Regardless of a facility’s size, it must ensure that its healthcare security measures are on par with the types of technology it uses on a daily basis. An organization cannot assume that a healthcare data breach will never occur, or assume that a breach will not have a lasting impact. Employee training is an important aspect of this, according to Frank Negro, Practice Leader, Global Healthcare Consulting, Dell Services.
In an interview with HealthITSecurity.com, Negro underlined the importance of the relationship between users and the data they’re accessing within healthcare facilities, and how comprehensive security measures are crucial for keeping information secure.
ELIZABETH SNELL: Why should the relationships between users and the data they’re accessing be a key initiative for healthcare organizations in 2015?
FRANK NEGRO: Although it can be easy to consider information protection the job of a technological solution, a robust security program is based on a workforce that understands its role in the process. In order to ensure that workers are being provided with appropriate tools and knowledge to help the organization safeguard its information, it is imperative to understand their relationship with the information we are asking them to protect. While regulations require that individuals are granted access to the minimum information necessary to perform their function, understanding the relationship between workers and the information they create, modify, use and/or report can provide additional texture, which can strengthen the security program. In a study by the Ponemon Institute, more than 78 percent of respondents said that negligent or malicious employees and insiders were responsible for at least one data breach within their organizations over the past two years. This further emphasizes the need for employee education and a focus on the human element of security.
ES: What are some of the key data security issues that healthcare organizations need to be mindful of this year?
FN: Healthcare organizations have two attributes that make them liable to data security losses, both of which are increasing in significance.
First is the presence of an increasingly mobile healthcare workforce. This mobility needs to drive a shift in thinking from a static model of perimeter protection and device encryption to a dynamic model of a complete security program protecting data at rest and in flight. Such a program needs to consider regulatory security and privacy compliance, technical security safeguards and education of healthcare information workers as to the challenges of data protection. Healthcare organizations need a mobile security roadmap so security and mobile user-enablement are not at odds. Mobile security policies include implementing encryption for institutional data on all devices and mandating that trusted devices only access the network via a virtual private network (VPN).
The second is the increasing value of protected health information on the open market. Analysts estimate that a healthcare record is as much as 50 times more valuable than credit card information, and this is because of both the completeness of the data when used for identity theft and the high potential value of a fraudulent insurance transaction. According to one survey, the percentage of healthcare organizations that have reported a criminal cyber attack has risen dramatically in recent years from 20 percent in 2009 to 40 percent in 2013.
ES: What are some of the biggest data security mistakes that facilities make? How can they best go about avoiding those mistakes?
FN: Two big security mistakes are 1) being tempted to feel that your security program is good enough to protect you, and 2) underestimating the impact of a security breach.
To protect against the former, an organization must be in a constant state of assessment, analysis and mitigation of potential risks. This activity should increase during and after any change to the information processing environment or workforce, and should be conducted by individuals not responsible for the maintenance of the security program. An independent review of a security program is always highly recommended.
To protect against the latter, one need only be mindful of the lessons learned by organizations that have suffered data breaches, where the cost of a single breach can average 20 times the cost of fines and penalties. These can include the costs of security program remediation, identity theft insurance, legal costs, and individual and class action civil suit awards.
ES: What advice would you give to healthcare organizations that are working to improve their data privacy and data security?
FN: Every dollar spent on developing and maintaining a robust security program for your organization should be considered money paid into an insurance program of risk mitigation and potential liability reduction. Just as a healthcare organization would not proceed without a healthy malpractice insurance policy, it should take care to ensure it is well-protected against security risks. Despite the growing number of breaches that occur within healthcare institutions, the healthcare industry’s IT departments historically receive 2 or 3 percent of organizations’ budgets, compared to more than 20 percent in the retail and financial industries. The lack of adequate funding to address security only increases the challenges faced by the healthcare industry.
ES: How do you see healthcare privacy and security needs evolving over time?
FN: Security programs will need to adapt to recent and future changes in technology. For example, we are seeing advances in wireless communication (including near-ubiquitous connectivity and unprotected near-field communication) that can create unanticipated access points to protected information. There has also been a proliferation of consumer-collected and transmitted information (usually, from non-secured devices and often using the expanded wireless communication capabilities mentioned above). According to a report from ABI Research, close to 100 million wearable remote patient monitoring devices will be sold and shipped by 2019. These devices also create new access points on the network, which must be appropriately secured.