Does your HCO have an EMR security plan?
A couple of weeks ago we talked about your social
media network getting hacked. While potentially embarrassing to those
hacked and a slight risk to other accounts on your network, it is a problem
easily remedied in the grand scheme of things.
What happens when an entire HCO is hacked and EMR / EHR
information is compromised?
Patient records, dating back perhaps to prenatal checkups
for mom, to that surgery 10 years ago, to a suspicious lump that was
successfully removed, are at risk. And once they’re out there in cyberspace,
how can they affect the rest of a person’s life?
In all likelihood, people after the information
are looking to snatch your identity. For the longest time, medical records have
been linked to social security and driver’s license numbers not only for ID
purposes but for billing purposes as well. When a criminal makes off with a
couple million of those numbers, there are bound to be at least a few prime names
and numbers to target.
I am making a big leap here but, in this age of social media
and cloud computing, what if your medical records were compromised and made
available online to background check services without your knowledge?
Might an internet search bring up a health record file
stating that you are being treated for severe depression, causing your renowned
career as a motivational speaker to come to an abrupt end? A more plausible
scenario: Could a past positive malignancy test keep you from getting a job,
even though you’re one of the top two candidates, because you may cost your
potential employer group a higher health insurance premium than the candidate
without such a medical past?
A study performed last year reported that upwards of 51% of HCOs and
private practices intended to apply for Meaningful Use dollars during the first
year, yet only 11% of them had the EHR systems in place to be able to meet 10
of the 15 Stage One requirements. Wouldn’t it make sense that many of these
same physicians intending to implement EHR systems might not be completely locked
down security-wise as well?
One thing is certain: healthcare providers are going mobile.
Laptops, smart phones and tablets make up 40% of the healthcare data breaches,
but only 50% of the respondents to a recent HIT
survey said that anything was being done to protect the data on their
mobile units.
With cloud computing replacing SaaS and proprietary systems,
new tablets coming out seemingly overnight, and limited quality mobile device
protection, it’s a daunting task for any HIT professional to stay ahead of the
game. In addition, although I suspect many would like to, the heads of HIT
security can’t staple a tablet to the practitioner’s hand to avoid leaving it
at the café table. Even with security
measures in place, most healthcare professionals are not practicing any form of
security best practices.
Since 2009, there have been nearly 400 major EMR
and EHR security breaches affecting
nearly 20 million people, or about 6.5% of the US population. Chances are,
the numbers are similar all over the world.
The result? Several lawsuits have arisen out of these
breaches in security. Special security breach insurance policies are available
now and they are selling, meaning healthcare costs are going to rise even
further. The public image of institutions, much like that of a hacked social
media user, is tarnished at the time of the incident and beyond.
So what can HIT departments do to minimize risk?
- Get a security plan in place. Many of the largest data breaches occurred at institutions with inadequate or no security plan in place.
- Learn the cloud and all the intricacies of its communication with your staff’s mobile devices.
- Standardize equipment. If everyone has the same devices, it is much easier to stay ahead of the game and update security software.
- Bolster security training and make it mandatory.
- Use encryption tools to keep data protected.
- Have a social media policy in place covering practitioner conduct to protect patient information.
- And most importantly, explain to staff why it is important to the HCO, the professional and the patient (customer) to adhere to your security plan.
It’s one thing for your social media account to get hacked.
When personal health information is hacked, a breach has the potential to evoke
a different level of embarrassment for HCOs and patients.
Does your institution have a data breach or security action
plan in place? Have you had any security training on your mobile devices? I
invite HIT and practitioners alike to share your stories with us.