Dealing with data breach from the inside
Data breach costs the healthcare industry more than $6 billion each year. But protecting patient information isn't always as easy as using encrypted e-mail and requiring physicians to carry password-secured, remote-data-wipable laptops.
As a recent incident of a Cleveland hospital staff member inappropriately snooping patient records highlights, data breach is often an inside job whereupon someone inside an institution—such as a nurse aid or administrative staff member—has inappropriate access to patient health or other data. And as such, it can be little harder to prevent than a laptop theft or a rogue hacker onslaught.
"Many breaches have occurred as a result of an 'inside' job where employees have proven to be the weakest link," security and privacy expert Adam Levin, the chairman and founder of IDT911, tells Healthcare Dive, noting that such incidents aren't always intentional. "Oftentimes an employee will carelessly click on the wrong link and will have unwittingly exposed the medical office or a medical provider to malware. Another point of vulnerability is when employees are allowed to connect their own devices to internal systems at medical facilities, because many do not have proper security software and aren't necessarily vetted by the facility."
Data breaches like these can cost organizations millions of dollars in fines and damage-control efforts.
What's more, a recent survey of 1,000 consumers by PwC's Health Research Institute reveals 68% of consumers are concerned about the security of data stored in smartphone health apps. And more than 65% of respondents said data security was more important to them than convenient access for imaging and test results, doctors' notes, diagnoses and prescription.
But what can an organization do to prevent something as innocuous as the wrong staffer looking at private stuff?
A lot, says Mick Coady, a principal at PwC who covers cybersecurity and privacy.
"I do a lot of post-breach work, and in most cases, the response capabilities are an issue," Coady tells Healthcare Dive. "I could go into 90% of hospitals today and I guarantee you I would find an inappropriate level of access granted to the wrong individual, or an individual has excessive rights to information."
To decrease the likelihood of data breach, Coady recommends organizations develop ways to manage staff identity and data access, for example, by giving different access rights to different positions, such as a manager and a health aid. Also, organizations should audit themselves, and check that everyone has the right access, on a biannual basis. Finally, technology systems should be equipped with better control access capabilities so they can help management block those who have no business looking at certain patient data.
"It's what I would call granular access control," says Coady.
Levin also offers four specific best practices organizations that want to stop inside-the-corridor snooping should employ:
1. Take inventory.
Healthcare organizations should perform an information asset inventory, focusing on employee and patient data, which vendors have access to.
2. Monitor and audit.
The organization should have monitoring, logging and alerts in place to watch for any unusual or potentially suspicious activity where critical information is held. The organization should have annual audits to assess their security and privacy status.
3. Train correctly.
Offices should stress employee security and privacy awareness training and this should be part of continuing medical education and training for every medical profession.
5. Verify vendors.
Make sure all external contacts and vendors with access to the healthcare organization's internal network or sensitive information have a third party security and privacy assessment.
"Remember that PHI is a gold mine for hackers selling this data on the black market," says Levin. "So healthcare organizations should have strong security protocols in place."