicate it to employees and other associates who are part of your system. Kam also suggests having a third party come in to bring a fresh perspective during the assessment stages and to help with developing a strategy. "If you have an internal team, there's a tendency for it to be more of a check-the-box exercise," he said. "Adding expert insight as to where breaches are occurring and how to protect against them is helpful. [It's about] finding someone who can be a trusted partner and an outsider who can take a fresh look at some of the risks your organization is exposed to, especially if you've already been exposed to audits and investigations."
4. Train employees. According to both Kam and Arevalo, the fourth step is where they see the most issues. "When it comes to protecting information, it's about getting your employees to understand how to best protect it and what to do if there is an unauthorized exposure," said Kam. Arevalo said training is essential and should include not only administrative employees, but also doctors, nurses and other clinicians throughout the organization. "They need to really understand how to maintain security hygiene when it comes to patient care," she said. Kam added that many tend to look at breaches as simply an IT issue. "It's much broader than that," he said. "[This misconception] is why there are so many breaches of personal information; it falls outside the technical part of the organization and happens because a business associate misplaces a laptop, for example."
5. Implement processes, technologies and policies. Once you've done an assessment and identified potential issues, Kam and Arevalo suggest taking the tools and technologies already in place and making it easy for employees and doctors to secure information. "If you don't put tools in place and they're hard to use, no one will use them," said Kam. "[It's important to] identify ways to protect this information in an automated fashion so the system itself helps protect the information. At the same time, it shouldn't disrupt the primary focus of healthcare professionals, which is patient care."
6. Have an incident response plan ready. According to Arevalo, the most important tip ID Experts offers is to always be prepared in advance for a breach. "Human nature is basically thinking this type of incident, being an unauthorized disclosure of health information, could never happen to their organization," she said. "Especially at an executive level. Most cases we see are organizations that think they have everything covered; they've made appropriate investments and tools, yet there are thousands of unauthorized disclosures happening on a monthly basis all over the U.S. Being prepared in advance is critically important." She added that a knee-jerk response to a breach can be devastating on an economic and recreational level, so both she and Kam recommend using a response plan in a more holistic way. "The document should be living throughout the organization, so it touches on every piece of the plan and the response includes training procedures and who's responsible for what if a breach does occur."