“In a world in which the total of human knowledge is doubling about every 10 years, our security can rest only on our ability to learn.” (Nathaniel Branden, a Canadian psychotherapist and writer known for his work in the psychology of self-esteem.)
The path to health data security -- to paraphrase -- also “rests solely on our ability to learn.” An Eligible Professional (EP) or an Eligible Hospital (EH) has nearly unfettered access to millions of websites, white papers, podcasts, presentations, videos, and text files on the subject of “healthcare data security” (~48,300,000 Yahoo!/Bing results; ~119,000,000 Google results).
An EP or EH can subsequently refine search results to “drill down” for specific knowledge on:
- data security spending and costs
- mobile device data breaches
- most common gaps in healthcare data security (risk assessment)
- tools to tighten healthcare data security
- healthcare data security fines
(Six- and seven-figure fines have been handed to EPs and EHs nationwide; oft-times learning is hard and painful. Aggregating, sorting, analyzing, and “knowledge mapping” your search results will bolster PHI security.)
According to “Breach Report 2011: Protected Health Information” from IT security firm Redspin, “19 million patient health records were breached last year, a 97-percent increase from 2010,” reported Taylor Armerding for CSO Online in “PHI security is MIA” (April 04, 2012).
Redspin President and CEO Daniel W. Berger observed, “Instead of a person sneaking out of a medical office with 30 patient files, it is now possible to steal millions of records at a time.”
Reasons for the increasing number of breaches include:
- “data on backup tapes stolen from the car of an employee
- rapidly increasing use of portable devices and media in health care
- a lack of security protocols and of sophisticated fraud detection systems
- federal regulations that don't require PHI to be encrypted when it is on transportable devices.”
“But perhaps most significant is that health records can be a financial mother load[sic] for thieves,” Berger emphasized.
"Most importantly, once such a record is breached, it is potentially 'in the wild' forever, unlike credit card numbers, which can simply be changed."
Mr. Armerding concludes by noting: “But, of course, risks to healthcare organizations for PHI breaches go far beyond penalties imposed by federal regulators. They could include costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.”
Jennifer Bayuk, also writing for CSO Online, describes in the six pages of “How to Write an Information Security Policy” the steps to take toward establishing an effective ISP (Information Security Policy).
“An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the:
- organization's objectives for security and
- agreed upon management strategy for securing information.”
“In order to be useful in providing authority, it must also be formally agreed upon by executive management.”
“To develop an information security policy document, an organization has to have:
- well-defined objectives for security and
- an agreed-upon management strategy for securing information (without consensus, reliable, robust, and consistent data security cannot be achieved)”
“Since a security policy is a set of management mandates with respect to information security, the first step in shaping a security policy is to determine management’s views on security.”
“Define common themes from management interviews and prepare a mission statement about how the organization as a whole wants its information protected. The time and effort spent to gain executive consensus on policy will pay off in the authority it lends to the policy enforcement process.”
“This framework will be the foundation of the organization's Information Security Program, and serve as a guide for creating an information security policy.”
“Seven Practical Ideas for Security Awareness” makes visible the steps for establishing and sustaining awareness, identified by Audry Agle in CSO Online, June 02, 2009.
“It is widely agreed that the single most effective security measure is staff awareness of protecting the confidential information of an organization. Often, technical controls are of little or no use in protecting the organization from information thieves who exploit the trusting nature of those who have legitimate access.”
“In order to create and maintain a security-conscious mindset within the practice or hospital, talk often with a consistent theme about protecting information. People need to hear a message, “rule-of-thumb,” or concept multiple times before it “sinks in” or they are convinced of its efficacy.”
“A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced:
1. Get people interested in security by arming them with techniques to secure their personal information.
2. Make the message visible with posters at fax machines, shred bins, and break rooms.
3. Provide snacks (pastries, fruits) in conjunction with the security-awareness message.
5. Bring it to their computer screen via the newsletter, a monthly email, and a Security page on your employee intranet that lists the security policies, important contact information, links, etc.
6. Require training: Training programs will be more effective if they have interactive exercises, contests, games, or give-aways. Try to keep it short, and test comprehension.
7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security: if it looks to be important at the top, you can bet it'll be important at the bottom.
- Advertise internally when someone:
  - does something that thwarts a potential attack
  - comes up with a control that bolsters the security of your organization in a cost-effective manner
- Use incident exercises at all levels, including executive leadership”
“Keep all employees engaged in security processes by soliciting feedback and suggestions. Provide a phone message line and email—anonymous if necessary. Make it easy to use, non-threatening, and welcome ‘stupid’ questions.”