Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends emerging in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets; however, too many firms focus on security for HIPAA compliance and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when they use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches are from data that has been stolen, via record removal, virtually and physically. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare, like smartphones and tablets, has also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organizations hope to safeguard patient records.
Security continues to be a major problem in health IT. The coming year will only bring more breaches and problems that must be addressed by those leading their organizations. In 2013 alone, millions of people were affected by breaches.
Breaches can be attributed to something as simple as a stolen device – flash drives and laptops, for example – to unauthorized access or disclosure of information by health system employees. For example, Healthcare IT News recently reported a four-year-long breach by a single employee at the five-hospital Riverside Health System in southeast Virginia.
Health IT security issues are only going to get more pervasive, aggressive and encompassing in the years ahead. So, what can we expect as we look ahead? Here are some predictions about health IT security from the industry’s leading minds:
Remaining in compliance with these codes and regulations, like HIPAA, is key from a security point of view for healthcare organizations. Being compliant and ensuring that only the appropriate healthcare staff members and contract workers have access to the information they need to do their jobs ensures that the information remains secure and does not end up in the wrong hands.
Because of the sensitivity of the information accessed on a daily basis within a healthcare organization and the number of people accessing the information – doctors, nurses, clinical and admin personnel, and contractors – IT security concerns will be slightly different than the highly publicized breaches we read about, like the recent Target breach that originated outside the organization.
Introducing an electronic medical records system into the practice helps the physicians and staff provide more efficient healthcare by making medical records more accessible to all health care team members. It also brings some risks. In this two-part article, CAP Risk Management and Patient Safety identifies 10 areas of risk exposure and provides some brief recommendations in each area.
EMR or EHR
Know your system. Electronic Medical Record is the term most often used for the electronic system now holding the medical records of the physician’s patients. If patients’ medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record is more accurate. The terms are often used interchangeably. Most articles are using the words “Electronic Health Record.”
Provide updated/additional training periodically, especially after software updates and enhancements.
The report suggests that 16 percent of surveyed U.S. doctors say that patients should be able to update some demographic information in their EHR and 5 percent say that patients should not have the ability to update any demographic data.
“Sixty-seven percent of surveyed U.S. doctors say that patients should be able to update all family history information in their EHR, while 21 percent say that patients should be able to update some family history data and 12 percent say that patients should not have the ability to update any family history information,” according to the study.
Twenty-five percent of surveyed U.S. doctors say that patients should be able to update all of their laboratory test results in their EHR, while 28 percent say that patients should be able to update some lab test results and 47 percent say that patients should not have the ability to update any lab test data.
On behalf of Accenture, Harris Interactive conducted the online survey of 500 U.S. physicians between November 2012 and December 2012.
This is an interesting topic that seems to have many foes and fans, and I can see the perspective from each side. On one hand, allowing access to a personal record may allow for breaches of information, HIPAA violations and may create a slippery slope to a movement for patients to have full editorial access to their records. Obviously, doing so creates many more problems than it solves.
The benefits to such a move – allowing patients to input their demographic data into their personal health record – may lead to greater patient engagement, which seems to be healthcare’s sticky wicket, and it may help practices struggling with being overwhelmed administratively to streamline some of their intake and the management of their information and “pass along the cost,” so to say.
It seems as new solutions come to pass and as we as an industry seek ways to moderate, streamline and create new efficiencies, questions such as the one raised by this survey will be asked more and more. As the questions become more well circulated and discussed, the issues they address will move toward the acceptable and standard practice as they gain ground within the society we have created.
As such, though there may be initial resistance, like all cultures built to change, what was once unacceptable will become standard practice.
Given the issue raised by these questions, I wonder what level of change we’ll see in regard to this in the near term. My hunch is that in an effort to include more people in the process, to streamline and to offload some of the administrative responsibility, we’ll see tactics such as these be incorporated more often, and more “power” given to the patients.
I wonder what your thoughts are on this subject, and what your perspectives are. Do you agree with the survey results? Should patients be allowed to change any of the data in their records or does it make sense to include them in the administrative management of the record?