TO: CHIEF RISK OFFICER
FROM: CHIEF EXECUTIVE OFFICER
RE: PATIENT DATA SECURITY
The headlines are numerous: “Theft exposes patient data across five U.S. states”; “Stolen laptop puts health plan clients at risk”; “Hospital chain loses patient data.” Not surprisingly, eight out of 10 Americans are concerned about identity theft and the possibility of their electronic health information being misused, according to a survey by the New York-based Markle Foundation. No health system or health plan is completely safe from hackers or computer thieves, but you can minimize the fallout if a security breach does occur by planning ahead and taking steps to safeguard patient data.
Who should be worrying about data security?
Safeguarding patient information needs to be a high priority for the senior management team, says Thomas A. Young, vice president and chief privacy and security officer at Aetna Inc. in Hartford, Conn. “At Aetna, data security is also a high priority with our board of directors. That level of commitment ensures heightened focus, accountability and resources—both technological and human—for safeguarding personal member information.”
What are our biggest areas of risk?
Portable electronics, such as notebook computers, PDAs and storage devices, may be a convenient way for employees to keep data at their fingertips or work away from the office, but security controls are often less vigorous and in some cases nonexistent, says Douglas J. Borg, M.H.A. “Electronic devices such as these are also very susceptible to theft,” adds Borg, the director of insurance at Duke University Health System in Durham, N.C. “Even with the best technology, training programs, audits and controls, the biggest risks are the criminal element—whether a thief or trusted insider committing fraud—and simple human error,” says Young.
If data is stolen, what should we do?
Two parallel actions must begin immediately, says Young. Determine precisely what data was compromised and assess possible risks to customers, members and any other affected parties. Find out whether the data was sensitive or password-protected and whether it could be used in a malevolent way, adds Borg. In addition, find out who is affected and notify them, even if the risk is considered low. “There may be applicable federal regulations or state statutes that require the disclosure of such a loss,” says Borg.
In a recent vendor burglary, for example, Aetna chose to notify each affected person, even though authorities believed the thieves were only looking for property to pawn and IT experts confirmed the likelihood of the data being compromised was low, says Young. “Put yourself in the shoes of the member and customer. What are their primary concerns? What would they want you to do?”
How can we avoid litigation?
The way an organization demonstrates that it has studied issues such as adequate security plans and ongoing employee education in advance is crucial, says Borg. Taking reasonable and appropriate steps after the loss or theft of sensitive information should also help in the defense of litigation. “Several insurance companies now offer cyber liability protection that can help cover the costs of privacy notification, credit monitoring and remediation, as well as defense costs for regulatory action or civil litigation,” Borg says.
What safeguards should we have in place?
Both Young and Borg agree that your facility should have a formal security management plan that covers the development of IT security policies and procedures, employee education, access controls and the physical security of your information systems. In addition, ask your legal counsel if your plan adheres to federal and state regulations that may impact how your facility handles sensitive information and breaches of data security, says Borg.
—Carrie Vaughan