According to the United States Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing, and requires protection as well as confidential handling of protected health information.
According to HIPAA rules, any company that deals with protected information must have physical, network and process security measures in place and followed to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement and compliance. As a result, the number of organizations that fail to meet compliance each year remains the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.
Analyze the past, to avoid making the same mistake twice
It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA states that out of all the reviews completed, there are a number of frequent compliance violations and issues that are found each year. This includes impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.
Perform a risk assessment and GAP analysis
One preventative measure in assessing an organization’s compliance with HIPAA is a risk analysis and a GAP analysis. Confusion about and lack of understanding of the two examinations has been common among healthcare professionals in the marketplace for some time. Not understanding the differences can be detrimental to an organization and puts it at significantly higher risk. According to HHS and OCR guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed HIPAA compliant.
A HIPAA GAP analysis can be used to measure the organization’s information security standing against HIPAA, which is part of the HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health. Performing the GAP analysis also allows the organization to develop an audit response toolkit, which includes the data and documentation that would support compliance with the HIPAA regulations to regulatory agencies.
Amazon announced that a version of their virtual assistant technology, Alexa, is now HIPAA-eligible. This means it’s available for applications that are subject to the data privacy and security requirements of HIPAA. The new HIPAA-eligible version of Alexa, specifically the Alexa Skills Kit, is now available to a limited number of developers by invitation only.
Amazon has seen increasing interest in Alexa’s potential to serve as a virtual healthcare assistant. While devices like PCs, tablets, and smartphones have contributed to advances in healthcare, they’ve been problematic for some aspects of patient engagement – particularly among the elderly and others who physically cannot – or will not – use them.
The idea of a smart, always-available, hands-free, voice-powered virtual assistant that can answer questions, deliver medication reminders, facilitate communication with one’s doctor, provide health coaching, and more, has piqued the interest of the healthcare community. Amazon has responded.
Until now, Alexa’s use in healthcare has been mostly limited to question-answering services – voice apps, or “skills” in Alexa parlance, that answer general questions about health conditions, treatments, symptoms, etc. Amazon Echo users, for example, can access health benefit information from a skill like Answers by Cigna, or tap into one of many symptom checkers in the Alexa marketplace. The big change is that Alexa can now be used in certain applications that collect and transmit protected health information (PHI).
This opens a whole new world of voice applications beyond basic Q&A, such as remote patient monitoring, population health, medication adherence and clinical trial optimization. It seemed inevitable that voice assistants like Alexa and smart speaker-equipped devices like the Amazon Echo would find their way into clinical applications. Amazon’s announcement confirms this.
Organizations must understand the full range of issues surrounding the “what, why and how” of securing voice-first healthcare applications. HIPAA is just the start. There is no formal certification process for HIPAA, and it applies only in the U.S. Also, many healthcare IT departments use other industry standards or have created their own standards for data privacy and security. In their eyes, completely securing a voice application may go well beyond ensuring that a service provider will sign a HIPAA business associate agreement. Issues like user authentication, data privacy in shared spaces, network and device hacking, and secure system integration (e.g. with an EHR) should all be addressed.
By Brooke Faulkner, freelance writer; @faulknercreek.
Advancements in medical technology grant modern patients access to better care than ever before, but they also come with serious privacy concerns. Widespread data breaches in the realm of digital health records led to the implementation of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, and it’s as relevant as ever in the present day.
In our current healthcare climate, patient privacy and data protection go hand in hand. HIPAA is meant to protect sensitive patient medical records while adhering to ethical principles. With the rise of alternate treatments like medical marijuana and CBD, which are illegal or regulated in many states, ensuring patient privacy is more important than ever. Here’s how patient privacy and ethics intersect in the age of technology.
Healthcare administrators, ethics and privacy
The role of the healthcare administrator is a complex one that merges patient care and bureaucratic involvement. Healthcare administrators are major players on the front lines of HIPAA compliance. One of the biggest ethical dilemmas of the role is maintaining each patient’s right to privacy and autonomy. Administrators often play a big part in ensuring that a facility properly adheres to HIPAA and other relevant laws and regulations.
Of course, ensuring patient privacy only goes so far in certain situations. A healthcare administrator may break confidentiality under particular circumstances, such as when patients may harm themselves or others. Cultivating a thorough understanding of applicable laws and knowing when to break confidentiality is integral to maintaining a balance of patient privacy and ethics.
It may not always be easy to determine if or when confidential information should be shared. A psychiatrist in Singapore was recently fined $50,000 for breaching medical confidentiality by sharing confidential patient information with an unauthorized party. A man posing as a patient’s husband contacted the psychiatrist, claiming that his “wife” was suicidal. The psychiatrist had previously determined that his patient was at risk of self-harm, and he wrote a memo for the man that included confidential medical information. The man turned out to be the patient’s brother rather than her husband, and he did not have legal access to the patient’s medical information.
In this case, while the psychiatrist was within his rights to share information related to his patient’s potential for self-harm, he did not verify the identity of the family member who ultimately received the confidential medical information. Thus, the patient filed a complaint with the Singapore Medical Council (SMC). The SMC handed down the stiff penalty and censure as a form of “general deterrence” for similar situations in the future, and healthcare administrators should take note of the decision.
The role of the medical provider
The topics of patient privacy and ethics form the backbone of numerous industry jobs, from healthcare administrators to nurses and medical assistants. In many cases, medical assistants are directly responsible for administrative tasks, including the collecting and handling of patient data. Because of this, a medical assistant must ensure that he or she adheres to all pertinent privacy regulations and takes the utmost care to keep patient data safe. Nurses also come in contact with sensitive patient data and should take similar precautions to avoid a potential HIPAA violation.
Ensuring patient data privacy starts at the training level for medical assistants. Best practices for maintaining electronic patient medical records are a key focus in any assistant’s education, but they are particularly important for those interested in pharmacology. As a student, a medical assistant should be trained in HIPAA and similar regulations in order to develop a keen understanding of what’s at stake. A HIPAA breach could result in fines, but guilty parties may also be stripped of their individual licenses, causing many to lose their job and be barred from future employment in the healthcare industry.
While not all HIPAA violations result in termination, repercussions for individuals depend on the policy of the healthcare facility or organization and the severity of the violation. In 2018, a Texas nurse was fired after violating HIPAA regulations by posting sensitive patient data on social media. While the posted information did not include a patient name, it contained specific details about the patient’s condition, and the nurse’s social media profile listed the facility in which she worked. Her employer, Texas Children’s Hospital, determined that the violation was severe enough to warrant firing her.
By Amy Perry, director of product marketing, OpenText.
The pace of digital transformation today is increasing rapidly, with more industries jumping on the bandwagon to adopt new technologies which recast workflows. New solutions powered by artificial intelligence and machine learning are enabling machines to handle processes once cumbersome to employees.
In fact, the rate of this shift is so pronounced that according to Deloitte, the average digital transformation budget has increased by 25 percent over the past year, from $11 million to $13.6 million. More than half of mid-sized and large companies are spending more than $10 million on these efforts.
While this is a trend impacting almost every industry, it presents unique challenges to the healthcare sector. One of the most important challenges digital transformation presents to healthcare professionals is in the area of interoperability. As the sheer amount of health-related data, along with the ways to transmit and store this data, continues to increase, the ability of healthcare organizations to manage the free flow of information between the patient’s care team and the patient is becoming more vital. At the same time, healthcare providers must ensure the highest levels of patient data privacy.
Unsurprisingly, most healthcare providers are preparing for this challenge. According to a new survey of healthcare IT professionals conducted by OpenText in conjunction with IDG Research, 85 to 94 percent of healthcare organizations are either actively investing or are planning to quickly invest in interoperability infrastructure to provide more intelligent and connected healthcare. While this intent is a great starting point, the journey can still be challenging for organizations of every size.
Ensuring a freer flow of information between providers to enhance the patient experience while simultaneously adhering to HIPAA’s privacy mandates may initially seem impossible to many teams. Wider adoption of paperless fax solutions across the industry could provide a data-centric solution which allows organizations to further interoperability goals while also ensuring that patient privacy remains paramount.
Paperless fax gains momentum
The evolution to fax stems from HIPAA guidelines mandating all patient information be securely stored and communicated. Tools such as email lack essential regulatory compliance and must be shelved in favor of other forms of communication, such as secure fax. While paper-based fax has become almost obsolete in other industries, it is still heavily used in healthcare despite causing some roadblocks to efficient communication. Paper-based fax requires a labor-intensive process that results in limited access to patient information at the point of care and slower care coordination between providers. Though these shortcomings are widely recognized among healthcare professionals, nearly half of patient information is still being transmitted by paper-based fax.
Findings from the same survey confirm momentum in paperless fax technologies. According to survey respondents, 50 percent of all medical communications continue to be done via some form of fax, but paperless faxing surpasses paper-based faxing in terms of medical communications volume. Within this group, a significant majority of the survey respondents showed favorability to paperless faxing because of its digital integration capabilities.
Seventy-six percent of respondents either agreed or strongly agreed with the statement that they are happy with their current paperless faxing method because it’s integrated with their electronic medical record (EMR), back-end system, or other applications. By integrating digital faxing with EMR, document management systems, and clinical applications, a paperless fax solution becomes the most connected device in an organization, optimizing patient information exchange, reducing costs, and increasing productivity.
The catalyst for future patient information exchange
In addition, a favorable attribute to paperless faxing is that it provides a much more secure form of patient information exchange and surpasses the requirements of HIPAA’s Protected Health Information privacy rule. As new interoperability tools based on standards for the secure transmission of patient records are considered across many healthcare organizations, health providers can leverage their existing paperless fax solution to transition to modern, secure, and interoperable exchanges of patient documentation that are integrated across systems and applications.
Ultimately, the study’s findings show technology has reversed the death knell many initially thought had struck the fax industry. In fact, instead of being a siloed or time-consuming way to share information, new paperless fax technologies are helping eliminate these inefficiencies by shortening the time it takes to get patient information to the right provider and facilitating faster access to critical information at the point of care. Implementing a cloud-based delivery system is an attractive step as organizations move to the adoption of digital transformation. Healthcare providers must modernize legacy systems and embrace these new technologies to stay at the forefront of the industry and meet patients’ growing expectations.
By Drew Ivan, EVP of product and strategy of Rhapsody.
It was generally recognized by 2009 that the health care industry was long overdue when it came to adopting electronic systems for storing patient data. At the time, hospital adoption of electronic health record (EHR) systems was at about 10 percent while electronic record keeping was commonplace in most other industries. EHR technology was widely available, yet doctors and hospitals were still using paper charts.
The HITECH Act of 2009 was part of a broader stimulus package that financially nudged hospitals and eligible professionals to adopt and use EHRs. The meaningful use incentive program began a national, decade-long project to adopt, implement, and optimize EHR software. The program was a huge success, judged by the most obvious metric, EHR adoption. Today, nearly 100 percent of hospitals are using electronic health records. This means that records are safe from physical damage, far easier to analyze and report on, and – in theory at least – easier to transfer from one provider to another.
However, when viewed through the lens of return on investment, the success is less impressive. The federal government has spent $36 billion to encourage providers to adopt EHR systems but the industry has spent far more than that to procure, implement and optimize the software. Yet, hospitals are seeing reduced productivity, doctors face a huge documentation burden, and interoperability remains an unsolved problem. The first two problems are the consequence of workflow changes brought on by the EHR systems, but interoperability roadblocks ought to have been eliminated by implementing EHR systems, so why is it still so difficult to transfer records from one provider to another, or from a provider to the patient?
Health IT experts generally consider three categories of obstacles to interoperability:
Business disincentives: allowing medical records to move to a different provider makes it easier for patients themselves to move to another provider, and helping customers switch health care providers is contraindicated by usual business practices (even though HIPAA states that patients are entitled to receive copies of their medical records and may direct copies of their records to be sent elsewhere.)
Technical challenges: Meaningful use set a fairly low bar for cross-organizational data exchange requirements, and it did little to ensure that EHR systems could understand data sent from another system. Although these problems are largely resolved today, there is still the impression that “interoperability is a hard technical problem”.
Network effects: point-to-point connections between providers are impractical, but the network approach also has its drawbacks. The assortment of HIEs and national interoperability initiatives is huge and confusing, and it’s not obvious which network(s) an organization should join.
There may have been an assumption that when medical records moved from paper to electronic format they would immediately become more interoperable, but by 2016, the level of interoperability was far below what patients and regulators expected. As a result, the 21st Century Cures Act of 2016 was passed by Congress and signed into law by the outgoing Obama administration. The law’s scope included a number of health care priorities, including a patch for the interoperability gap left by Meaningful Use. Cures explicitly forbids providers, technology vendors, and other organizations from engaging in “information blocking” practices.
Earlier in 2019, the Office of the National Coordinator for Health IT (ONC) issued a notice of proposed rulemaking (NPRM) that defined exactly what is (and what is not) meant by “information blocking.” Once adopted, the expectation will be that a patient’s medical records will move according to the patient’s preferences. Patients will be able to direct their data to other providers and easily obtain copies of their data in electronic format.
It is not uncommon, in today’s age, to do large amounts of personal business online. This includes discussing or sharing medical records. You may think that any place that shares your medical records online would invest in intense digital security, but you would be surprised.
It takes just a small mistake on the part of the health organization working with your records for your data to be breached. In fact, there have been multiple examples of large medical organizations allowing thousands of patients’ information to be leaked.
In 2010, Columbia University Medical Center and New York-Presbyterian Hospital were victims of cyber security attacks involving the theft of close to 6,800 patient records. A Temple University doctor had his laptop stolen, which contained the private medical files of nearly 4,000 patients. These are just two of far too many examples.
Part of the problem is that these records are being protected by individuals not properly trained in digital security. Medical professionals all know about HIPAA (Health Insurance Portability and Accountability Act) — a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
They know that you don’t share medical information with anyone who isn’t approved in writing by the patient. But even that standard is often broken by some medical professionals. So, if some people in the medical industry are willingly leaking information, just imagine how often information is leaked accidentally.
So, what can you do? As with most instances of digital security, it is best to take matters into your own hands. The only person who will always, 100 percent of the time, advocate for you – is you. It is vital that you do everything you can to protect yourself and your data when going online. This can prevent others from ascertaining your location, medical data, personal data, and much more.
Let’s take a look at a few ways that you can protect yourself in the digital realm:
Be aware with whom you are communicating
It might be obvious that you shouldn’t send personal information to strange email contacts or social media profiles, but not everyone considers the authenticity of medical websites. Oftentimes people will look up medical advice and find themselves sharing personal details with any random website that offers to let them chat with a “real” medical professional.
These websites can put not only your medical information at risk but also your credit card information, since we guarantee you won’t get to chat with anybody without coughing up your card number.
Beyond that, it is also important to consider the applications your medical facility is using to share your information. Before agreeing to access your data digitally, look into the software they are using to ensure it is considered respectable and safe.
By Brad Spannbauer, senior director of product management, eFax Corporate.
When it comes to cybersecurity, healthcare organizations are up against a constantly shifting threat landscape. New technologies and techniques, employed by increasingly advanced criminals, require organizations to be proactive in their defense efforts, or they risk being outsmarted by those who seek to expose them. But security threats don’t just come from external sources; risks are just as prevalent within organizations. In fact, the latest edition of Verizon’s Data Breach Investigations Report found that healthcare is the only industry where insiders pose the greatest threat to sensitive data, with 58 percent of incidents coming from within.
Whether malicious in intent or the result of innocent mistakes by healthcare workers doing their best in a high-stress environment, a failure to recognize these risks and apply appropriate safeguards can have grave consequences for healthcare providers. For example, an IBM & Ponemon Institute study revealed that healthcare data breaches cost organizations $408 per record on average, which is more than three times the global average across all other industries. That may not seem like a lot of money, but multiplied by the thousands of records that could be contained on a stolen and unencrypted laptop, it adds up to a significant financial penalty.
Software testing and quality assurance have grown in critical importance for companies. Over the past few years, it has established itself as a formidable career choice, a trend which is unlikely to stop anytime soon. As the name implies, quality assurance is all about maintaining “high quality” on a constant basis. And it isn’t surprising at all to see the concept making its way to the core of several industry verticals, including healthcare.
Quality monitoring is gaining momentum for purchasers, patients, and providers who strive hard to evaluate the value of health care expenditures. Over the past decade, science has evolved in regards to quality measurement despite a few challenges that might be a counterforce to the demands of cost containment. Well, the following post explores those crucial challenges that must be addressed in the Healthcare sector. But before that let’s take a bit of a detour which will eventually lead us to the answer.
Why the healthcare sector needs QA and testing
Speed and quality are among the core essentials that serve the healthcare industry more efficiently, leading to a significant number of inventions and advancements. One of the best examples showing how digitalization is becoming more capable of transforming the industry is that more and more people and devices are connected to deliver meaningful inferences from the data generated.
Technology is the best support system where different kinds of applications are created to deliver the best services even at a distance. A sudden increase is found in the growth of healthcare products such as wearables, followed by applications, especially the ones associated with them. It may interest you to know that these can be termed products featuring a big market, and they will continue to have a tremendous impact on the economy in the upcoming years. Below I would like to mention a few reasons why QA and testing are crucial in the healthcare industry.
#1 Big Data Testing in Healthcare: Because it handles tons of information related to patients’ health conditions, the healthcare industry is believed to be one of the most data-intensive sectors. Several healthcare institutions and associated segments rely on this data to devise the right strategy for building the right and relevant kind of products. Initially introduced to derive the right inferences from the data points, big data testing also helps in making certain decisions in regard to drug inventions, disease cures, and last but not least, research and development. These decisions are some of the best and most informed ones that anyone could take.
#2 Security of applications: I am sure you will agree with me when I say that healthcare websites hold the most sensitive kind of data about their patients and their health-related information. Through security testing and penetration testing, we can make websites, as well as applications, hack-proof and sustainable, especially in a challenging digital scenario. It is very important to conduct quality assurance and testing to ensure the security of all such applications.
#3 Usability testing in healthcare: Usability testing is the most needed in the health care industry. There are various features and user scenarios that a pharmacist or a nurse can continue to face during their working hours. Do you think these tasks are of prime importance? Absolutely not! In fact, they can be eased with the help of automation, adding more features that will help to simplify the entire process.
QA Challenges in Healthcare Apps
The healthcare industry has also started to introduce mobile platforms across the care delivery cycle, creating a voluminous medical app market. Below, we have extracted a few QA challenges concerning the testing of healthcare mobile apps and how to get over them.
Challenge #1 Users and their expectations
Software usability has been a core element in the healthcare industry. Look at those EHR systems; it is very important to come up with something that not only offers accurate physical records but also aggregates physical activity recommendations with nutrition tracking. While testing an mHealth app, think about the situations in which patients may need it. During critical cases, older patients can make the most of a condition management app that helps them find out what their actual condition is and tap the emergency call button at an extreme point.
In addition to this, healthcare mobile apps have the potential to influence stakeholders including patients, caregivers, care team members, administrative staff, insurers and more. The app should adequately support their workflows, so QA specialists need to get a good picture of basic user needs. For example, a patient may want to connect his or her smartwatch to the app to monitor heart rate while exercising, or a physician may want to review a patient’s treatment plan progress remotely.
Healthcare organizations face unprecedented compliance challenges when it comes to managing business associate agreements (BAAs) amid frequent data breaches, heightened federal scrutiny and anticipated privacy legislation. Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, and the industry has already witnessed a notable uptick in public shaming and fines associated with missing just a single BAA.
Simply put, BAAs have become a cornerstone of OCR compliance initiatives. And the outlook is not likely to change as trends point to continued advancement of privacy laws. As of the close of 2018, 12 states had already updated their privacy laws regarding notification to patients, shortening the standard 60 days from the federal guidelines to 45 days, and in some states (CO, FL), the breach notification window is down to 30 days.
Breaches involving protected health information (PHI) are typically reported publicly at the Covered Entity (CE) level. When a breach involving a third party, or Business Associate (BA), occurs, one of the first things the federal government investigates is whether a BAA is in place with the CE. If a BAA does not exist, it typically sets off a chain reaction of investigations into other areas of HIPAA compliance.
While most headlines related to BAA compliance relate to CEs, HIPAA experts predict that 2019 will usher in greater focus on BAs and their management of these agreements as well. Many believe that unprepared BAs—especially small and mid-sized companies that lack resources to address HIPAA compliance—will become targets, increasing industry concern over proper BAA compliance.
Healthcare’s BAA management conundrum
Today’s healthcare organizations are feeling the heat, yet most are challenged to effectively manage BAAs due to limited resources for reviewing and managing massive and growing numbers of these agreements—reaching upwards of several thousand in larger organizations and health systems. Exacerbating this challenge is the current consolidation trend, which creates a fragmented landscape for BAA oversight that extends across multiple departments, facilities, affiliations and a multitude of different owners.
Consequently, manual, inconsistent workflows common to BAA management in today’s organizations open the door to significant risk. In truth, the most basic information often eludes the executive suite in most CEs and BAs, including the total number of existing agreements, where they are located and the terms of each.
BAAs are also the subject of intense negotiations between CEs, BAs and other subcontractors that often result in obligations that go beyond HIPAA and HITECH, causing contractual obligations to vary significantly between agreements. Subsequently, when organizations need to know the terms of these agreements, they must manually extract the information one agreement at a time. Within a framework of manual processes, the resources required to conduct this kind of data extraction across hundreds or thousands of BAAs are simply unfeasible for many organizations.
Yet, compliance professionals need quick and easy access to this information to ensure optimal response to breaches, which have become the norm for healthcare organizations as opposed to the exception. Consider the findings of a 2018 Black Book Market Research study: 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five.
In the more than 20 years since the landmark passage of the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations have come a long way in protecting the security and privacy of patient data. Organizations now use sophisticated tools in the form of electronic health records (EHRs), online patient portals and virtual clinics that have elevated modern medicine to a new level of care. As a result, patients have come to expect a seamless interaction – whether digitally or in-person – with their healthcare provider, and trust that their personal information is safeguarded throughout.
But just as these new digital records and online portals make it easier to access and manage patient care and medical history, there still looms a security threat that organizations may not be as well-equipped to prevent. Despite the regulations put in place to guard against privacy violations and data theft, healthcare data breaches now occur at a rate of more than one per day, with nearly 60 percent of these breaches coming from insiders. You read that right. Unfortunately, the greatest threat to a healthcare organization may not always be outside cybercriminals hacking into an organization’s network and stealing patient medical records. While the vast majority of healthcare workers are good and honest people, it only takes one employee succumbing to curiosity and taking a peek at a patient’s EHR without a valid reason to violate HIPAA compliance laws and potentially cause a massive data breach.
Why are insider threats on the rise?
The healthcare sector employs tens of millions of people across the country, and organizations go to great lengths to hire quality employees. But the fact remains that access to sensitive information, coupled with large organizations that employ people with varying levels of commitment – whether full-time, part-time or as contractors – can present opportunities for unethical and unlawful actions.
For instance, I recently spoke with Phil Fasano, CEO and co-founder of Bay Advisors, LLC, and former executive at Kaiser Permanente, and he noted that the size of many large healthcare providers is more like a city than a business, and they often employ temporary staff and contractors. When he was executive vice president and chief information officer at Kaiser in the early 2000s, the organization employed more than 300,000 people, with some 60,000 to 80,000 being temporary, such as contact center workers, custodians and administrative staff. In high-turnover roles and with temporary staff, not only may there be a lower familiarization with compliance regulations and data security protocols, there may also be a greater willingness to skirt the rules for short-term gain. Thus, it becomes even more imperative for businesses to have the right tools, technology and training in place in order to ensure data security and privacy – not only to comply with the law, but to protect patients and the long-term viability of their business.
This issue is not hypothetical. There have been many high-profile examples in the news of healthcare insiders stealing patient data to use for fraudulent purposes, or simply viewing it out of sheer curiosity, which is still a major violation. In a recent case of identity fraud, UMass Memorial Healthcare had to pay $230,000 to settle a lawsuit that resulted from two employees stealing patient information to open credit card and cellular phone accounts. In a truly egregious example from several years ago, an employee of the UCLA Medical Center leaked the late actress Farrah Fawcett’s cancer diagnosis to the National Enquirer before she even had the opportunity to break the news to family and friends herself. These cases are unfortunately not isolated incidents. Shockingly, a recent survey of healthcare workers found that one in five would be willing to sell confidential patient data if given the opportunity.
How to mitigate insider threats
First and foremost, healthcare organizations should institute mandatory background checks on all full-time, part-time and temporary hires – no exceptions. They should also aim to improve employee awareness and understanding of the laws by conducting annual training sessions and refreshers on all relevant data security and privacy regulations, including HIPAA, the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) – this last one being especially important for patient billing and contact centers that handle payment card data. There are also several advanced technologies and strategies that an organization can implement to improve its defenses against insider threats, namely:
Establish staff guidelines for patient record access
The best way to avoid an internal compromise of sensitive information is to establish and enforce the principle of least privilege user access (LUA) on all computer systems, which states that an employee should have only the minimum level of access necessary to do their job. For example, an agent in the health system’s contact center may need access to some patient data, such as payment or scheduling information, but may not need to see the patient’s medical history. Creating LUA controls limits unnecessary access and adds a strong first level of security.
Monitor and flag staff access to patient data
Systems can include various levels of protection, from asking employees to enter password information twice before accessing confidential patient information, to red-flagging abnormal activity. Red-flagging alerts senior staff to suspicious behavior, such as an employee accessing unusually large amounts of patient information or performing irregular activity within the network.
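The two controls above, a least-privilege allow-list on patient record fields and a red flag on abnormal access patterns, shown together in one added Python example. This is illustration code written for this page, not code from the article or from any vendor it names; the role names, record fields, user ids, the 20-distinct-patients-per-hour threshold and the access-log lines are all constructed assumptions.

```python
"""Added example: least-privilege field filtering for patient records plus a
simple red-flag pass over an access log.  Roles, fields, user ids, thresholds
and log lines are constructed for illustration; none is real patient data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Least privilege: each role lists the only record fields it may read.  A
# contact-center agent gets billing and scheduling data, never clinical data.
ROLE_PERMISSIONS = {
    "contact_center_agent": {"name", "billing", "scheduling"},
    "nurse": {"name", "scheduling", "allergies", "medical_history"},
    "physician": {"name", "scheduling", "allergies", "medical_history", "lab_results"},
}

# Constructed sample record (assumption: one flat dict of named fields).
PATIENT_RECORD = {
    "name": "J. Doe",
    "billing": {"balance_due": 120.0},
    "scheduling": {"next_visit": "2019-03-04"},
    "allergies": ["penicillin"],
    "medical_history": ["hypertension"],
    "lab_results": ["HbA1c 6.1%"],
}


class AccessDenied(PermissionError):
    """Raised when a role requests a field outside its allow-list."""


def can_read(role, requested):
    """True only if every requested field is within the role's allow-list."""
    return set(requested) <= ROLE_PERMISSIONS.get(role, set())


def read_fields(role, record, requested):
    """Return only the requested fields.  The whole request is refused if any
    field is outside the allow-list (deny rather than silently trim, so the
    attempt is visible to the caller and can be written to the audit log)."""
    if not can_read(role, requested):
        denied = sorted(set(requested) - ROLE_PERMISSIONS.get(role, set()))
        raise AccessDenied(f"role {role!r} may not read {denied}")
    return {f: record[f] for f in requested}


def build_sample_log():
    """Constructed access-log lines: timestamp,user,role,patient_id,field."""
    lines = [
        "2019-02-01T09:00:12,agent42,contact_center_agent,P1001,billing",
        "2019-02-01T09:04:30,agent42,contact_center_agent,P1002,scheduling",
        "2019-02-01T09:09:05,agent42,contact_center_agent,P1001,billing",
        # A nurse reading a field the nurse role is not allowed to see.
        "2019-02-01T10:15:00,nurse7,nurse,P1003,lab_results",
    ]
    # agent99 touches 25 distinct patients in 25 minutes, far above the
    # call-handling rate assumed normal in this constructed scenario.
    start = datetime(2019, 2, 1, 13, 0, 0)
    for i in range(25):
        ts = (start + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts},agent99,contact_center_agent,P{2000 + i},billing")
    return "\n".join(lines)


def parse_log(text):
    """Parse the comma-separated log format above into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, role, pid, field = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "pid": pid, "field": field})
    return rows


def flag_abnormal_access(rows, max_patients=20, window=timedelta(hours=1)):
    """Return (user, reason, detail) alerts for two red-flag conditions:
    a read of a field the user's role does not permit, and more distinct
    patients touched inside any rolling window than max_patients."""
    alerts = []
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
        if not can_read(r["role"], [r["field"]]):
            alerts.append((r["user"], "out_of_role_field", r["field"]))
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # Distinct patients seen from this event until the window closes.
            in_window = {e["pid"] for e in events[i:]
                         if e["ts"] - first["ts"] < window}
            if len(in_window) > max_patients:
                alerts.append((user, "high_volume", len(in_window)))
                break  # one volume alert per user is enough
    return alerts


if __name__ == "__main__":
    print(read_fields("contact_center_agent", PATIENT_RECORD, ["name", "billing"]))
    for alert in flag_abnormal_access(parse_log(build_sample_log())):
        print(alert)
```

Two design points carry over to a real deployment: the field filter denies the whole request rather than quietly returning the permitted subset, so an out-of-role attempt is visible and loggable; and the volume check counts distinct patients in a rolling window rather than raw reads, so an agent legitimately re-opening the same record several times is not flagged while one sweeping through many records is.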