Mitigating Risks In the Wake of Security and Data Breach

Guest post by Tim Cannon, vice president of product management and marketing, HealthITJobs.com.


A study early this year found that more IT employers are offering their employees flexible work options. But in the wake of security and data breaches, is it worth the risk in health IT?

A report published by the Ponemon Institute in September 2014 revealed 43 percent of U.S. companies surveyed experienced a security breach in the past year, up from 33 percent in 2013. Healthcare organizations are a prime target for cyberattacks, according to a report from the Identity Theft Resource Center. Health and medical companies suffered the most breaches in 2014, accounting for 42.5 percent of reported cyberattacks.

Here are some of the biggest risks health organizations face with a virtual health IT workforce, and how to keep patient data safe:

Email risks
Hillary Clinton recently came under fire for using a personal email address for government business during her time as secretary of state. Not only did her exclusive use of personal email violate federal record-keeping laws and practices, but it also put sensitive information at risk. Her actions remind us that employees are using their personal email accounts for work, whether their employers are aware of it or not.

Health IT professionals who work from different locations and from different devices could be sharing unencrypted data over their personal emails without password protection. They could be sending work emails from a personal account on their phones or home computers because it’s more convenient than connecting to their work accounts.

Solution:
Set clear policies on email use and remind employees of the importance of password protection when sending sensitive information.

Network vulnerabilities
To accommodate the remote workforce, networks and cloud-based data storage systems can be accessed from any location. But more employees using the network and accessing data from different places makes it easier for hackers to access the information as well.

Remote workers usually operate out of their home offices. This means they are using their home network, which is usually much less secure than the office network. Sometimes they also work out of Starbucks and other public spaces that have unsecured Wi-Fi networks. These places also lack standard security controls, which means data sent over them without encryption is easy for hackers to intercept.

Solution:
The underlying software of the network needs to be secure, no matter where employees are working from. Securing cloud-based systems is also extremely important. Making sure your servers are up to date with service packs and software updates is critical to closing potential holes in your network. A strong virtual private network is critical to protecting patient information and other sensitive data. Invest in providers with strong security practices, encrypt sensitive data, and use distinct passwords for each system to avoid security breaches.


The Majority of EHR Security Breaches Are Inside Jobs

Looks like my suspicions are correct. Most health data breaches are inside jobs. But what’s surprising, according to a somewhat recent survey from Veriphyr, an access and identity provider, is that the majority of data breaches of medical records are by practice employees.

According to the survey, more than 35 percent of medical-record breaches involved healthcare employees peeking into the files of their co-workers. Another 27 percent of the breaches reported involved a healthcare employee’s family or friends.

Also gleaned from the survey: of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breach. Data breaches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.
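The survey’s top finding, employees viewing co-workers’ records, is exactly the kind of access an EHR audit-log review can surface. The following is an added example (not from the original post or from Veriphyr) that classifies constructed audit-log lines using an assumed employee roster and care-team assignment table; the field names are assumptions.

```python
# Added example: flag EHR audit-log accesses to co-workers' records.
# Roster and care-team data are constructed placeholders; in practice the
# roster comes from HR and care-team assignments from the EHR (assumed fields).
from collections import Counter

# Employees who are also patients at the facility: MRN -> employee user id
EMPLOYEE_MRNS = {"MRN1001": "dr.jones", "MRN1003": "nurse.lee"}
# Clinicians with a documented treatment relationship for each patient
CARE_TEAM = {
    "MRN1001": {"dr.smith"},
    "MRN1002": {"dr.jones", "nurse.lee"},
    "MRN1003": {"dr.smith"},
}

# Constructed sample audit-log lines (not real data)
AUDIT_LOG = """\
2014-09-01T08:02:11 user=dr.smith mrn=MRN1001 action=view
2014-09-01T08:05:40 user=nurse.lee mrn=MRN1001 action=view
2014-09-01T09:14:03 user=dr.jones mrn=MRN1002 action=view
2014-09-01T12:30:55 user=nurse.lee mrn=MRN1003 action=view
2014-09-01T13:01:19 user=dr.jones mrn=MRN1004 action=view
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, **fields}

def classify(entry):
    """Label one access by whether a treatment relationship explains it."""
    user, mrn = entry["user"], entry["mrn"]
    if user in CARE_TEAM.get(mrn, set()):
        return "treatment"              # expected: user is on the care team
    if EMPLOYEE_MRNS.get(mrn) == user:
        return "self_lookup"            # employee viewing their own record
    if mrn in EMPLOYEE_MRNS:
        return "coworker_snoop"         # co-worker's record, no care relationship
    return "no_care_relationship"       # other patient, no care relationship

def review(log_text):
    """Return (per-access findings, counts per category) for a log."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = [(e["ts"], e["user"], e["mrn"], classify(e)) for e in entries]
    return findings, Counter(kind for *_, kind in findings)

if __name__ == "__main__":
    for ts, user, mrn, kind in review(AUDIT_LOG)[0]:
        if kind != "treatment":
            print(f"{ts} {user} -> {mrn}: {kind}")
```

Accesses labelled anything other than "treatment" are the ones a privacy officer should follow up on; the categories mirror the survey’s split between co-worker snooping and other non-treatment access.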

Some of the report’s key findings include:

Top breaches by type:

When a breach occurred, it was detected in:

Once a breach was detected, it was resolved in:

According to Health Data Management, there have been more than 31,000 data breaches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to the magazine, with an “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”

Accordingly, some steps to limit internal data breaches are to continuously educate your employees about the dangers and consequences of mishandling HIPAA-protected data, and in some cases it may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed to be used in the work setting, you need to establish some rules to protect the data the devices access, and in some cases you’re going to have to offer support for the devices.

For more details about how to create a BYOD plan, take a look at this recent post: Creating a BYOD Plan Protects Your Practice and Your Employees.

Nevertheless, the information about data breaches is shocking. The number of employees sneaking peeks at patients’ profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.