Five ounces of prevention
Kim has the following tips for avoiding theft of your patients' medical identities:
- "You should be doing regular risk assessments," she says. "Remediate and mitigate risks. Consider all risk factors inside and outside of your organization, including all factors relevant to a mobile workforce." Kim adds that mobile computing, VPNs, and cloud computing can all be added risk factors employees might not immediately consider.
- Perform simple measures like ensuring routers are set up correctly, installing firewalls properly, and changing your passwords frequently. These steps alone can prevent many breaches. Since most healthcare organizations don't operate at a huge profit, other expenses tend to take priority over recruiting IT staff and installing strong security systems—but spending a little extra on hiring the right people for this job and ensuring an adequate technology budget can pay off.
- The distributed nature of healthcare makes it vulnerable to breaches—not only does a doctor's office have access to records, but so do hospitals, insurers and billing contractors like Sutherland Healthcare Solutions. While some of this is simply the nature of the industry, Kim adds that it's a good idea to regularly inventory all "containers" of information, then remediate and mitigate the risks as needed.
- "Strengthen your social media and file sharing policies," implores Kim, adding that all organizations need official acceptable use policies.
- Being familiar enough with your system to know you've been breached isn't as easy as it might sound, but it can mean the difference between proactively notifying clients early and notifying clients only because it's required by law or regulation—which is not good for consumer relations. "Is your team looking for breaches or security incidents proactively? What are your organization's technological capabilities? Even if they have the ability to determine they've been breached, what's their process if there's a possible incident or breach?" Kim asks. Have an action plan in place in case a breach does occur, too.
Of course, preventing breaches from happening is the ideal, in which case the IT team may not see or hear anything. "If it's a well-oiled machine, you won't hear the engine cranking," Kim says, adding that many potential breaches are prevented by expert security professionals. "There's a hidden battle going on.… Sometimes, the security pro is the unsung hero."
Lena Weiner is an Associate Editor at HealthLeaders Media.