The enactment of the Health Insurance Portability and Accountability Act – HIPAA – is about to reach its 20th anniversary, yet there are still serious issues circling around the accessibility of private patient data. A nurse may not realize it, but innocently feeding data into a mobile device, or storing it in a cloud, could be putting the privacy of a patient in jeopardy. Kroll Advisory Solutions looked at this issue four years ago, and found that hospitals are still unintentionally guilty of HIPAA violations.
Innocent errors on the part of nurses and other medical employees remain the biggest threat to the security of personal data. This is due in part to an increase in health care workers using their own electronic devices to store and manage sensitive patient data. There are two similar, yet distinct issues at play. One has been coined BYOD, or bring your own device, while the other is bring your own cloud (BYOC). Each can cause a data security breach, on a small or large scale.
A nurse no longer needs to fear physical files being stolen from a hospital. In our electronic world, we are inadvertently making patient information more easily accessible by storing it in places that can easily be accessed by anyone with the computer know-how.
Strategies for Hospitals Trying to Reduce the Risk of a Data Security Breach
- Conduct Data Storage Audits – A hospital has to look at its data in the same way it does its inventory of supplies, in order to understand where the potential breaches lie. If administrators do not know the type of data being saved, and where it is being held, they have no way to protect that information.
- Purge Data as Often as Possible – The fact that physical files are no longer taking up space inside of a medical institution should not lead to over storage of unnecessary information. Only keep patient information for as long as you are required to, or for as long as it is relevant, before purging it from your system securely.
- Consider Outside Devices – Any strategy aimed at reducing the risk of a security breach needs to take into account outside devices being brought in by nurses and other staff members. We have reached an age where a nurse has the ability to share confidential data with the world, through a device that looks like a watch. Protocols must be put into place and enforced that disallow the use of personal devices for data collection.
- Insist on Security Software – If an institution is allowing the use of “bring your own devices” by nurses and medical staff, it can only do so if it is able to police the security measures being undertaken by the individual owners. This includes using encryption software, passwords, firewalls and anti-virus programs.
- Educate Employees on their Role in Data Security – If you are allowing the use of personal devices, you have a responsibility to educate those users on the critical nature of security. Not all technology users are privy to the threat they pose, but you can help to reduce instances of security breaches by educating workers on the implications of not using the suggested or required security strategies.
- Expect and Plan for “Accidental” Breaches – There is technology available that helps an institution reduce the risk of a security breach. Disabling USB ports on your hardware or disallowing the use of data sharing “clouds” like Dropbox gives you an extra layer of protection from employee misuse of technology.
- Consider the Possibility of a Lost or Stolen Device – Most of us don’t even consider the wealth of personal information a thief would be privy to if they got hold of one of our tech devices, let alone the confidential data. Individuals who do use these devices for work-related purposes need to do so with the belief that one day someone else will have access to it and, therefore, have a plan for how to block access to sensitive information stored there. This includes passwords to any cloud storage being used.
An alarming number of medical security breaches are accidental, rather than purposeful, assaults by outsiders. In other words, it is our own misuse of technology that puts patient data at risk, not random individuals maliciously attacking our systems. Understanding the implications of storing information online is hospitals’ first step towards reducing their vulnerability. It is important that everyone who uses the internet during the course of patient treatment knows that once data has been shared online, in any format, it is nearly impossible to block complete access to it.
Hospital administrators need to reassess their risk of a data security breach as often as new technologies and software become available. Employing a team comprising nurses, physicians and other staff members to help keep up with the trending programs that staff members access is your first line of defense against an accidental data security breach. This type of task force can assess the use of personal devices, evaluate the risk of common apps and programs, and alert administrators to any potential threats immediately, before sensitive information is accidentally lost to the internet.